• J
    USB: cdc-acm: fix unthrottle races · 764478f4
    Johan Hovold 提交于
    Fix two long-standing bugs which could potentially lead to memory
    corruption or leave the port throttled until it is reopened (on weakly
    ordered systems), respectively, when read-URB completion races with
    unthrottle().
    
    First, the URB must not be marked as free before processing is complete
    to prevent it from being submitted by unthrottle() on another CPU.
    
    	CPU 1				CPU 2
    	================		================
    	complete()			unthrottle()
    	  process_urb();
    	  smp_mb__before_atomic();
    	  set_bit(i, free);		  if (test_and_clear_bit(i, free))
    						  submit_urb();
    
    Second, the URB must be marked as free before checking the throttled
    flag to prevent unthrottle() on another CPU from failing to observe that
    the URB needs to be submitted if complete() sees that the throttled flag
    is set.
    
    	CPU 1				CPU 2
    	================		================
    	complete()			unthrottle()
    	  set_bit(i, free);		  throttled = 0;
    	  smp_mb__after_atomic();	  smp_mb();
    	  if (throttled)		  if (test_and_clear_bit(i, free))
    		  return;			  submit_urb();
    
    Note that test_and_clear_bit() only implies barriers when the test is
    successful. To handle the case where the URB is still in use an explicit
    barrier needs to be added to unthrottle() for the second race condition.
    
    Also note that the first race was fixed by 36e59e0d ("cdc-acm: fix
    race between callback and unthrottle") back in 2015, but the bug was
    reintroduced a year later.
    
    Fixes: 1aba579f ("cdc-acm: handle read pipe errors")
    Fixes: 088c64f8 ("USB: cdc-acm: re-write read processing")
    Signed-off-by: NJohan Hovold <johan@kernel.org>
    Acked-by: NOliver Neukum <oneukum@suse.com>
    Cc: stable <stable@vger.kernel.org>
    Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
    764478f4
cdc-acm.c 52.9 KB