diff options
author | Ben Hutchings <ben@decadent.org.uk> | 2012-02-12 01:00:41 -0500 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2012-02-24 16:11:56 -0500 |
commit | 711c68b3c0f7a924ffbee4aa962d8f62b85188ff (patch) | |
tree | 364aa61ad7714ae92264ae06e304fc4fd8171dd0 /drivers/usb/class | |
parent | c192c8e71a2ded01170c1a992cd21aaedc822756 (diff) |
cdc-wdm: Fix more races on the read path
We must not allow the input buffer length to change while we're
shuffling the buffer contents. We also mustn't clear the WDM_READ
flag after more data might have arrived. Therefore move both of these
into the spinlocked region at the bottom of wdm_read().
When reading desc->length without holding the iuspin lock, use
ACCESS_ONCE() to ensure the compiler doesn't re-read it with
inconsistent results.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Tested-by: Bjørn Mork <bjorn@mork.no>
Cc: Oliver Neukum <oliver@neukum.org>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'drivers/usb/class')
-rw-r--r-- | drivers/usb/class/cdc-wdm.c | 16 |
1 files changed, 11 insertions, 5 deletions
diff --git a/drivers/usb/class/cdc-wdm.c b/drivers/usb/class/cdc-wdm.c index b27bbb957e1..7ca54d4dea9 100644 --- a/drivers/usb/class/cdc-wdm.c +++ b/drivers/usb/class/cdc-wdm.c | |||
@@ -391,7 +391,7 @@ outnl: | |||
391 | static ssize_t wdm_read | 391 | static ssize_t wdm_read |
392 | (struct file *file, char __user *buffer, size_t count, loff_t *ppos) | 392 | (struct file *file, char __user *buffer, size_t count, loff_t *ppos) |
393 | { | 393 | { |
394 | int rv, cntr = 0; | 394 | int rv, cntr; |
395 | int i = 0; | 395 | int i = 0; |
396 | struct wdm_device *desc = file->private_data; | 396 | struct wdm_device *desc = file->private_data; |
397 | 397 | ||
@@ -400,7 +400,8 @@ static ssize_t wdm_read | |||
400 | if (rv < 0) | 400 | if (rv < 0) |
401 | return -ERESTARTSYS; | 401 | return -ERESTARTSYS; |
402 | 402 | ||
403 | if (desc->length == 0) { | 403 | cntr = ACCESS_ONCE(desc->length); |
404 | if (cntr == 0) { | ||
404 | desc->read = 0; | 405 | desc->read = 0; |
405 | retry: | 406 | retry: |
406 | if (test_bit(WDM_DISCONNECTING, &desc->flags)) { | 407 | if (test_bit(WDM_DISCONNECTING, &desc->flags)) { |
@@ -455,25 +456,30 @@ retry: | |||
455 | goto retry; | 456 | goto retry; |
456 | } | 457 | } |
457 | clear_bit(WDM_READ, &desc->flags); | 458 | clear_bit(WDM_READ, &desc->flags); |
459 | cntr = desc->length; | ||
458 | spin_unlock_irq(&desc->iuspin); | 460 | spin_unlock_irq(&desc->iuspin); |
459 | } | 461 | } |
460 | 462 | ||
461 | cntr = count > desc->length ? desc->length : count; | 463 | if (cntr > count) |
464 | cntr = count; | ||
462 | rv = copy_to_user(buffer, desc->ubuf, cntr); | 465 | rv = copy_to_user(buffer, desc->ubuf, cntr); |
463 | if (rv > 0) { | 466 | if (rv > 0) { |
464 | rv = -EFAULT; | 467 | rv = -EFAULT; |
465 | goto err; | 468 | goto err; |
466 | } | 469 | } |
467 | 470 | ||
471 | spin_lock_irq(&desc->iuspin); | ||
472 | |||
468 | for (i = 0; i < desc->length - cntr; i++) | 473 | for (i = 0; i < desc->length - cntr; i++) |
469 | desc->ubuf[i] = desc->ubuf[i + cntr]; | 474 | desc->ubuf[i] = desc->ubuf[i + cntr]; |
470 | 475 | ||
471 | spin_lock_irq(&desc->iuspin); | ||
472 | desc->length -= cntr; | 476 | desc->length -= cntr; |
473 | spin_unlock_irq(&desc->iuspin); | ||
474 | /* in case we had outstanding data */ | 477 | /* in case we had outstanding data */ |
475 | if (!desc->length) | 478 | if (!desc->length) |
476 | clear_bit(WDM_READ, &desc->flags); | 479 | clear_bit(WDM_READ, &desc->flags); |
480 | |||
481 | spin_unlock_irq(&desc->iuspin); | ||
482 | |||
477 | rv = cntr; | 483 | rv = cntr; |
478 | 484 | ||
479 | err: | 485 | err: |