Fixes for 4.9

Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/queue-4.9/series b/queue-4.9/series
index 7e14415e9cc3c182df9b0f3b3d787cbdff859616..7c092aa12d6ca55afc46fbc9d1b738a6beb1d383 100644 (file)
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -12,3 +12,4 @@ nfsd-fix-use-after-free-due-to-delegation-race.patch
 soc-tegra-fuse-fix-bitwise-vs.-logical-or-warning.patch
 igbvf-fix-double-free-in-igbvf_probe.patch
 ixgbe-set-x550-mdio-speed-before-talking-to-phy.patch
+usb-gadget-brequesttype-is-a-bitfield-not-a-enum.patch

diff --git a/queue-4.9/usb-gadget-brequesttype-is-a-bitfield-not-a-enum.patch b/queue-4.9/usb-gadget-brequesttype-is-a-bitfield-not-a-enum.patch
new file mode 100644 (file)
index 0000000..0bfc291
--- /dev/null
+++ b/queue-4.9/usb-gadget-brequesttype-is-a-bitfield-not-a-enum.patch
@@ -0,0 +1,98 @@
+From ffcea51c374f5348dabff79e22e09e2b8673f5e4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Dec 2021 19:46:21 +0100
+Subject: USB: gadget: bRequestType is a bitfield, not a enum
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+[ Upstream commit f08adf5add9a071160c68bb2a61d697f39ab0758 ]
+
+Szymon rightly pointed out that the previous check for the endpoint
+direction in bRequestType was not looking at only the bit involved, but
+rather the whole value.  Normally this is ok, but for some request
+types, bits other than bit 8 could be set and the check for the endpoint
+length could not stall correctly.
+
+Fix that up by only checking the single bit.
+
+Fixes: 153a2d7e3350 ("USB: gadget: detect too-big endpoint 0 requests")
+Cc: Felipe Balbi <balbi@kernel.org>
+Reported-by: Szymon Heidrich <szymon.heidrich@gmail.com>
+Link: https://lore.kernel.org/r/20211214184621.385828-1-gregkh@linuxfoundation.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/composite.c    | 6 +++---
+ drivers/usb/gadget/legacy/dbgp.c  | 6 +++---
+ drivers/usb/gadget/legacy/inode.c | 6 +++---
+ 3 files changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/usb/gadget/composite.c b/drivers/usb/gadget/composite.c
+index 3d14a316830a6..a7c44a3cb2d25 100644
+--- a/drivers/usb/gadget/composite.c
++++ b/drivers/usb/gadget/composite.c
+@@ -1632,14 +1632,14 @@ composite_setup(struct usb_gadget *gadget, const struct usb_ctrlrequest *ctrl)
+       u8                              endp;
+ 
+       if (w_length > USB_COMP_EP0_BUFSIZ) {
+-              if (ctrl->bRequestType == USB_DIR_OUT) {
+-                      goto done;
+-              } else {
++              if (ctrl->bRequestType & USB_DIR_IN) {
+                       /* Cast away the const, we are going to overwrite on purpose. */
+                       __le16 *temp = (__le16 *)&ctrl->wLength;
+ 
+                       *temp = cpu_to_le16(USB_COMP_EP0_BUFSIZ);
+                       w_length = USB_COMP_EP0_BUFSIZ;
++              } else {
++                      goto done;
+               }
+       }
+ 
+diff --git a/drivers/usb/gadget/legacy/dbgp.c b/drivers/usb/gadget/legacy/dbgp.c
+index f1c5a22704b28..e8818ad973e4b 100644
+--- a/drivers/usb/gadget/legacy/dbgp.c
++++ b/drivers/usb/gadget/legacy/dbgp.c
+@@ -345,14 +345,14 @@ static int dbgp_setup(struct usb_gadget *gadget,
+       u16 len = 0;
+ 
+       if (length > DBGP_REQ_LEN) {
+-              if (ctrl->bRequestType == USB_DIR_OUT) {
+-                      return err;
+-              } else {
++              if (ctrl->bRequestType & USB_DIR_IN) {
+                       /* Cast away the const, we are going to overwrite on purpose. */
+                       __le16 *temp = (__le16 *)&ctrl->wLength;
+ 
+                       *temp = cpu_to_le16(DBGP_REQ_LEN);
+                       length = DBGP_REQ_LEN;
++              } else {
++                      return err;
+               }
+       }
+ 
+diff --git a/drivers/usb/gadget/legacy/inode.c b/drivers/usb/gadget/legacy/inode.c
+index d39bd1a1ab8fc..19eb954a7afa3 100644
+--- a/drivers/usb/gadget/legacy/inode.c
++++ b/drivers/usb/gadget/legacy/inode.c
+@@ -1339,14 +1339,14 @@ gadgetfs_setup (struct usb_gadget *gadget, const struct usb_ctrlrequest *ctrl)
+       u16                             w_length = le16_to_cpu(ctrl->wLength);
+ 
+       if (w_length > RBUF_SIZE) {
+-              if (ctrl->bRequestType == USB_DIR_OUT) {
+-                      return value;
+-              } else {
++              if (ctrl->bRequestType & USB_DIR_IN) {
+                       /* Cast away the const, we are going to overwrite on purpose. */
+                       __le16 *temp = (__le16 *)&ctrl->wLength;
+ 
+                       *temp = cpu_to_le16(RBUF_SIZE);
+                       w_length = RBUF_SIZE;
++              } else {
++                      return value;
+               }
+       }
+ 
+-- 
+2.34.1
+