From: Bjørn Mork Date: Sun, 12 Jan 2014 20:48:53 +0000 (+0100) Subject: usb: cdc-wdm: resp_count can be 0 even if WDM_READ is set X-Git-Tag: firefly_0821_release~176^2~4624^2~8 X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=f563926fed982f26b391ca42493f55f2447f1b0a;p=firefly-linux-kernel-4.4.55.git usb: cdc-wdm: resp_count can be 0 even if WDM_READ is set Do not decrement resp_count if it's already 0. We set resp_count to 0 when the device is closed. The next open and read will try to clear the WDM_READ flag if there was leftover data in the read buffer. This fix is necessary to prevent resubmitting the read URB in a tight loop because resp_count becomes negative. The bug can easily be triggered from userspace by not reading all data in the read buffer, and then closing and reopening the chardev. Fixes: 8dd5cd5395b9 ("usb: cdc-wdm: avoid hanging on zero length reads") Cc: # 3.13 Signed-off-by: Bjørn Mork Signed-off-by: Greg Kroah-Hartman --- diff --git a/drivers/usb/class/cdc-wdm.c b/drivers/usb/class/cdc-wdm.c index 590ff8b5aa20..a051a7a2b1bd 100644 --- a/drivers/usb/class/cdc-wdm.c +++ b/drivers/usb/class/cdc-wdm.c @@ -445,7 +445,7 @@ static int clear_wdm_read_flag(struct wdm_device *desc) clear_bit(WDM_READ, &desc->flags); /* submit read urb only if the device is waiting for it */ - if (!--desc->resp_count) + if (!desc->resp_count || !--desc->resp_count) goto out; set_bit(WDM_RESPONDING, &desc->flags);
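Review bot: The new condition `!desc->resp_count || !--desc->resp_count` in clear_wdm_read_flag() has no comment saying why resp_count can already be 0 here; the existing comment above it only covers the "device is waiting" case. The commit message gives the reason (resp_count is set to 0 on close, and the next open and read can still reach this path with leftover data in the read buffer). A one-line comment stating that next to the check would keep a later cleanup from collapsing it back to `!--desc->resp_count` and reintroducing the negative count and the tight URB resubmit loop. The zero test and the decrement are also two separate steps, so the guard only holds if every writer of resp_count is serialized by the same lock. The hunk's context lines do not show one being held, so that is worth confirming before merge.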