Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 52c0273c authored Dec 14, 2021 by Greg Kroah-Hartman Committed by Greg Kroah-Hartman Dec 15, 2021

FROMGIT: USB: gadget: bRequestType is a bitfield, not a enum



Szymon rightly pointed out that the previous check for the endpoint
direction in bRequestType was not looking at only the bit involved, but
rather the whole value.  Normally this is ok, but for some request
types, bits other than bit 8 could be set and the check for the endpoint
length could not stall correctly.

Fix that up by only checking the single bit.

Fixes: 153a2d7e3350 ("USB: gadget: detect too-big endpoint 0 requests")
Cc: Felipe Balbi <balbi@kernel.org>
Reported-by: Szymon Heidrich <szymon.heidrich@gmail.com>
Link: https://lore.kernel.org/r/20211214184621.385828-1-gregkh@linuxfoundation.org


Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit f08adf5add9a071160c68bb2a61d697f39ab0758
 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git

 usb-linus)
Bug: 210292376
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I7e708b2b94433009c87f697346e0515d93454f48

parent 060bbd53

drivers/usb/gadget/composite.c

+3 −3

Original line number	Original line	Diff line number	Diff line
	@@ -1632,14 +1632,14 @@ composite_setup(struct usb_gadget gadget, const struct usb_ctrlrequest ctrl)
	u8 endp;		u8 endp;

	if (w_length > USB_COMP_EP0_BUFSIZ) {		if (w_length > USB_COMP_EP0_BUFSIZ) {
	if (ctrl->bRequestType == USB_DIR_OUT) {		if (ctrl->bRequestType & USB_DIR_IN) {
	goto done;
	} else {
	/* Cast away the const, we are going to overwrite on purpose. */		/* Cast away the const, we are going to overwrite on purpose. */
	__le16 temp = (__le16 )&ctrl->wLength;		__le16 temp = (__le16 )&ctrl->wLength;

	*temp = cpu_to_le16(USB_COMP_EP0_BUFSIZ);		*temp = cpu_to_le16(USB_COMP_EP0_BUFSIZ);
	w_length = USB_COMP_EP0_BUFSIZ;		w_length = USB_COMP_EP0_BUFSIZ;
			} else {
			goto done;
	}		}
	}		}

drivers/usb/gadget/legacy/dbgp.c

+3 −3

Original line number	Original line	Diff line number	Diff line
	@@ -345,14 +345,14 @@ static int dbgp_setup(struct usb_gadget *gadget,
	u16 len = 0;		u16 len = 0;

	if (length > DBGP_REQ_LEN) {		if (length > DBGP_REQ_LEN) {
	if (ctrl->bRequestType == USB_DIR_OUT) {		if (ctrl->bRequestType & USB_DIR_IN) {
	return err;
	} else {
	/* Cast away the const, we are going to overwrite on purpose. */		/* Cast away the const, we are going to overwrite on purpose. */
	__le16 temp = (__le16 )&ctrl->wLength;		__le16 temp = (__le16 )&ctrl->wLength;

	*temp = cpu_to_le16(DBGP_REQ_LEN);		*temp = cpu_to_le16(DBGP_REQ_LEN);
	length = DBGP_REQ_LEN;		length = DBGP_REQ_LEN;
			} else {
			return err;
	}		}
	}		}

drivers/usb/gadget/legacy/inode.c

+3 −3

Original line number	Original line	Diff line number	Diff line
	@@ -1339,14 +1339,14 @@ gadgetfs_setup (struct usb_gadget gadget, const struct usb_ctrlrequest ctrl)
	u16 w_length = le16_to_cpu(ctrl->wLength);		u16 w_length = le16_to_cpu(ctrl->wLength);

	if (w_length > RBUF_SIZE) {		if (w_length > RBUF_SIZE) {
	if (ctrl->bRequestType == USB_DIR_OUT) {		if (ctrl->bRequestType & USB_DIR_IN) {
	return value;
	} else {
	/* Cast away the const, we are going to overwrite on purpose. */		/* Cast away the const, we are going to overwrite on purpose. */
	__le16 temp = (__le16 )&ctrl->wLength;		__le16 temp = (__le16 )&ctrl->wLength;

	*temp = cpu_to_le16(RBUF_SIZE);		*temp = cpu_to_le16(RBUF_SIZE);
	w_length = RBUF_SIZE;		w_length = RBUF_SIZE;
			} else {
			return value;
	}		}
	}		}