| Message ID | 20201026082548.17970-1-johan@kernel.org |
|---|---|
| State | Accepted |
| Commit | 985616f0457d9f555fff417d0da56174f70cc14f |
| Headers | show |
| Series | USB: serial: cyberjack: fix write-URB completion race | expand |
On Mon, Oct 26, 2020 at 09:25:48AM +0100, Johan Hovold wrote: > The write-URB busy flag was being cleared before the completion handler > was done with the URB, something which could lead to corrupt transfers > due to a racing write request if the URB is resubmitted. > > Fixes: 507ca9bc0476 ("[PATCH] USB: add ability for usb-serial drivers to determine if their write urb is currently being used.") > Cc: stable <stable@vger.kernel.org> # 2.6.13 > Signed-off-by: Johan Hovold <johan@kernel.org> > --- > drivers/usb/serial/cyberjack.c | 7 ++++++- > 1 file changed, 6 insertions(+), 1 deletion(-) Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
On Wed, Oct 28, 2020 at 10:38:27AM +0100, Greg Kroah-Hartman wrote: > On Mon, Oct 26, 2020 at 09:25:48AM +0100, Johan Hovold wrote: > > The write-URB busy flag was being cleared before the completion handler > > was done with the URB, something which could lead to corrupt transfers > > due to a racing write request if the URB is resubmitted. > > > > Fixes: 507ca9bc0476 ("[PATCH] USB: add ability for usb-serial drivers to determine if their write urb is currently being used.") > > Cc: stable <stable@vger.kernel.org> # 2.6.13 > > Signed-off-by: Johan Hovold <johan@kernel.org> > > --- > > drivers/usb/serial/cyberjack.c | 7 ++++++- > > 1 file changed, 6 insertions(+), 1 deletion(-) > > Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Thanks, applied for 5.10-rc. Johan
diff --git a/drivers/usb/serial/cyberjack.c b/drivers/usb/serial/cyberjack.c index 821970609695..2e40908963da 100644 --- a/drivers/usb/serial/cyberjack.c +++ b/drivers/usb/serial/cyberjack.c @@ -357,11 +357,12 @@ static void cyberjack_write_bulk_callback(struct urb *urb) struct device *dev = &port->dev; int status = urb->status; unsigned long flags; + bool resubmitted = false; - set_bit(0, &port->write_urbs_free); if (status) { dev_dbg(dev, "%s - nonzero write bulk status received: %d\n", __func__, status); + set_bit(0, &port->write_urbs_free); return; } @@ -394,6 +395,8 @@ static void cyberjack_write_bulk_callback(struct urb *urb) goto exit; } + resubmitted = true; + dev_dbg(dev, "%s - priv->wrsent=%d\n", __func__, priv->wrsent); dev_dbg(dev, "%s - priv->wrfilled=%d\n", __func__, priv->wrfilled); @@ -410,6 +413,8 @@ static void cyberjack_write_bulk_callback(struct urb *urb) exit: spin_unlock_irqrestore(&priv->lock, flags); + if (!resubmitted) + set_bit(0, &port->write_urbs_free); usb_serial_port_softint(port); }
The write-URB busy flag was being cleared before the completion handler was done with the URB, something which could lead to corrupt transfers due to a racing write request if the URB is resubmitted. Fixes: 507ca9bc0476 ("[PATCH] USB: add ability for usb-serial drivers to determine if their write urb is currently being used.") Cc: stable <stable@vger.kernel.org> # 2.6.13 Signed-off-by: Johan Hovold <johan@kernel.org> --- drivers/usb/serial/cyberjack.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-)