usb: gadget: bdc: validate status-report endpoint indices
authorPengpeng Hou <pengpeng@iscas.ac.cn>
Mon, 23 Mar 2026 12:17:30 +0000 (20:17 +0800)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 30 Mar 2026 14:47:45 +0000 (16:47 +0200)
bdc_sr_xsf() decodes a 5-bit endpoint number from the hardware status
report and uses it to index bdc->bdc_ep_array[] directly. The array is
only allocated to bdc->num_eps for the current controller instance, so a
status report can carry an endpoint number that still fits the 5-bit
field but does not fit the runtime-sized endpoint table.

Reject status reports whose endpoint number is outside bdc->num_eps
before indexing the endpoint array.

Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
Tested-by: Justin Chen <justin.chen@broadcom.com>
Link: https://patch.msgid.link/20260323121730.75245-1-pengpeng@iscas.ac.cn
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/usb/gadget/udc/bdc/bdc_ep.c

index c0ab3347059a03420229c5e82c03a74709602963..a7a22e5ec47ba1fe5f099f39309673b58e5e14cd 100644 (file)
@@ -1647,6 +1647,10 @@ void bdc_sr_xsf(struct bdc *bdc, struct bdc_sr *sreport)
        u8 ep_num;
 
        ep_num = (le32_to_cpu(sreport->offset[3])>>4) & 0x1f;
+       if (ep_num >= bdc->num_eps) {
+               dev_err(bdc->dev, "xsf for invalid ep %u\n", ep_num);
+               return;
+       }
        ep = bdc->bdc_ep_array[ep_num];
        if (!ep || !(ep->flags & BDC_EP_ENABLED)) {
                dev_err(bdc->dev, "xsf for ep not enabled\n");
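Review bot: The `dev_err()` added in the out-of-range branch is triggered purely by a value decoded from the hardware status report, so a controller that keeps producing bad reports can flood the kernel log. `dev_err_ratelimited(bdc->dev, "xsf for invalid ep %u\n", ep_num);` would keep the diagnostic while bounding the volume, and the existing "xsf for ep not enabled" message just below has the same exposure. The check itself is correctly placed before the `bdc->bdc_ep_array[ep_num]` load. Any other status-report handlers that index `bdc_ep_array[]` from report fields are not visible here and may need the same `bdc->num_eps` bound. bdc_sr_xsf() starts before and continues past this hunk, so the rest of the function is not covered by this note.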