diff options
author | Bjørn Mork <bjorn@mork.no> | 2014-01-12 21:48:53 +0100 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2014-01-12 20:13:28 -0800 |
commit | f563926fed982f26b391ca42493f55f2447f1b0a (patch) | |
tree | f25186b2329acd71e206d510c01be31ece23aae9 /drivers/usb/class | |
parent | 52a6966c350624db89addc3e6a825f5e797a73e4 (diff) | |
download | linux-f563926fed982f26b391ca42493f55f2447f1b0a.tar.gz linux-f563926fed982f26b391ca42493f55f2447f1b0a.tar.bz2 linux-f563926fed982f26b391ca42493f55f2447f1b0a.zip |
usb: cdc-wdm: resp_count can be 0 even if WDM_READ is set
Do not decrement resp_count if it's already 0.
We set resp_count to 0 when the device is closed. The next open and
read will try to clear the WDM_READ flag if there was leftover data
in the read buffer. This fix is necessary to prevent resubmitting
the read URB in a tight loop because resp_count becomes negative.
The bug can easily be triggered from userspace by not reading all
data in the read buffer, and then closing and reopening the chardev.
Fixes: 8dd5cd5395b9 ("usb: cdc-wdm: avoid hanging on zero length reads")
Cc: <stable@vger.kernel.org> # 3.13
Signed-off-by: Bjørn Mork <bjorn@mork.no>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'drivers/usb/class')
-rw-r--r-- | drivers/usb/class/cdc-wdm.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/usb/class/cdc-wdm.c b/drivers/usb/class/cdc-wdm.c index 590ff8b5aa20..a051a7a2b1bd 100644 --- a/drivers/usb/class/cdc-wdm.c +++ b/drivers/usb/class/cdc-wdm.c @@ -445,7 +445,7 @@ static int clear_wdm_read_flag(struct wdm_device *desc) clear_bit(WDM_READ, &desc->flags); /* submit read urb only if the device is waiting for it */ - if (!--desc->resp_count) + if (!desc->resp_count || !--desc->resp_count) goto out; set_bit(WDM_RESPONDING, &desc->flags); |