From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.8 required=3.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED, DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SIGNED_OFF_BY, SPF_HELO_NONE,SPF_PASS,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 25462CA9EC9 for ; Mon, 4 Nov 2019 21:51:00 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id E5AF721928 for ; Mon, 4 Nov 2019 21:50:59 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1572904260; bh=/Ys8JP9U4GHYI+d6hD1pxpt4rHg0+OqteyS7APFzBx8=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=yHoyT0dhL4wug1dGd0MeG5vEYQ37ENBshbCZsSXvzCLZuT47P7a9kJiYa0aNOpATz K6mVS7g6GMGGGk0cozwMnqPFJUKUGhdzFs1t2tONtcsO5acJaUhaFK7f9ZZeLpIeHu gazHtc85csVnHFHUUna1ujTnSOwHz0s2MgQFNd6I= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730374AbfKDVu6 (ORCPT ); Mon, 4 Nov 2019 16:50:58 -0500 Received: from mail.kernel.org ([198.145.29.99]:43640 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729985AbfKDVu6 (ORCPT ); Mon, 4 Nov 2019 16:50:58 -0500 Received: from localhost (6.204-14-84.ripe.coltfrance.com [84.14.204.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 0EEE5217F5; Mon, 4 Nov 2019 21:50:56 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1572904257; bh=/Ys8JP9U4GHYI+d6hD1pxpt4rHg0+OqteyS7APFzBx8=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=uVYEV7hybt8LoxC2SemjKg7n/yaUWSNaEu9K2XBpgougrHLgfj4niPFLzSDibhVBU Tr3NNgLRpz6EisJCIJpHYqTQgiUfe7rr5lJYESlFZOrnfVG0kIBFy3l+JMSf81EMh5 ne74qeDcRFJ0MWNPveZSrcKeUPpmU9yDXZlwr5s4= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Johan Hovold Subject: [PATCH 4.9 40/62] USB: ldusb: fix ring-buffer locking Date: Mon, 4 Nov 2019 22:45:02 +0100 Message-Id: <20191104211943.395765482@linuxfoundation.org> X-Mailer: git-send-email 2.23.0 In-Reply-To: <20191104211901.387893698@linuxfoundation.org> References: <20191104211901.387893698@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: stable-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Johan Hovold commit d98ee2a19c3334e9343df3ce254b496f1fc428eb upstream. The custom ring-buffer implementation was merged without any locking or explicit memory barriers, but a spinlock was later added by commit 9d33efd9a791 ("USB: ldusb bugfix"). The lock did not cover the update of the tail index once the entry had been processed, something which could lead to memory corruption on weakly ordered architectures or due to compiler optimisations. Specifically, a completion handler running on another CPU might observe the incremented tail index and update the entry before ld_usb_read() is done with it. Fixes: 2824bd250f0b ("[PATCH] USB: add ldusb driver") Fixes: 9d33efd9a791 ("USB: ldusb bugfix") Cc: stable # 2.6.13 Signed-off-by: Johan Hovold Link: https://lore.kernel.org/r/20191022143203.5260-2-johan@kernel.org Signed-off-by: Greg Kroah-Hartman --- drivers/usb/misc/ldusb.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) --- a/drivers/usb/misc/ldusb.c +++ b/drivers/usb/misc/ldusb.c @@ -499,11 +499,11 @@ static ssize_t ld_usb_read(struct file * retval = -EFAULT; goto unlock_exit; } - dev->ring_tail = (dev->ring_tail+1) % ring_buffer_size; - retval = bytes_to_read; spin_lock_irq(&dev->rbsl); + dev->ring_tail = (dev->ring_tail + 1) % ring_buffer_size; + if (dev->buffer_overflow) { dev->buffer_overflow = 0; spin_unlock_irq(&dev->rbsl);