public inbox for linux-usb@vger.kernel.org
 help / color / mirror / Atom feed
From: Greg KH <gregkh@linuxfoundation.org>
To: Gui-Dong Han <hanguidong02@gmail.com>
Cc: Oliver Neukum <oneukum@suse.com>,
	linux-usb@vger.kernel.org, Jia-Ju Bai <baijiaju1990@gmail.com>
Subject: Re: [PATCH] usb: class: cdc-wdm: fix reordering issue in read code path
Date: Wed, 4 Mar 2026 16:35:21 +0100	[thread overview]
Message-ID: <2026030408-concept-relish-4ab2@gregkh> (raw)
In-Reply-To: <CALbr=LZLTrAHLVeE2twUoHb=S=RCEnhZMjp77E-ZUU2_Krtb6g@mail.gmail.com>

On Wed, Mar 04, 2026 at 09:43:47PM +0800, Gui-Dong Han wrote:
> On Wed, Mar 4, 2026 at 9:01 PM Oliver Neukum <oneukum@suse.com> wrote:
> >
> > Quoting the bug report:
> >
> > Due to compiler optimization or CPU out-of-order execution, the
> > desc->length update can be reordered before the memmove. If this
> > happens, wdm_read() can see the new length and call copy_to_user() on
> > uninitialized memory. This also violates LKMM data race rules [1].
> >
> > Fix it by using WRITE_ONCE and memory barriers.
> >
> > Fixes: afba937e540c9 ("USB: CDC WDM driver")
> 
> Closes: https://lore.kernel.org/linux-usb/CALbr=LbrUZn_cfp7CfR-7Z5wDTHF96qeuM=3fO2m-q4cDrnC4A@mail.gmail.com/
> Reported-by: Gui-Dong Han <hanguidong02@gmail.com>
> 
> Looks good for the immediate fix.
> 
> As a long-term solution, refactoring this to use kfifo would be much
> better. The race condition I reported is just one example of how this
> ad-hoc lockless implementation can fail. Hand-rolling lockless
> algorithms is highly error-prone and likely hides other subtle bugs.

Again, great, please submit patches to do this.  It was done "recently"
for the tty layer, so perhaps take a look at that work to see how it can
be done, and the issues involved.  I'd be interested if it changes the
throughput and code size any (probably not on throughput given the slow
speeds of USB, but code size might be more interesting...)

thanks,

greg k-h

  reply	other threads:[~2026-03-04 15:35 UTC|newest]

Thread overview: 5+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-03-04 13:01 [PATCH] usb: class: cdc-wdm: fix reordering issue in read code path Oliver Neukum
2026-03-04 13:43 ` Gui-Dong Han
2026-03-04 15:35   ` Greg KH [this message]
2026-03-04 14:54 ` Gui-Dong Han
2026-03-04 15:34   ` Oliver Neukum

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=2026030408-concept-relish-4ab2@gregkh \
    --to=gregkh@linuxfoundation.org \
    --cc=baijiaju1990@gmail.com \
    --cc=hanguidong02@gmail.com \
    --cc=linux-usb@vger.kernel.org \
    --cc=oneukum@suse.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox