* [PATCH] usb: gadget: bdc: validate status-report endpoint indices
From: Pengpeng Hou @ 2026-03-23 12:17 UTC
To: justin.chen
Cc: alcooperx, bcm-kernel-feedback-list, gregkh, linux-usb,
linux-kernel, pengpeng
bdc_sr_xsf() decodes a 5-bit endpoint number from the hardware status
report and uses it to index bdc->bdc_ep_array[] directly. The array is
only allocated to bdc->num_eps for the current controller instance, so a
status report can carry an endpoint number that still fits the 5-bit
field but does not fit the runtime-sized endpoint table.
Reject status reports whose endpoint number is outside bdc->num_eps
before indexing the endpoint array.
Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
---
drivers/usb/gadget/udc/bdc/bdc_ep.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/usb/gadget/udc/bdc/bdc_ep.c b/drivers/usb/gadget/udc/bdc/bdc_ep.c
index c0ab3347059a..a7a22e5ec47b 100644
--- a/drivers/usb/gadget/udc/bdc/bdc_ep.c
+++ b/drivers/usb/gadget/udc/bdc/bdc_ep.c
@@ -1647,6 +1647,10 @@ void bdc_sr_xsf(struct bdc *bdc, struct bdc_sr *sreport)
u8 ep_num;
ep_num = (le32_to_cpu(sreport->offset[3])>>4) & 0x1f;
+ if (ep_num >= bdc->num_eps) {
+ dev_err(bdc->dev, "xsf for invalid ep %u\n", ep_num);
+ return;
+ }
ep = bdc->bdc_ep_array[ep_num];
if (!ep || !(ep->flags & BDC_EP_ENABLED)) {
dev_err(bdc->dev, "xsf for ep not enabled\n");
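Review bot: the dev_err() added in the `ep_num >= bdc->num_eps` branch is emitted once per rejected status report with no rate limit, so a controller that keeps producing an out-of-range index can flood the kernel log from the status-report path; dev_err_ratelimited() would keep the diagnostic without that side effect. The comparison itself matches the commit message's statement that bdc_ep_array[] is allocated to bdc->num_eps, and the existing `!ep` test on the following context line still covers in-range slots that are NULL, so the ordering of the two checks is right. Two things to settle before this is applied: the subject says "indices" while the diffstat shows a single hunk in bdc_sr_xsf(), so it is worth confirming that no other status-report handler decodes the same 5-bit field without this check, and the commit message carries no Fixes: tag, which a bounds fix like this normally needs for stable backporting.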
--
2.50.1 (Apple Git-155)
* Re: [PATCH] usb: gadget: bdc: validate status-report endpoint indices
From: Florian Fainelli @ 2026-03-23 19:20 UTC
To: Pengpeng Hou, justin.chen
Cc: alcooperx, bcm-kernel-feedback-list, gregkh, linux-usb,
linux-kernel
On 3/23/26 05:17, Pengpeng Hou wrote:
> bdc_sr_xsf() decodes a 5-bit endpoint number from the hardware status
> report and uses it to index bdc->bdc_ep_array[] directly. The array is
> only allocated to bdc->num_eps for the current controller instance, so a
> status report can carry an endpoint number that still fits the 5-bit
> field but does not fit the runtime-sized endpoint table.
>
> Reject status reports whose endpoint number is outside bdc->num_eps
> before indexing the endpoint array.
>
> Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
--
Florian
* Re: [PATCH] usb: gadget: bdc: validate status-report endpoint indices
From: Justin Chen @ 2026-03-24 18:45 UTC
To: Florian Fainelli, Pengpeng Hou
Cc: alcooperx, bcm-kernel-feedback-list, gregkh, linux-usb,
linux-kernel
On 3/23/26 12:20 PM, Florian Fainelli wrote:
> On 3/23/26 05:17, Pengpeng Hou wrote:
>> bdc_sr_xsf() decodes a 5-bit endpoint number from the hardware status
>> report and uses it to index bdc->bdc_ep_array[] directly. The array is
>> only allocated to bdc->num_eps for the current controller instance, so a
>> status report can carry an endpoint number that still fits the 5-bit
>> field but does not fit the runtime-sized endpoint table.
>>
>> Reject status reports whose endpoint number is outside bdc->num_eps
>> before indexing the endpoint array.
>>
>> Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
>
> Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
Tested-by: Justin Chen <justin.chen@broadcom.com>