usb: gadget: renesas_usb3: validate endpoint index in standard request handlers

The GET_STATUS and SET/CLEAR_FEATURE handlers extract the endpoint
number from the host-supplied wIndex without any sort of validation.
Fix this up by validating the number of endpoints actually match up with
the number the device has before attempting to dereference a pointer
based on this math.

This is just like what was done in commit ee0d382feb44 ("usb: gadget:
aspeed_udc: validate endpoint index for ast udc") for the aspeed driver.

Fixes: 746bfe63bba3 ("usb: gadget: renesas_usb3: add support for Renesas USB3.0 peripheral controller")
Cc: stable <stable@kernel.org>
Assisted-by: gregkh_clanker_t1000
Link: https://patch.msgid.link/2026040647-sincerity-untidy-b104@gregkh
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/usb/gadget/udc/renesas_usb3.c b/drivers/usb/gadget/udc/renesas_usb3.c
index b0b264d34919cd2aa8d07fbf1887afb3c464e845..2c9c3e935a5ec878e5895cb4d3fdf8d811ad816d 100644 (file)
--- a/drivers/usb/gadget/udc/renesas_usb3.c
+++ b/drivers/usb/gadget/udc/renesas_usb3.c
@@ -1669,6 +1669,10 @@ static bool usb3_std_req_get_status(struct renesas_usb3 *usb3,
                break;
        case USB_RECIP_ENDPOINT:
                num = le16_to_cpu(ctrl->wIndex) & USB_ENDPOINT_NUMBER_MASK;
+               if (num >= usb3->num_usb3_eps) {
+                       stall = true;
+                       break;
+               }
                usb3_ep = usb3_get_ep(usb3, num);
                if (usb3_ep->halt)
                        status |= 1 << USB_ENDPOINT_HALT;
@@ -1781,7 +1785,8 @@ static bool usb3_std_req_feature_endpoint(struct renesas_usb3 *usb3,
        struct renesas_usb3_ep *usb3_ep;
        struct renesas_usb3_request *usb3_req;
 
-       if (le16_to_cpu(ctrl->wValue) != USB_ENDPOINT_HALT)
+       if ((le16_to_cpu(ctrl->wValue) != USB_ENDPOINT_HALT) ||
+           (num >= usb3->num_usb3_eps))
                return true;    /* stall */
 
        usb3_ep = usb3_get_ep(usb3, num);