* [PATCH] usb: gadget: printer: fix infinite loop in printer_read()
@ 2026-07-01 20:53 Melbin K Mathew
2026-07-03 7:03 ` Peter Chen
2026-07-03 7:54 ` [PATCH v2] " Melbin K Mathew
0 siblings, 2 replies; 3+ messages in thread
From: Melbin K Mathew @ 2026-07-01 20:53 UTC (permalink / raw)
To: gregkh; +Cc: linux-usb, linux-kernel, security, Melbin K Mathew, stable
printer_read() uses the same variable for the requested copy size and
the number of bytes actually copied to user space. copy_to_user()
returns the number of bytes not copied, so when it fails to copy
anything, the computed copied length becomes zero.
In that case len, buf, current_rx_bytes and current_rx_buf are left
unchanged. If RX data is available and the user buffer remains
unwritable, the read loop can repeat indefinitely.
Track the copied length separately and return -EFAULT, or the number of
bytes already copied, if an iteration makes no progress.
Fixes: b185f01a9ab7 ("usb: gadget: printer: factor out f_printer")
Cc: stable@vger.kernel.org
Signed-off-by: Melbin K Mathew <mlbnkm1@gmail.com>
---
A small userspace model/reproducer is available to maintainers on request.
drivers/usb/gadget/function/f_printer.c | 25 +++++++++++++++++++------
1 file changed, 19 insertions(+), 6 deletions(-)
diff --git a/drivers/usb/gadget/function/f_printer.c b/drivers/usb/gadget/function/f_printer.c
index e4f7828ae7..e346e4c26e 100644
--- a/drivers/usb/gadget/function/f_printer.c
+++ b/drivers/usb/gadget/function/f_printer.c
@@ -432,7 +432,7 @@ printer_read(struct file *fd, char __user *buf, size_t len, loff_t *ptr)
{
struct printer_dev *dev = fd->private_data;
unsigned long flags;
- size_t size;
+ size_t size, not_copied, copied;
size_t bytes_copied;
struct usb_request *req;
/* This is a pointer to the current USB rx request. */
@@ -525,14 +525,16 @@ printer_read(struct file *fd, char __user *buf, size_t len, loff_t *ptr)
else
size = len;
- size -= copy_to_user(buf, current_rx_buf, size);
- bytes_copied += size;
- len -= size;
- buf += size;
+ not_copied = copy_to_user(buf, current_rx_buf, size);
+ copied = size - not_copied;
+
+ bytes_copied += copied;
+ len -= copied;
+ buf += copied;
spin_lock_irqsave(&dev->lock, flags);
- /* We've disconnected or reset so return. */
+ /* We have disconnected or reset so return. */
if (dev->reset_printer) {
list_add(¤t_rx_req->list, &dev->rx_reqs);
spin_unlock_irqrestore(&dev->lock, flags);
@@ -543,6 +545,17 @@ printer_read(struct file *fd, char __user *buf, size_t len, loff_t *ptr)
if (dev->interface < 0)
goto out_disabled;
+ if (!copied) {
+ dev->current_rx_req = current_rx_req;
+ dev->current_rx_bytes = current_rx_bytes;
+ dev->current_rx_buf = current_rx_buf;
+ spin_unlock_irqrestore(&dev->lock, flags);
+ mutex_unlock(&dev->lock_printer_io);
+ return bytes_copied ? bytes_copied : -EFAULT;
+ }
+
+ size = copied;
+
/* If we not returning all the data left in this RX request
* buffer then adjust the amount of data left in the buffer.
* Othewise if we are done with this RX request buffer then
--
2.39.5
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH] usb: gadget: printer: fix infinite loop in printer_read()
2026-07-01 20:53 [PATCH] usb: gadget: printer: fix infinite loop in printer_read() Melbin K Mathew
@ 2026-07-03 7:03 ` Peter Chen
2026-07-03 7:54 ` [PATCH v2] " Melbin K Mathew
1 sibling, 0 replies; 3+ messages in thread
From: Peter Chen @ 2026-07-03 7:03 UTC (permalink / raw)
To: Melbin K Mathew; +Cc: gregkh, linux-usb, linux-kernel, security, stable
On 26-07-01 22:53:20, Melbin K Mathew wrote:
> printer_read() uses the same variable for the requested copy size and
> the number of bytes actually copied to user space. copy_to_user()
> returns the number of bytes not copied, so when it fails to copy
> anything, the computed copied length becomes zero.
>
> In that case len, buf, current_rx_bytes and current_rx_buf are left
> unchanged. If RX data is available and the user buffer remains
> unwritable, the read loop can repeat indefinitely.
>
> Track the copied length separately and return -EFAULT, or the number of
> bytes already copied, if an iteration makes no progress.
>
> Fixes: b185f01a9ab7 ("usb: gadget: printer: factor out f_printer")
> Cc: stable@vger.kernel.org
> Signed-off-by: Melbin K Mathew <mlbnkm1@gmail.com>
> ---
> A small userspace model/reproducer is available to maintainers on request.
>
> drivers/usb/gadget/function/f_printer.c | 25 +++++++++++++++++++------
> 1 file changed, 19 insertions(+), 6 deletions(-)
>
> diff --git a/drivers/usb/gadget/function/f_printer.c b/drivers/usb/gadget/function/f_printer.c
> index e4f7828ae7..e346e4c26e 100644
> --- a/drivers/usb/gadget/function/f_printer.c
> +++ b/drivers/usb/gadget/function/f_printer.c
> @@ -432,7 +432,7 @@ printer_read(struct file *fd, char __user *buf, size_t len, loff_t *ptr)
> {
> struct printer_dev *dev = fd->private_data;
> unsigned long flags;
> - size_t size;
> + size_t size, not_copied, copied;
> size_t bytes_copied;
> struct usb_request *req;
> /* This is a pointer to the current USB rx request. */
> @@ -525,14 +525,16 @@ printer_read(struct file *fd, char __user *buf, size_t len, loff_t *ptr)
> else
> size = len;
>
> - size -= copy_to_user(buf, current_rx_buf, size);
> - bytes_copied += size;
> - len -= size;
> - buf += size;
> + not_copied = copy_to_user(buf, current_rx_buf, size);
> + copied = size - not_copied;
> +
> + bytes_copied += copied;
> + len -= copied;
> + buf += copied;
>
> spin_lock_irqsave(&dev->lock, flags);
>
> - /* We've disconnected or reset so return. */
> + /* We have disconnected or reset so return. */
Since it is a bug-fix, and goes to stable tree, drop this un-related change.
Otherwise:
Reviewed-by: Peter Chen <peter.chen@kernel.org>
Peter
> if (dev->reset_printer) {
> list_add(¤t_rx_req->list, &dev->rx_reqs);
> spin_unlock_irqrestore(&dev->lock, flags);
> @@ -543,6 +545,17 @@ printer_read(struct file *fd, char __user *buf, size_t len, loff_t *ptr)
> if (dev->interface < 0)
> goto out_disabled;
>
> + if (!copied) {
> + dev->current_rx_req = current_rx_req;
> + dev->current_rx_bytes = current_rx_bytes;
> + dev->current_rx_buf = current_rx_buf;
> + spin_unlock_irqrestore(&dev->lock, flags);
> + mutex_unlock(&dev->lock_printer_io);
> + return bytes_copied ? bytes_copied : -EFAULT;
> + }
> +
> + size = copied;
> +
> /* If we not returning all the data left in this RX request
> * buffer then adjust the amount of data left in the buffer.
> * Othewise if we are done with this RX request buffer then
> --
> 2.39.5
>
>
--
Thanks,
Peter Chen
^ permalink raw reply [flat|nested] 3+ messages in thread
* [PATCH v2] usb: gadget: printer: fix infinite loop in printer_read()
2026-07-01 20:53 [PATCH] usb: gadget: printer: fix infinite loop in printer_read() Melbin K Mathew
2026-07-03 7:03 ` Peter Chen
@ 2026-07-03 7:54 ` Melbin K Mathew
1 sibling, 0 replies; 3+ messages in thread
From: Melbin K Mathew @ 2026-07-03 7:54 UTC (permalink / raw)
To: Greg Kroah-Hartman, linux-usb
Cc: linux-kernel, Peter Chen, stable, Melbin K Mathew
printer_read() uses the same variable for the requested copy size and
the number of bytes actually copied to user space. copy_to_user()
returns the number of bytes not copied, so when it fails to copy
anything, the computed copied length becomes zero.
In that case len, buf, current_rx_bytes and current_rx_buf are left
unchanged. If RX data is available and the user buffer remains
unwritable, the read loop can repeat indefinitely.
Track the copied length separately and return -EFAULT, or the number of
bytes already copied, if an iteration makes no progress.
Fixes: b185f01a9ab7 ("usb: gadget: printer: factor out f_printer")
Cc: stable@vger.kernel.org
Reviewed-by: Peter Chen <peter.chen@kernel.org>
Signed-off-by: Melbin K Mathew <mlbnkm1@gmail.com>
---
Changes in v2:
- Drop unrelated comment wording change.
- Add Reviewed-by tag from Peter Chen.
drivers/usb/gadget/function/f_printer.c | 25 +++++++++++++++++++------
1 file changed, 19 insertions(+), 6 deletions(-)
diff --git a/drivers/usb/gadget/function/f_printer.c b/drivers/usb/gadget/function/f_printer.c
index e4f7828ae7..e346e4c26e 100644
--- a/drivers/usb/gadget/function/f_printer.c
+++ b/drivers/usb/gadget/function/f_printer.c
@@ -432,7 +432,7 @@ printer_read(struct file *fd, char __user *buf, size_t len, loff_t *ptr)
{
struct printer_dev *dev = fd->private_data;
unsigned long flags;
- size_t size;
+ size_t size, not_copied, copied;
size_t bytes_copied;
struct usb_request *req;
/* This is a pointer to the current USB rx request. */
@@ -525,14 +525,16 @@ printer_read(struct file *fd, char __user *buf, size_t len, loff_t *ptr)
else
size = len;
- size -= copy_to_user(buf, current_rx_buf, size);
- bytes_copied += size;
- len -= size;
- buf += size;
+ not_copied = copy_to_user(buf, current_rx_buf, size);
+ copied = size - not_copied;
+
+ bytes_copied += copied;
+ len -= copied;
+ buf += copied;
spin_lock_irqsave(&dev->lock, flags);
if (dev->reset_printer) {
list_add(¤t_rx_req->list, &dev->rx_reqs);
spin_unlock_irqrestore(&dev->lock, flags);
@@ -543,6 +545,17 @@ printer_read(struct file *fd, char __user *buf, size_t len, loff_t *ptr)
if (dev->interface < 0)
goto out_disabled;
+ if (!copied) {
+ dev->current_rx_req = current_rx_req;
+ dev->current_rx_bytes = current_rx_bytes;
+ dev->current_rx_buf = current_rx_buf;
+ spin_unlock_irqrestore(&dev->lock, flags);
+ mutex_unlock(&dev->lock_printer_io);
+ return bytes_copied ? bytes_copied : -EFAULT;
+ }
+
+ size = copied;
+
/* If we not returning all the data left in this RX request
* buffer then adjust the amount of data left in the buffer.
* Othewise if we are done with this RX request buffer then
--
2.39.5
^ permalink raw reply related [flat|nested] 3+ messages in thread
end of thread, other threads:[~2026-07-03 7:54 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-07-01 20:53 [PATCH] usb: gadget: printer: fix infinite loop in printer_read() Melbin K Mathew
2026-07-03 7:03 ` Peter Chen
2026-07-03 7:54 ` [PATCH v2] " Melbin K Mathew
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox