From: Greg Kroah-Hartman Date: Mon, 13 May 2024 13:26:49 +0000 (+0200) Subject: 5.4-stable patches X-Git-Tag: v4.19.314~57 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0d35d4598271c13ad12e7f6912059984221e23cd;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: usb-gadget-composite-fix-os-descriptors-w_value-logic.patch usb-gadget-f_fs-fix-a-race-condition-when-processing-setup-packets.patch
---
diff --git a/queue-5.4/series b/queue-5.4/series
index d1cc345cef4..77e7d123a04 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -74,3 +74,5 @@ ipv6-fib6_rules-avoid-possible-null-dereference-in-f.patch
 net-qede-sanitize-rc-in-qede_add_tc_flower_fltr.patch
 net-qede-use-return-from-qede_parse_flow_attr-for-fl.patch-6660
 firewire-nosy-ensure-user_length-is-taken-into-account-when-fetching-packet-contents.patch
+usb-gadget-composite-fix-os-descriptors-w_value-logic.patch
+usb-gadget-f_fs-fix-a-race-condition-when-processing-setup-packets.patch
diff --git a/queue-5.4/usb-gadget-composite-fix-os-descriptors-w_value-logic.patch b/queue-5.4/usb-gadget-composite-fix-os-descriptors-w_value-logic.patch
new file mode 100644
index 00000000000..e49f4a910c5
--- /dev/null
+++ b/queue-5.4/usb-gadget-composite-fix-os-descriptors-w_value-logic.patch
@@ -0,0 +1,78 @@
+From ec6ce7075ef879b91a8710829016005dc8170f17 Mon Sep 17 00:00:00 2001
+From: Peter Korsgaard
+Date: Thu, 4 Apr 2024 12:06:35 +0200
+Subject: usb: gadget: composite: fix OS descriptors w_value logic
+
+From: Peter Korsgaard
+
+commit ec6ce7075ef879b91a8710829016005dc8170f17 upstream.
+
+The OS descriptors logic had the high/low byte of w_value inverted, causing
+the extended properties to not be accessible for interface != 0.
+
+>From the Microsoft documentation:
+https://learn.microsoft.com/en-us/windows-hardware/drivers/usbcon/microsoft-os-1-0-descriptors-specification
+
+OS_Desc_CompatID.doc (w_index = 0x4):
+
+- wValue:
+
+ High Byte = InterfaceNumber. InterfaceNumber is set to the number of the
+ interface or function that is associated with the descriptor, typically
+ 0x00. Because a device can have only one extended compat ID descriptor,
+ it should ignore InterfaceNumber, regardless of the value, and simply
+ return the descriptor.
+
+ Low Byte = 0. PageNumber is used to retrieve descriptors that are larger
+ than 64 KB. The header section is 16 bytes, so PageNumber is set to 0 for
+ this request.
+
+We currently do not support >64KB compat ID descriptors, so verify that the
+low byte is 0.
+
+OS_Desc_Ext_Prop.doc (w_index = 0x5):
+
+- wValue:
+
+ High byte = InterfaceNumber. The high byte of wValue is set to the number
+ of the interface or function that is associated with the descriptor.
+
+ Low byte = PageNumber. The low byte of wValue is used to retrieve
+ descriptors that are larger than 64 KB. The header section is 10 bytes, so
+ PageNumber is set to 0 for this request.
+
+We also don't support >64KB extended properties, so verify that the low byte
+is 0 and use the high byte for the interface number.
+
+Fixes: 37a3a533429e ("usb: gadget: OS Feature Descriptors support")
+Cc: stable
+Signed-off-by: Peter Korsgaard
+Link: https://lore.kernel.org/r/20240404100635.3215340-1-peter@korsgaard.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/gadget/composite.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/gadget/composite.c
++++ b/drivers/usb/gadget/composite.c
+@@ -1925,7 +1925,7 @@ unknown:
+ buf[5] = 0x01;
+ switch (ctrl->bRequestType & USB_RECIP_MASK) {
+ case USB_RECIP_DEVICE:
+- if (w_index != 0x4 || (w_value >> 8))
++ if (w_index != 0x4 || (w_value & 0xff))
+ break;
+ buf[6] = w_index;
+ /* Number of ext compat interfaces */
+@@ -1941,9 +1941,9 @@ unknown:
+ }
+ break;
+ case USB_RECIP_INTERFACE:
+- if (w_index != 0x5 || (w_value >> 8))
++ if (w_index != 0x5 || (w_value & 0xff))
+ break;
+- interface = w_value & 0xFF;
++ interface = w_value >> 8;
+ if (interface >= MAX_CONFIG_INTERFACES ||
+ !os_desc_cfg->interface[interface])
+ break;
diff --git a/queue-5.4/usb-gadget-f_fs-fix-a-race-condition-when-processing-setup-packets.patch b/queue-5.4/usb-gadget-f_fs-fix-a-race-condition-when-processing-setup-packets.patch
new file mode 100644
index 00000000000..49cf66011f1
--- /dev/null
+++ b/queue-5.4/usb-gadget-f_fs-fix-a-race-condition-when-processing-setup-packets.patch
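Review bot: The `USB_RECIP_INTERFACE` case in the queued composite.c change uses `w_value >> 8` as the index into `os_desc_cfg->interface[]`, and the code carries no comment recording the wValue layout that the commit message quotes from the Microsoft specification. The value appears to come from the host's setup request, so the `interface >= MAX_CONFIG_INTERFACES` test that follows is what keeps the lookup in range; the declaration of `interface` is outside the hunk and is worth confirming as a type that holds 0..255 without going negative. I would add above both tests a comment such as `/* wValue: high byte = interface number, low byte = page number, must be 0 */`, so the byte order can be checked against the code rather than the changelog. The enclosing switch begins and ends outside the hunk.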
@@ -0,0 +1,34 @@
+From 0aea736ddb877b93f6d2dd8cf439840d6b4970a9 Mon Sep 17 00:00:00 2001
+From: Chris Wulff
+Date: Tue, 23 Apr 2024 18:02:15 +0000
+Subject: usb: gadget: f_fs: Fix a race condition when processing setup packets.
+
+From: Chris Wulff
+
+commit 0aea736ddb877b93f6d2dd8cf439840d6b4970a9 upstream.
+
+If the USB driver passes a pointer into the TRB buffer for creq, this
+buffer can be overwritten with the status response as soon as the event
+is queued. This can make the final check return USB_GADGET_DELAYED_STATUS
+when it shouldn't. Instead use the stored wLength.
+
+Fixes: 4d644abf2569 ("usb: gadget: f_fs: Only return delayed status when len is 0")
+Cc: stable
+Signed-off-by: Chris Wulff
+Link: https://lore.kernel.org/r/CO1PR17MB5419BD664264A558B2395E28E1112@CO1PR17MB5419.namprd17.prod.outlook.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/gadget/function/f_fs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/gadget/function/f_fs.c
++++ b/drivers/usb/gadget/function/f_fs.c
+@@ -3422,7 +3422,7 @@ static int ffs_func_setup(struct usb_fun
+ __ffs_event_add(ffs, FUNCTIONFS_SETUP);
+ spin_unlock_irqrestore(&ffs->ev.waitq.lock, flags);
+
+- return creq->wLength == 0 ? USB_GADGET_DELAYED_STATUS : 0;
++ return ffs->ev.setup.wLength == 0 ? USB_GADGET_DELAYED_STATUS : 0;
+ }
+
+ static bool ffs_func_req_match(struct usb_function *f,
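Review bot: The new return expression in `ffs_func_setup` reads `ffs->ev.setup.wLength` after `spin_unlock_irqrestore(&ffs->ev.waitq.lock, flags)`, so the stored setup packet is inspected outside the lock that is held around `__ffs_event_add`. If that lock is also what protects `ffs->ev.setup` (the store is outside the hunk, so this is inferred), the decision is better taken from a local captured while the lock is held: `delayed = ffs->ev.setup.wLength == 0;` before the unlock, then `return delayed ? USB_GADGET_DELAYED_STATUS : 0;`. A one-line comment saying that `creq` may point into a buffer the controller reuses once the event is queued would keep a later cleanup from switching back to `creq->wLength`. The function body starts above the hunk.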