| From 65a205e6113506e69a503b61d97efec43fc10fd7 Mon Sep 17 00:00:00 2001 |
| From: Johan Hovold <johan@kernel.org> |
| Date: Wed, 29 Sep 2021 11:09:36 +0200 |
| Subject: USB: cdc-acm: fix racy tty buffer accesses |
| |
| From: Johan Hovold <johan@kernel.org> |
| |
| commit 65a205e6113506e69a503b61d97efec43fc10fd7 upstream. |
| |
| A recent change that started reporting break events to the line |
| discipline caused the tty-buffer insertions to no longer be serialised |
| by inserting events also from the completion handler for the interrupt |
| endpoint. |
| |
| Completion calls for distinct endpoints are not guaranteed to be |
| serialised. For example, in case a host-controller driver uses |
| bottom-half completion, the interrupt and bulk-in completion handlers |
| can end up running in parallel on two CPUs (high-and low-prio tasklets, |
| respectively) thereby breaking the tty layer's single producer |
| assumption. |
| |
| Fix this by holding the read lock also when inserting characters from |
| the bulk endpoint. |
| |
| Fixes: 08dff274edda ("cdc-acm: fix BREAK rx code path adding necessary calls") |
| Cc: stable@vger.kernel.org |
| Acked-by: Oliver Neukum <oneukum@suse.com> |
| Signed-off-by: Johan Hovold <johan@kernel.org> |
| Link: https://lore.kernel.org/r/20210929090937.7410-2-johan@kernel.org |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| drivers/usb/class/cdc-acm.c | 5 +++++ |
| 1 file changed, 5 insertions(+) |
| |
| --- a/drivers/usb/class/cdc-acm.c |
| +++ b/drivers/usb/class/cdc-acm.c |
| @@ -474,11 +474,16 @@ static int acm_submit_read_urbs(struct a |
| |
| static void acm_process_read_urb(struct acm *acm, struct urb *urb) |
| { |
| + unsigned long flags; |
| + |
| if (!urb->actual_length) |
| return; |
| |
| + spin_lock_irqsave(&acm->read_lock, flags); |
| tty_insert_flip_string(&acm->port, urb->transfer_buffer, |
| urb->actual_length); |
| + spin_unlock_irqrestore(&acm->read_lock, flags); |
| + |
| tty_flip_buffer_push(&acm->port); |
| } |
| |