From: Sasha Levin Date: Mon, 20 Dec 2021 02:48:17 +0000 (-0500) Subject: Fixes for 4.19 X-Git-Tag: v4.4.296~46 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=612d0fafdc3e23c28866532f20f2bd993177834c;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.19 Signed-off-by: Sasha Levin --- diff --git a/queue-4.19/series b/queue-4.19/series index d0c48c7a038..48d1c2efa26 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -27,3 +27,4 @@ ixgbe-set-x550-mdio-speed-before-talking-to-phy.patch netdevsim-zero-initialize-memory-for-new-map-s-value.patch net-packet-rx_owner_map-depends-on-pg_vec.patch sit-do-not-call-ipip6_dev_free-from-sit_init_net.patch +usb-gadget-brequesttype-is-a-bitfield-not-a-enum.patch diff --git a/queue-4.19/usb-gadget-brequesttype-is-a-bitfield-not-a-enum.patch b/queue-4.19/usb-gadget-brequesttype-is-a-bitfield-not-a-enum.patch new file mode 100644 index 00000000000..7765a689972 --- /dev/null +++ b/queue-4.19/usb-gadget-brequesttype-is-a-bitfield-not-a-enum.patch @@ -0,0 +1,98 @@ +From 24c97e1f1d343139e60b14aaeb686f227b3d157c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Dec 2021 19:46:21 +0100 +Subject: USB: gadget: bRequestType is a bitfield, not a enum + +From: Greg Kroah-Hartman + +[ Upstream commit f08adf5add9a071160c68bb2a61d697f39ab0758 ] + +Szymon rightly pointed out that the previous check for the endpoint +direction in bRequestType was not looking at only the bit involved, but +rather the whole value. Normally this is ok, but for some request +types, bits other than bit 8 could be set and the check for the endpoint +length could not stall correctly. + +Fix that up by only checking the single bit. + +Fixes: 153a2d7e3350 ("USB: gadget: detect too-big endpoint 0 requests") +Cc: Felipe Balbi +Reported-by: Szymon Heidrich +Link: https://lore.kernel.org/r/20211214184621.385828-1-gregkh@linuxfoundation.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/composite.c | 6 +++--- + drivers/usb/gadget/legacy/dbgp.c | 6 +++--- + drivers/usb/gadget/legacy/inode.c | 6 +++--- + 3 files changed, 9 insertions(+), 9 deletions(-) + +diff --git a/drivers/usb/gadget/composite.c b/drivers/usb/gadget/composite.c +index 99550c9eb33ed..748f8fede5c23 100644 +--- a/drivers/usb/gadget/composite.c ++++ b/drivers/usb/gadget/composite.c +@@ -1635,14 +1635,14 @@ composite_setup(struct usb_gadget *gadget, const struct usb_ctrlrequest *ctrl) + u8 endp; + + if (w_length > USB_COMP_EP0_BUFSIZ) { +- if (ctrl->bRequestType == USB_DIR_OUT) { +- goto done; +- } else { ++ if (ctrl->bRequestType & USB_DIR_IN) { + /* Cast away the const, we are going to overwrite on purpose. */ + __le16 *temp = (__le16 *)&ctrl->wLength; + + *temp = cpu_to_le16(USB_COMP_EP0_BUFSIZ); + w_length = USB_COMP_EP0_BUFSIZ; ++ } else { ++ goto done; + } + } + +diff --git a/drivers/usb/gadget/legacy/dbgp.c b/drivers/usb/gadget/legacy/dbgp.c +index 355bc7dab9d5f..6bcbad3825802 100644 +--- a/drivers/usb/gadget/legacy/dbgp.c ++++ b/drivers/usb/gadget/legacy/dbgp.c +@@ -346,14 +346,14 @@ static int dbgp_setup(struct usb_gadget *gadget, + u16 len = 0; + + if (length > DBGP_REQ_LEN) { +- if (ctrl->bRequestType == USB_DIR_OUT) { +- return err; +- } else { ++ if (ctrl->bRequestType & USB_DIR_IN) { + /* Cast away the const, we are going to overwrite on purpose. */ + __le16 *temp = (__le16 *)&ctrl->wLength; + + *temp = cpu_to_le16(DBGP_REQ_LEN); + length = DBGP_REQ_LEN; ++ } else { ++ return err; + } + } + +diff --git a/drivers/usb/gadget/legacy/inode.c b/drivers/usb/gadget/legacy/inode.c +index 848562222015d..a456267b6b784 100644 +--- a/drivers/usb/gadget/legacy/inode.c ++++ b/drivers/usb/gadget/legacy/inode.c +@@ -1335,14 +1335,14 @@ gadgetfs_setup (struct usb_gadget *gadget, const struct usb_ctrlrequest *ctrl) + u16 w_length = le16_to_cpu(ctrl->wLength); + + if (w_length > RBUF_SIZE) { +- if (ctrl->bRequestType == USB_DIR_OUT) { +- return value; +- } else { ++ if (ctrl->bRequestType & USB_DIR_IN) { + /* Cast away the const, we are going to overwrite on purpose. */ + __le16 *temp = (__le16 *)&ctrl->wLength; + + *temp = cpu_to_le16(RBUF_SIZE); + w_length = RBUF_SIZE; ++ } else { ++ return value; + } + } + +-- +2.34.1 +