CVE-2026-43427: usb: class: cdc-wdm: fix reordering issue in read code path

[Greg Kroah-Hartman <gregkh@linuxfoundation.org>]

From: Greg Kroah-Hartman <gregkh@kernel.org>

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

usb: class: cdc-wdm: fix reordering issue in read code path

Quoting the bug report:

Due to compiler optimization or CPU out-of-order execution, the
desc->length update can be reordered before the memmove. If this
happens, wdm_read() can see the new length and call copy_to_user() on
uninitialized memory. This also violates LKMM data race rules [1].

Fix it by using WRITE_ONCE and memory barriers.

The Linux kernel CVE team has assigned CVE-2026-43427 to this issue.


Affected and fixed versions
===========================

	Issue introduced in 2.6.26 with commit afba937e540c902c989cd516fd97ea0c8499bb27 and fixed in 5.10.253 with commit 638328ca9c17ae6511ad62198c57bae32ffa3c91
	Issue introduced in 2.6.26 with commit afba937e540c902c989cd516fd97ea0c8499bb27 and fixed in 5.15.203 with commit 170e8daca24da6edb4be82ab01abf44e87af387b
	Issue introduced in 2.6.26 with commit afba937e540c902c989cd516fd97ea0c8499bb27 and fixed in 6.1.167 with commit c8fa96ed021923dae147bcd9f9205b8df7b82360
	Issue introduced in 2.6.26 with commit afba937e540c902c989cd516fd97ea0c8499bb27 and fixed in 6.6.130 with commit 4ee3062bf2c9a722afef429826e8607eaf3fc6a0
	Issue introduced in 2.6.26 with commit afba937e540c902c989cd516fd97ea0c8499bb27 and fixed in 6.12.78 with commit 276aef0fd2b92f41b920ac891c72cadeee957934
	Issue introduced in 2.6.26 with commit afba937e540c902c989cd516fd97ea0c8499bb27 and fixed in 6.18.19 with commit 67ed312124bb1b61858778ac0b985b48961c862a
	Issue introduced in 2.6.26 with commit afba937e540c902c989cd516fd97ea0c8499bb27 and fixed in 6.19.9 with commit e3c874b05901dc519054b5107d16620e6d2b5fea
	Issue introduced in 2.6.26 with commit afba937e540c902c989cd516fd97ea0c8499bb27 and fixed in 7.0 with commit 8df672bfe3ec2268c2636584202755898e547173

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2026-43427
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	drivers/usb/class/cdc-wdm.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/638328ca9c17ae6511ad62198c57bae32ffa3c91
	https://git.kernel.org/stable/c/170e8daca24da6edb4be82ab01abf44e87af387b
	https://git.kernel.org/stable/c/c8fa96ed021923dae147bcd9f9205b8df7b82360
	https://git.kernel.org/stable/c/4ee3062bf2c9a722afef429826e8607eaf3fc6a0
	https://git.kernel.org/stable/c/276aef0fd2b92f41b920ac891c72cadeee957934
	https://git.kernel.org/stable/c/67ed312124bb1b61858778ac0b985b48961c862a
	https://git.kernel.org/stable/c/e3c874b05901dc519054b5107d16620e6d2b5fea
	https://git.kernel.org/stable/c/8df672bfe3ec2268c2636584202755898e547173