From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Felipe Balbi <balbi@kernel.org>,
Szymon Heidrich <szymon.heidrich@gmail.com>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 4.4 12/23] USB: gadget: bRequestType is a bitfield, not a enum
Date: Mon, 20 Dec 2021 15:34:13 +0100 [thread overview]
Message-ID: <20211220143018.254890645@linuxfoundation.org> (raw)
In-Reply-To: <20211220143017.842390782@linuxfoundation.org>
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit f08adf5add9a071160c68bb2a61d697f39ab0758 ]
Szymon rightly pointed out that the previous check for the endpoint
direction in bRequestType was not looking at only the bit involved, but
rather the whole value. Normally this is ok, but for some request
types, bits other than bit 8 could be set and the check for the endpoint
length could not stall correctly.
Fix that up by only checking the single bit.
Fixes: 153a2d7e3350 ("USB: gadget: detect too-big endpoint 0 requests")
Cc: Felipe Balbi <balbi@kernel.org>
Reported-by: Szymon Heidrich <szymon.heidrich@gmail.com>
Link: https://lore.kernel.org/r/20211214184621.385828-1-gregkh@linuxfoundation.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/gadget/composite.c | 6 +++---
drivers/usb/gadget/legacy/dbgp.c | 6 +++---
drivers/usb/gadget/legacy/inode.c | 6 +++---
3 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/drivers/usb/gadget/composite.c b/drivers/usb/gadget/composite.c
index 1f584d15a3ca4..580ba69f1e4a4 100644
--- a/drivers/usb/gadget/composite.c
+++ b/drivers/usb/gadget/composite.c
@@ -1485,14 +1485,14 @@ composite_setup(struct usb_gadget *gadget, const struct usb_ctrlrequest *ctrl)
u8 endp;
if (w_length > USB_COMP_EP0_BUFSIZ) {
- if (ctrl->bRequestType == USB_DIR_OUT) {
- goto done;
- } else {
+ if (ctrl->bRequestType & USB_DIR_IN) {
/* Cast away the const, we are going to overwrite on purpose. */
__le16 *temp = (__le16 *)&ctrl->wLength;
*temp = cpu_to_le16(USB_COMP_EP0_BUFSIZ);
w_length = USB_COMP_EP0_BUFSIZ;
+ } else {
+ goto done;
}
}
diff --git a/drivers/usb/gadget/legacy/dbgp.c b/drivers/usb/gadget/legacy/dbgp.c
index f1c5a22704b28..e8818ad973e4b 100644
--- a/drivers/usb/gadget/legacy/dbgp.c
+++ b/drivers/usb/gadget/legacy/dbgp.c
@@ -345,14 +345,14 @@ static int dbgp_setup(struct usb_gadget *gadget,
u16 len = 0;
if (length > DBGP_REQ_LEN) {
- if (ctrl->bRequestType == USB_DIR_OUT) {
- return err;
- } else {
+ if (ctrl->bRequestType & USB_DIR_IN) {
/* Cast away the const, we are going to overwrite on purpose. */
__le16 *temp = (__le16 *)&ctrl->wLength;
*temp = cpu_to_le16(DBGP_REQ_LEN);
length = DBGP_REQ_LEN;
+ } else {
+ return err;
}
}
diff --git a/drivers/usb/gadget/legacy/inode.c b/drivers/usb/gadget/legacy/inode.c
index af0b34763326d..f2b4fdd1f49d5 100644
--- a/drivers/usb/gadget/legacy/inode.c
+++ b/drivers/usb/gadget/legacy/inode.c
@@ -1335,14 +1335,14 @@ gadgetfs_setup (struct usb_gadget *gadget, const struct usb_ctrlrequest *ctrl)
u16 w_length = le16_to_cpu(ctrl->wLength);
if (w_length > RBUF_SIZE) {
- if (ctrl->bRequestType == USB_DIR_OUT) {
- return value;
- } else {
+ if (ctrl->bRequestType & USB_DIR_IN) {
/* Cast away the const, we are going to overwrite on purpose. */
__le16 *temp = (__le16 *)&ctrl->wLength;
*temp = cpu_to_le16(RBUF_SIZE);
w_length = RBUF_SIZE;
+ } else {
+ return value;
}
}
--
2.34.1
next prev parent reply other threads:[~2021-12-20 14:36 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-12-20 14:34 [PATCH 4.4 00/23] 4.4.296-rc1 review Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 4.4 01/23] nfc: fix segfault in nfc_genl_dump_devices_done Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 4.4 02/23] parisc/agp: Annotate parisc agp init functions with __init Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 4.4 03/23] i2c: rk3x: Handle a spurious start completion interrupt flag Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 4.4 04/23] net: netlink: af_netlink: Prevent empty skb by adding a check on len Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 4.4 05/23] hwmon: (dell-smm) Fix warning on /proc/i8k creation error Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 4.4 06/23] mac80211: send ADDBA requests using the tid/queue of the aggregation session Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 4.4 07/23] recordmcount.pl: look for jgnop instruction as well as bcrl on s390 Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 4.4 08/23] dm btree remove: fix use after free in rebalance_children() Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 4.4 09/23] nfsd: fix use-after-free due to delegation race Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 4.4 10/23] soc/tegra: fuse: Fix bitwise vs. logical OR warning Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 4.4 11/23] igbvf: fix double free in `igbvf_probe` Greg Kroah-Hartman
2021-12-20 14:34 ` Greg Kroah-Hartman [this message]
2021-12-20 14:34 ` [PATCH 4.4 13/23] PCI/MSI: Clear PCI_MSIX_FLAGS_MASKALL on error Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 4.4 14/23] USB: serial: option: add Telit FN990 compositions Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 4.4 15/23] timekeeping: Really make sure wall_to_monotonic isnt positive Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 4.4 16/23] net: systemport: Add global locking for descriptor lifecycle Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 4.4 17/23] net: lan78xx: Avoid unnecessary self assignment Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 4.4 18/23] ARM: 8805/2: remove unneeded naked function usage Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 4.4 19/23] Input: touchscreen - avoid bitwise vs logical OR warning Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 4.4 20/23] xen/blkfront: harden blkfront against event channel storms Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 4.4 21/23] xen/netfront: harden netfront " Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 4.4 22/23] xen/console: harden hvc_xen " Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 4.4 23/23] xen/netback: dont queue unlimited number of packages Greg Kroah-Hartman
2021-12-20 20:04 ` [PATCH 4.4 00/23] 4.4.296-rc1 review Pavel Machek
2021-12-20 23:19 ` Shuah Khan
2021-12-21 17:34 ` Naresh Kamboju
2021-12-21 23:11 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20211220143018.254890645@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=balbi@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
--cc=szymon.heidrich@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox