Do not decrement resp_count if it's already 0.
We set resp_count to 0 when the device is closed. The next open and
read will try to clear the WDM_READ flag if there was leftover data
in the read buffer. This fix is necessary to prevent resubmitting
the read URB in a tight loop because resp_count becomes negative.
The bug can easily be triggered from userspace by not reading all
data in the read buffer, and then closing and reopening the chardev.
Fixes: 8dd5cd5395b9 ("usb: cdc-wdm: avoid hanging on zero length reads")
Cc: <stable@vger.kernel.org>
Signed-off-by: Bjørn Mork <bj...@mork.no>
---
A fix for the fix... Sorry about that.
Bjørn
drivers/usb/class/cdc-wdm.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/usb/class/cdc-wdm.c b/drivers/usb/class/cdc-wdm.c
index 590ff8b5aa20..a051a7a2b1bd 100644
--- a/drivers/usb/class/cdc-wdm.c
+++ b/drivers/usb/class/cdc-wdm.c
@@ -445,7 +445,7 @@ static int clear_wdm_read_flag(struct wdm_device *desc)
clear_bit(WDM_READ, &desc->flags);
/* submit read urb only if the device is waiting for it */
- if (!--desc->resp_count)
+ if (!desc->resp_count || !--desc->resp_count)
goto out;
set_bit(WDM_RESPONDING, &desc->flags);
--
1.8.5.2
--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
