[thirdparty/kernel/stable-queue.git] / queue-5.10 / usb-gadget-f_fs-fix-a-race-condition-when-processing-setup-packets.patch

From 0aea736ddb877b93f6d2dd8cf439840d6b4970a9 Mon Sep 17 00:00:00 2001
From: Chris Wulff <Chris.Wulff@biamp.com>
Date: Tue, 23 Apr 2024 18:02:15 +0000
Subject: usb: gadget: f_fs: Fix a race condition when processing setup packets.

From: Chris Wulff <Chris.Wulff@biamp.com>

commit 0aea736ddb877b93f6d2dd8cf439840d6b4970a9 upstream.

If the USB driver passes a pointer into the TRB buffer for creq, this
buffer can be overwritten with the status response as soon as the event
is queued. This can make the final check return USB_GADGET_DELAYED_STATUS
when it shouldn't. Instead use the stored wLength.

Fixes: 4d644abf2569 ("usb: gadget: f_fs: Only return delayed status when len is 0")
Cc: stable <stable@kernel.org>
Signed-off-by: Chris Wulff <chris.wulff@biamp.com>
Link: https://lore.kernel.org/r/CO1PR17MB5419BD664264A558B2395E28E1112@CO1PR17MB5419.namprd17.prod.outlook.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/gadget/function/f_fs.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/usb/gadget/function/f_fs.c
+++ b/drivers/usb/gadget/function/f_fs.c
@@ -3403,7 +3403,7 @@ static int ffs_func_setup(struct usb_fun
 	__ffs_event_add(ffs, FUNCTIONFS_SETUP);
 	spin_unlock_irqrestore(&ffs->ev.waitq.lock, flags);
 
-	return creq->wLength == 0 ? USB_GADGET_DELAYED_STATUS : 0;
+	return ffs->ev.setup.wLength == 0 ? USB_GADGET_DELAYED_STATUS : 0;
 }
 
 static bool ffs_func_req_match(struct usb_function *f,
Commit	Line	Data
47011521 GKH	1	From 0aea736ddb877b93f6d2dd8cf439840d6b4970a9 Mon Sep 17 00:00:00 2001
	2	From: Chris Wulff <Chris.Wulff@biamp.com>
	3	Date: Tue, 23 Apr 2024 18:02:15 +0000
	4	Subject: usb: gadget: f_fs: Fix a race condition when processing setup packets.
	5
	6	From: Chris Wulff <Chris.Wulff@biamp.com>
	7
	8	commit 0aea736ddb877b93f6d2dd8cf439840d6b4970a9 upstream.
	9
	10	If the USB driver passes a pointer into the TRB buffer for creq, this
	11	buffer can be overwritten with the status response as soon as the event
	12	is queued. This can make the final check return USB_GADGET_DELAYED_STATUS
	13	when it shouldn't. Instead use the stored wLength.
	14
	15	Fixes: 4d644abf2569 ("usb: gadget: f_fs: Only return delayed status when len is 0")
	16	Cc: stable <stable@kernel.org>
	17	Signed-off-by: Chris Wulff <chris.wulff@biamp.com>
	18	Link: https://lore.kernel.org/r/CO1PR17MB5419BD664264A558B2395E28E1112@CO1PR17MB5419.namprd17.prod.outlook.com
	19	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	20	---
	21	drivers/usb/gadget/function/f_fs.c \| 2 +-
	22	1 file changed, 1 insertion(+), 1 deletion(-)
	23
	24	--- a/drivers/usb/gadget/function/f_fs.c
	25	+++ b/drivers/usb/gadget/function/f_fs.c
	26	@@ -3403,7 +3403,7 @@ static int ffs_func_setup(struct usb_fun
	27	__ffs_event_add(ffs, FUNCTIONFS_SETUP);
	28	spin_unlock_irqrestore(&ffs->ev.waitq.lock, flags);
	29
	30	- return creq->wLength == 0 ? USB_GADGET_DELAYED_STATUS : 0;
	31	+ return ffs->ev.setup.wLength == 0 ? USB_GADGET_DELAYED_STATUS : 0;
	32	}
	33
	34	static bool ffs_func_req_match(struct usb_function *f,