Fixes for 5.4

Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/queue-5.4/series b/queue-5.4/series
index 88bb543cc8a780d036b4dffa479d4560236b33f7..386f137ce23cebf49b9641337dcd7ae7af8c29f4 100644 (file)
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -41,3 +41,4 @@ net-fix-double-0x-prefix-print-in-skb-dump.patch
 net-smc-prevent-smc_release-from-long-blocking.patch
 net-systemport-add-global-locking-for-descriptor-lif.patch
 sit-do-not-call-ipip6_dev_free-from-sit_init_net.patch
+usb-gadget-brequesttype-is-a-bitfield-not-a-enum.patch

diff --git a/queue-5.4/usb-gadget-brequesttype-is-a-bitfield-not-a-enum.patch b/queue-5.4/usb-gadget-brequesttype-is-a-bitfield-not-a-enum.patch
new file mode 100644 (file)
index 0000000..5ed7090
--- /dev/null
+++ b/queue-5.4/usb-gadget-brequesttype-is-a-bitfield-not-a-enum.patch
@@ -0,0 +1,98 @@
+From d748c34f9993e6cf8f86d2658e467cd2c2e863db Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Dec 2021 19:46:21 +0100
+Subject: USB: gadget: bRequestType is a bitfield, not a enum
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+[ Upstream commit f08adf5add9a071160c68bb2a61d697f39ab0758 ]
+
+Szymon rightly pointed out that the previous check for the endpoint
+direction in bRequestType was not looking at only the bit involved, but
+rather the whole value.  Normally this is ok, but for some request
+types, bits other than bit 8 could be set and the check for the endpoint
+length could not stall correctly.
+
+Fix that up by only checking the single bit.
+
+Fixes: 153a2d7e3350 ("USB: gadget: detect too-big endpoint 0 requests")
+Cc: Felipe Balbi <balbi@kernel.org>
+Reported-by: Szymon Heidrich <szymon.heidrich@gmail.com>
+Link: https://lore.kernel.org/r/20211214184621.385828-1-gregkh@linuxfoundation.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/composite.c    | 6 +++---
+ drivers/usb/gadget/legacy/dbgp.c  | 6 +++---
+ drivers/usb/gadget/legacy/inode.c | 6 +++---
+ 3 files changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/usb/gadget/composite.c b/drivers/usb/gadget/composite.c
+index d2980e30f3417..c5acf5c39fb18 100644
+--- a/drivers/usb/gadget/composite.c
++++ b/drivers/usb/gadget/composite.c
+@@ -1649,14 +1649,14 @@ composite_setup(struct usb_gadget *gadget, const struct usb_ctrlrequest *ctrl)
+       u8                              endp;
+ 
+       if (w_length > USB_COMP_EP0_BUFSIZ) {
+-              if (ctrl->bRequestType == USB_DIR_OUT) {
+-                      goto done;
+-              } else {
++              if (ctrl->bRequestType & USB_DIR_IN) {
+                       /* Cast away the const, we are going to overwrite on purpose. */
+                       __le16 *temp = (__le16 *)&ctrl->wLength;
+ 
+                       *temp = cpu_to_le16(USB_COMP_EP0_BUFSIZ);
+                       w_length = USB_COMP_EP0_BUFSIZ;
++              } else {
++                      goto done;
+               }
+       }
+ 
+diff --git a/drivers/usb/gadget/legacy/dbgp.c b/drivers/usb/gadget/legacy/dbgp.c
+index 355bc7dab9d5f..6bcbad3825802 100644
+--- a/drivers/usb/gadget/legacy/dbgp.c
++++ b/drivers/usb/gadget/legacy/dbgp.c
+@@ -346,14 +346,14 @@ static int dbgp_setup(struct usb_gadget *gadget,
+       u16 len = 0;
+ 
+       if (length > DBGP_REQ_LEN) {
+-              if (ctrl->bRequestType == USB_DIR_OUT) {
+-                      return err;
+-              } else {
++              if (ctrl->bRequestType & USB_DIR_IN) {
+                       /* Cast away the const, we are going to overwrite on purpose. */
+                       __le16 *temp = (__le16 *)&ctrl->wLength;
+ 
+                       *temp = cpu_to_le16(DBGP_REQ_LEN);
+                       length = DBGP_REQ_LEN;
++              } else {
++                      return err;
+               }
+       }
+ 
+diff --git a/drivers/usb/gadget/legacy/inode.c b/drivers/usb/gadget/legacy/inode.c
+index f0aff79f544c3..5f1e15172403e 100644
+--- a/drivers/usb/gadget/legacy/inode.c
++++ b/drivers/usb/gadget/legacy/inode.c
+@@ -1336,14 +1336,14 @@ gadgetfs_setup (struct usb_gadget *gadget, const struct usb_ctrlrequest *ctrl)
+       u16                             w_length = le16_to_cpu(ctrl->wLength);
+ 
+       if (w_length > RBUF_SIZE) {
+-              if (ctrl->bRequestType == USB_DIR_OUT) {
+-                      return value;
+-              } else {
++              if (ctrl->bRequestType & USB_DIR_IN) {
+                       /* Cast away the const, we are going to overwrite on purpose. */
+                       __le16 *temp = (__le16 *)&ctrl->wLength;
+ 
+                       *temp = cpu_to_le16(RBUF_SIZE);
+                       w_length = RBUF_SIZE;
++              } else {
++                      return value;
+               }
+       }
+ 
+-- 
+2.34.1
+