From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Johan Hovold
Subject: [PATCH 4.9 40/62] USB: ldusb: fix ring-buffer locking
Date: Mon, 4 Nov 2019 22:45:02 +0100
Message-Id: <20191104211943.395765482@linuxfoundation.org>
X-Mailer: git-send-email 2.23.0
In-Reply-To: <20191104211901.387893698@linuxfoundation.org>
References: <20191104211901.387893698@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Johan Hovold

commit d98ee2a19c3334e9343df3ce254b496f1fc428eb upstream.

The custom ring-buffer implementation was merged without any locking or
explicit memory barriers, but a spinlock was later added by commit
9d33efd9a791 ("USB: ldusb bugfix").

The lock did not cover the update of the tail index once the entry had
been processed, something which could lead to memory corruption on
weakly ordered architectures or due to compiler optimisations.

Specifically, a completion handler running on another CPU might observe
the incremented tail index and update the entry before ld_usb_read() is
done with it.

Fixes: 2824bd250f0b ("[PATCH] USB: add ldusb driver")
Fixes: 9d33efd9a791 ("USB: ldusb bugfix")
Cc: stable # 2.6.13
Signed-off-by: Johan Hovold
Link: https://lore.kernel.org/r/20191022143203.5260-2-johan@kernel.org
Signed-off-by: Greg Kroah-Hartman
---
 drivers/usb/misc/ldusb.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/usb/misc/ldusb.c +++ b/drivers/usb/misc/ldusb.c
@@ -499,11 +499,11 @@ static ssize_t ld_usb_read(struct file * retval = -EFAULT; goto unlock_exit; } - dev->ring_tail = (dev->ring_tail+1) % ring_buffer_size; - retval = bytes_to_read; spin_lock_irq(&dev->rbsl); + dev->ring_tail = (dev->ring_tail + 1) % ring_buffer_size; + if (dev->buffer_overflow) { dev->buffer_overflow = 0; spin_unlock_irq(&dev->rbsl);
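
Review bot: the relocated `dev->ring_tail = (dev->ring_tail + 1) % ring_buffer_size;` directly after `spin_lock_irq(&dev->rbsl);` only closes the race described in the commit message if the completion handler also holds `rbsl` when it reads `ring_tail` and writes the entry. That side is not part of this hunk, so it should be confirmed against the handler in this 4.9 tree before the backport is taken. A one-line comment above the moved update, saying that the tail may only advance under `rbsl` once the reader is done with the entry, would also keep a later cleanup from hoisting it back above the lock, since nothing in the code itself marks the ordering as required.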