linux/drivers/usb/class
Johan Hovold 764478f411 USB: cdc-acm: fix unthrottle races
Fix two long-standing bugs which could potentially lead to memory
corruption or leave the port throttled until it is reopened (on weakly
ordered systems), respectively, when read-URB completion races with
unthrottle().

First, the URB must not be marked as free before processing is complete
to prevent it from being submitted by unthrottle() on another CPU.

	CPU 1				CPU 2
	================		================
	complete()			unthrottle()
	  process_urb();
	  smp_mb__before_atomic();
	  set_bit(i, free);		  if (test_and_clear_bit(i, free))
						  submit_urb();

Second, the URB must be marked as free before checking the throttled
flag to prevent unthrottle() on another CPU from failing to observe that
the URB needs to be submitted if complete() sees that the throttled flag
is set.

	CPU 1				CPU 2
	================		================
	complete()			unthrottle()
	  set_bit(i, free);		  throttled = 0;
	  smp_mb__after_atomic();	  smp_mb();
	  if (throttled)		  if (test_and_clear_bit(i, free))
		  return;			  submit_urb();

Note that test_and_clear_bit() only implies barriers when the test is
successful. To handle the case where the URB is still in use an explicit
barrier needs to be added to unthrottle() for the second race condition.

Also note that the first race was fixed by 36e59e0d70 ("cdc-acm: fix
race between callback and unthrottle") back in 2015, but the bug was
reintroduced a year later.

Fixes: 1aba579f3c ("cdc-acm: handle read pipe errors")
Fixes: 088c64f812 ("USB: cdc-acm: re-write read processing")
Signed-off-by: Johan Hovold <johan@kernel.org>
Acked-by: Oliver Neukum <oneukum@suse.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-04-29 16:14:41 +02:00
..
cdc-acm.c USB: cdc-acm: fix unthrottle races 2019-04-29 16:14:41 +02:00
cdc-acm.h cdc-acm: fix abnormal DATA RX issue for Mediatek Preloader. 2018-12-20 16:38:52 +01:00
cdc-wdm.c cdc-wdm: pass return value of recover_from_urb_loss 2019-02-19 14:41:38 +01:00
Kconfig USB: add missing SPDX lines to Kconfig and Makefiles 2019-01-22 09:08:17 +01:00
Makefile USB: add SPDX identifiers to all remaining Makefiles 2017-11-07 15:53:48 +01:00
usblp.c usb: usblp: use irqsave() in USB's complete callback 2018-06-28 19:36:06 +09:00
usbtmc.c usb: usbtmc: uninitialized symbol 'actual' in usbtmc_ioctl_abort_bulk_in_tag 2018-09-28 15:12:08 +02:00