From f563926fed982f26b391ca42493f55f2447f1b0a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= <bjorn@mork.no>
Date: Sun, 12 Jan 2014 21:48:53 +0100
Subject: [PATCH] usb: cdc-wdm: resp_count can be 0 even if WDM_READ is set
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Do not decrement resp_count if it's already 0.

We set resp_count to 0 when the device is closed.  The next open and
read will try to clear the WDM_READ flag if there was leftover data
in the read buffer. This fix is necessary to prevent resubmitting
the read URB in a tight loop because resp_count becomes negative.

The bug can easily be triggered from userspace by not reading all
data in the read buffer, and then closing and reopening the chardev.

Fixes: 8dd5cd5395b9 ("usb: cdc-wdm: avoid hanging on zero length reads")
Cc: <stable@vger.kernel.org> # 3.13
Signed-off-by: Bjørn Mork <bjorn@mork.no>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/class/cdc-wdm.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/usb/class/cdc-wdm.c b/drivers/usb/class/cdc-wdm.c
index 590ff8b5aa2030..a051a7a2b1bd53 100644
--- a/drivers/usb/class/cdc-wdm.c
+++ b/drivers/usb/class/cdc-wdm.c
@@ -445,7 +445,7 @@ static int clear_wdm_read_flag(struct wdm_device *desc)
 	clear_bit(WDM_READ, &desc->flags);
 
 	/* submit read urb only if the device is waiting for it */
-	if (!--desc->resp_count)
+	if (!desc->resp_count || !--desc->resp_count)
 		goto out;
 
 	set_bit(WDM_RESPONDING, &desc->flags);
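Review bot: the new test `if (!desc->resp_count || !--desc->resp_count)` depends on short-circuit evaluation to skip the decrement when the counter is already 0, but the comment above it still reads only "submit read urb only if the device is waiting for it". Extend that comment to say that resp_count is reset to 0 on close, so it can be 0 here while WDM_READ is still set. Without it, a later cleanup could fold the condition back into the bare pre-decrement and reintroduce the negative count and the URB resubmit loop described in the commit message. The hunk also does not show which lock, if any, is held around this read-modify-write of resp_count; it is worth confirming that it matches the other paths that update the counter.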
-- 
GitLab