Fixes for 4.19

Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/queue-4.19/series b/queue-4.19/series
index d0c48c7a03824ca1d62b6c4356dda8184233c8e2..48d1c2efa26ccc8ea3c86707d1843f59627a6cb8 100644 (file)
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -27,3 +27,4 @@ ixgbe-set-x550-mdio-speed-before-talking-to-phy.patch
 netdevsim-zero-initialize-memory-for-new-map-s-value.patch
 net-packet-rx_owner_map-depends-on-pg_vec.patch
 sit-do-not-call-ipip6_dev_free-from-sit_init_net.patch
+usb-gadget-brequesttype-is-a-bitfield-not-a-enum.patch

diff --git a/queue-4.19/usb-gadget-brequesttype-is-a-bitfield-not-a-enum.patch b/queue-4.19/usb-gadget-brequesttype-is-a-bitfield-not-a-enum.patch
new file mode 100644 (file)
index 0000000..7765a68
--- /dev/null
+++ b/queue-4.19/usb-gadget-brequesttype-is-a-bitfield-not-a-enum.patch
@@ -0,0 +1,98 @@
+From 24c97e1f1d343139e60b14aaeb686f227b3d157c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Dec 2021 19:46:21 +0100
+Subject: USB: gadget: bRequestType is a bitfield, not a enum
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+[ Upstream commit f08adf5add9a071160c68bb2a61d697f39ab0758 ]
+
+Szymon rightly pointed out that the previous check for the endpoint
+direction in bRequestType was not looking at only the bit involved, but
+rather the whole value.  Normally this is ok, but for some request
+types, bits other than bit 8 could be set and the check for the endpoint
+length could not stall correctly.
+
+Fix that up by only checking the single bit.
+
+Fixes: 153a2d7e3350 ("USB: gadget: detect too-big endpoint 0 requests")
+Cc: Felipe Balbi <balbi@kernel.org>
+Reported-by: Szymon Heidrich <szymon.heidrich@gmail.com>
+Link: https://lore.kernel.org/r/20211214184621.385828-1-gregkh@linuxfoundation.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/composite.c    | 6 +++---
+ drivers/usb/gadget/legacy/dbgp.c  | 6 +++---
+ drivers/usb/gadget/legacy/inode.c | 6 +++---
+ 3 files changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/usb/gadget/composite.c b/drivers/usb/gadget/composite.c
+index 99550c9eb33ed..748f8fede5c23 100644
+--- a/drivers/usb/gadget/composite.c
++++ b/drivers/usb/gadget/composite.c
+@@ -1635,14 +1635,14 @@ composite_setup(struct usb_gadget *gadget, const struct usb_ctrlrequest *ctrl)
+       u8                              endp;
+ 
+       if (w_length > USB_COMP_EP0_BUFSIZ) {
+-              if (ctrl->bRequestType == USB_DIR_OUT) {
+-                      goto done;
+-              } else {
++              if (ctrl->bRequestType & USB_DIR_IN) {
+                       /* Cast away the const, we are going to overwrite on purpose. */
+                       __le16 *temp = (__le16 *)&ctrl->wLength;
+ 
+                       *temp = cpu_to_le16(USB_COMP_EP0_BUFSIZ);
+                       w_length = USB_COMP_EP0_BUFSIZ;
++              } else {
++                      goto done;
+               }
+       }
+ 
+diff --git a/drivers/usb/gadget/legacy/dbgp.c b/drivers/usb/gadget/legacy/dbgp.c
+index 355bc7dab9d5f..6bcbad3825802 100644
+--- a/drivers/usb/gadget/legacy/dbgp.c
++++ b/drivers/usb/gadget/legacy/dbgp.c
+@@ -346,14 +346,14 @@ static int dbgp_setup(struct usb_gadget *gadget,
+       u16 len = 0;
+ 
+       if (length > DBGP_REQ_LEN) {
+-              if (ctrl->bRequestType == USB_DIR_OUT) {
+-                      return err;
+-              } else {
++              if (ctrl->bRequestType & USB_DIR_IN) {
+                       /* Cast away the const, we are going to overwrite on purpose. */
+                       __le16 *temp = (__le16 *)&ctrl->wLength;
+ 
+                       *temp = cpu_to_le16(DBGP_REQ_LEN);
+                       length = DBGP_REQ_LEN;
++              } else {
++                      return err;
+               }
+       }
+ 
+diff --git a/drivers/usb/gadget/legacy/inode.c b/drivers/usb/gadget/legacy/inode.c
+index 848562222015d..a456267b6b784 100644
+--- a/drivers/usb/gadget/legacy/inode.c
++++ b/drivers/usb/gadget/legacy/inode.c
+@@ -1335,14 +1335,14 @@ gadgetfs_setup (struct usb_gadget *gadget, const struct usb_ctrlrequest *ctrl)
+       u16                             w_length = le16_to_cpu(ctrl->wLength);
+ 
+       if (w_length > RBUF_SIZE) {
+-              if (ctrl->bRequestType == USB_DIR_OUT) {
+-                      return value;
+-              } else {
++              if (ctrl->bRequestType & USB_DIR_IN) {
+                       /* Cast away the const, we are going to overwrite on purpose. */
+                       __le16 *temp = (__le16 *)&ctrl->wLength;
+ 
+                       *temp = cpu_to_le16(RBUF_SIZE);
+                       w_length = RBUF_SIZE;
++              } else {
++                      return value;
+               }
+       }
+ 
+-- 
+2.34.1
+