From d252f04bc02c83d6aacbd19ee84025b8e2bfda0b Mon Sep 17 00:00:00 2001
From: Sasha Levin
Date: Sun, 19 Dec 2021 21:48:16 -0500
Subject: [PATCH] Fixes for 5.4
Signed-off-by: Sasha Levin
---
 queue-5.4/series | 1 +
 ...requesttype-is-a-bitfield-not-a-enum.patch | 98 +++++++++++++++++++
 2 files changed, 99 insertions(+)
 create mode 100644 queue-5.4/usb-gadget-brequesttype-is-a-bitfield-not-a-enum.patch
diff --git a/queue-5.4/series b/queue-5.4/series
index 88bb543cc8a..386f137ce23 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -41,3 +41,4 @@ net-fix-double-0x-prefix-print-in-skb-dump.patch
 net-smc-prevent-smc_release-from-long-blocking.patch
 net-systemport-add-global-locking-for-descriptor-lif.patch
 sit-do-not-call-ipip6_dev_free-from-sit_init_net.patch
+usb-gadget-brequesttype-is-a-bitfield-not-a-enum.patch
diff --git a/queue-5.4/usb-gadget-brequesttype-is-a-bitfield-not-a-enum.patch b/queue-5.4/usb-gadget-brequesttype-is-a-bitfield-not-a-enum.patch
new file mode 100644
index 00000000000..5ed7090e411
--- /dev/null
+++ b/queue-5.4/usb-gadget-brequesttype-is-a-bitfield-not-a-enum.patch
@@ -0,0 +1,98 @@
+From d748c34f9993e6cf8f86d2658e467cd2c2e863db Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 14 Dec 2021 19:46:21 +0100
+Subject: USB: gadget: bRequestType is a bitfield, not a enum
+
+From: Greg Kroah-Hartman
+
+[ Upstream commit f08adf5add9a071160c68bb2a61d697f39ab0758 ]
+
+Szymon rightly pointed out that the previous check for the endpoint
+direction in bRequestType was not looking at only the bit involved, but
+rather the whole value. Normally this is ok, but for some request
+types, bits other than bit 8 could be set and the check for the endpoint
+length could not stall correctly.
+
+Fix that up by only checking the single bit.
+
+Fixes: 153a2d7e3350 ("USB: gadget: detect too-big endpoint 0 requests")
+Cc: Felipe Balbi
+Reported-by: Szymon Heidrich
+Link: https://lore.kernel.org/r/20211214184621.385828-1-gregkh@linuxfoundation.org
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/usb/gadget/composite.c | 6 +++---
+ drivers/usb/gadget/legacy/dbgp.c | 6 +++---
+ drivers/usb/gadget/legacy/inode.c | 6 +++---
+ 3 files changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/usb/gadget/composite.c b/drivers/usb/gadget/composite.c
+index d2980e30f3417..c5acf5c39fb18 100644
+--- a/drivers/usb/gadget/composite.c
++++ b/drivers/usb/gadget/composite.c
+@@ -1649,14 +1649,14 @@ composite_setup(struct usb_gadget *gadget, const struct usb_ctrlrequest *ctrl)
+ u8 endp;
+
+ if (w_length > USB_COMP_EP0_BUFSIZ) {
+- if (ctrl->bRequestType == USB_DIR_OUT) {
+- goto done;
+- } else {
++ if (ctrl->bRequestType & USB_DIR_IN) {
+ /* Cast away the const, we are going to overwrite on purpose. */
+ __le16 *temp = (__le16 *)&ctrl->wLength;
+
+ *temp = cpu_to_le16(USB_COMP_EP0_BUFSIZ);
+ w_length = USB_COMP_EP0_BUFSIZ;
++ } else {
++ goto done;
+ }
+ }
+
+diff --git a/drivers/usb/gadget/legacy/dbgp.c b/drivers/usb/gadget/legacy/dbgp.c
+index 355bc7dab9d5f..6bcbad3825802 100644
+--- a/drivers/usb/gadget/legacy/dbgp.c
++++ b/drivers/usb/gadget/legacy/dbgp.c
+@@ -346,14 +346,14 @@ static int dbgp_setup(struct usb_gadget *gadget,
+ u16 len = 0;
+
+ if (length > DBGP_REQ_LEN) {
+- if (ctrl->bRequestType == USB_DIR_OUT) {
+- return err;
+- } else {
++ if (ctrl->bRequestType & USB_DIR_IN) {
+ /* Cast away the const, we are going to overwrite on purpose. */
+ __le16 *temp = (__le16 *)&ctrl->wLength;
+
+ *temp = cpu_to_le16(DBGP_REQ_LEN);
+ length = DBGP_REQ_LEN;
++ } else {
++ return err;
+ }
+ }
+
+diff --git a/drivers/usb/gadget/legacy/inode.c b/drivers/usb/gadget/legacy/inode.c
+index f0aff79f544c3..5f1e15172403e 100644
+--- a/drivers/usb/gadget/legacy/inode.c
++++ b/drivers/usb/gadget/legacy/inode.c
+@@ -1336,14 +1336,14 @@ gadgetfs_setup (struct usb_gadget *gadget, const struct usb_ctrlrequest *ctrl)
+ u16 w_length = le16_to_cpu(ctrl->wLength);
+
+ if (w_length > RBUF_SIZE) {
+- if (ctrl->bRequestType == USB_DIR_OUT) {
+- return value;
+- } else {
++ if (ctrl->bRequestType & USB_DIR_IN) {
+ /* Cast away the const, we are going to overwrite on purpose. */
+ __le16 *temp = (__le16 *)&ctrl->wLength;
+
+ *temp = cpu_to_le16(RBUF_SIZE);
+ w_length = RBUF_SIZE;
++ } else {
++ return value;
+ }
+ }
+
+-- 
+2.34.1
+
-- 
2.47.3
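Review bot: The new `else` branches (`goto done;` in composite_setup, `return err;` in dbgp_setup, `return value;` in gadgetfs_setup) refuse an oversized OUT request only if the status variable still holds a negative value at that point. Its initialisation lies outside all three inner hunks, so it should be confirmed against the opening lines of each function in the 5.4 tree. The comment that survives explains the const cast but not the invariant being enforced. I would add above each length check something like `/* wLength is host-controlled: clamp IN replies to the ep0 buffer size, refuse OUT data stages that would exceed it */`. The same clamp-or-refuse block now appears three times with only the limit and the exit statement differing, so a later change to one copy can easily miss the others.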