usb: cdc-wdm: resp_count can be 0 even if WDM_READ is set

Do not decrement resp_count if it's already 0. We set resp_count to 0 when the device is closed. The next open and read will try to clear the WDM_READ flag if there was leftover data in the read buffer. This fix is necessary to prevent resubmitting the read URB in a tight loop because resp_count becomes negative. The bug can easily be triggered from userspace by not reading all data in the read buffer, and then closing and reopening the chardev. Fixes: 8dd5cd5 ("usb: cdc-wdm: avoid hanging on zero length reads") Cc: <stable@vger.kernel.org> # 3.13 Signed-off-by: Bjørn Mork <bjorn@mork.no> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
mariux64 · Jan 13, 2014 · f563926 · f563926
1 parent 52a6966
commit f563926
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/drivers/usb/class/cdc-wdm.c b/drivers/usb/class/cdc-wdm.c
@@ -445,7 +445,7 @@ static int clear_wdm_read_flag(struct wdm_device *desc)
 	clear_bit(WDM_READ, &desc->flags);
 
 	/* submit read urb only if the device is waiting for it */
-	if (!--desc->resp_count)
+	if (!desc->resp_count || !--desc->resp_count)
 		goto out;
 
 	set_bit(WDM_RESPONDING, &desc->flags);