From 330ebd39e846dfb98b9a496e4cb1e467da0d4113 Mon Sep 17 00:00:00 2001 From: Taylor R Campbell Date: Mon, 17 Feb 2020 02:19:57 +0000 Subject: [PATCH] Fix TOCTOU in usb_transfer_complete for pipe->up_repeat. If the pipe is aborted _during_ the callback while the lock is dropped, then despite usbd_ar_pipe's setting pipe->up_repeat=0, usb_transfer_complete will continue to act on the old state of pipe->up_repeat=1 from before the callback -- and put it right back on the queue, which is not allowed when the caller subsequently tries to close the pipe. --- sys/dev/usb/usbdi.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sys/dev/usb/usbdi.c b/sys/dev/usb/usbdi.c index 4ad5fadc1eb6..5f4a913f8dad 100644 --- a/sys/dev/usb/usbdi.c +++ b/sys/dev/usb/usbdi.c @@ -1005,7 +1005,7 @@ usb_transfer_complete(struct usbd_xfer *xfer) cv_broadcast(&xfer->ux_cv); } - if (repeat) { + if (pipe->up_repeat) { xfer->ux_actlen = 0; xfer->ux_status = USBD_NOT_STARTED; } else {
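Review bot: the new test `if (pipe->up_repeat)` only closes the window described in the commit message if the pipe lock has already been reacquired at this point after the callback; the hunk context (`cv_broadcast(&xfer->ux_cv); }`) does not show where the lock is retaken, so confirm that this read happens under the lock rather than racing with usbd_ar_pipe's write of `pipe->up_repeat = 0`. A one-line comment above the test, e.g. `/* Re-read up_repeat: the pipe may have been aborted while the callback ran unlocked. */`, would keep a future cleanup from reverting to the cached local. Also, the `repeat` local that the removed line consulted is not visible in the hunk; if this was its last use, remove its assignment as well so the build does not pick up a set-but-unused variable warning.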