From: Greg Kroah-Hartman Date: Mon, 10 May 2021 08:27:48 +0000 (+0200) Subject: 4.14-stable patches X-Git-Tag: v5.4.118~18 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=ce9f189e50ca8eb4ed77c344181c8cb96f8fe5a1;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: ext4-fix-check-to-prevent-false-positive-report-of-incorrect-used-inodes.patch ext4-fix-error-code-in-ext4_commit_super.patch ftrace-handle-commands-when-closing-set_ftrace_filter-file.patch media-dvbdev-fix-memory-leak-in-dvb_media_device_free.patch usb-dwc3-gadget-fix-start_transfer-link-state-check.patch usb-gadget-dummy_hcd-fix-gpf-in-gadget_setup.patch usb-gadget-fix-double-free-of-device-descriptor-pointers.patch usb-gadget-function-f_fs-string-table-fix-for-multiple-languages.patch --- diff --git a/queue-4.14/ext4-fix-check-to-prevent-false-positive-report-of-incorrect-used-inodes.patch b/queue-4.14/ext4-fix-check-to-prevent-false-positive-report-of-incorrect-used-inodes.patch new file mode 100644 index 00000000000..59ee1c94dad --- /dev/null +++ b/queue-4.14/ext4-fix-check-to-prevent-false-positive-report-of-incorrect-used-inodes.patch @@ -0,0 +1,96 @@ +From a149d2a5cabbf6507a7832a1c4fd2593c55fd450 Mon Sep 17 00:00:00 2001 +From: Zhang Yi +Date: Wed, 31 Mar 2021 20:15:16 +0800 +Subject: ext4: fix check to prevent false positive report of incorrect used inodes + +From: Zhang Yi + +commit a149d2a5cabbf6507a7832a1c4fd2593c55fd450 upstream. + +Commit <50122847007> ("ext4: fix check to prevent initializing reserved +inodes") check the block group zero and prevent initializing reserved +inodes. But in some special cases, the reserved inode may not all belong +to the group zero, it may exist into the second group if we format +filesystem below. + + mkfs.ext4 -b 4096 -g 8192 -N 1024 -I 4096 /dev/sda + +So, it will end up triggering a false positive report of a corrupted +file system. This patch fix it by avoid check reserved inodes if no free +inode blocks will be zeroed. + +Cc: stable@kernel.org +Fixes: 50122847007 ("ext4: fix check to prevent initializing reserved inodes") +Signed-off-by: Zhang Yi +Suggested-by: Jan Kara +Link: https://lore.kernel.org/r/20210331121516.2243099-1-yi.zhang@huawei.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/ialloc.c | 48 ++++++++++++++++++++++++++++++++---------------- + 1 file changed, 32 insertions(+), 16 deletions(-) + +--- a/fs/ext4/ialloc.c ++++ b/fs/ext4/ialloc.c +@@ -1367,6 +1367,7 @@ int ext4_init_inode_table(struct super_b + handle_t *handle; + ext4_fsblk_t blk; + int num, ret = 0, used_blks = 0; ++ unsigned long used_inos = 0; + + /* This should not happen, but just to be sure check this */ + if (sb_rdonly(sb)) { +@@ -1397,22 +1398,37 @@ int ext4_init_inode_table(struct super_b + * used inodes so we need to skip blocks with used inodes in + * inode table. + */ +- if (!(gdp->bg_flags & cpu_to_le16(EXT4_BG_INODE_UNINIT))) +- used_blks = DIV_ROUND_UP((EXT4_INODES_PER_GROUP(sb) - +- ext4_itable_unused_count(sb, gdp)), +- sbi->s_inodes_per_block); +- +- if ((used_blks < 0) || (used_blks > sbi->s_itb_per_group) || +- ((group == 0) && ((EXT4_INODES_PER_GROUP(sb) - +- ext4_itable_unused_count(sb, gdp)) < +- EXT4_FIRST_INO(sb)))) { +- ext4_error(sb, "Something is wrong with group %u: " +- "used itable blocks: %d; " +- "itable unused count: %u", +- group, used_blks, +- ext4_itable_unused_count(sb, gdp)); +- ret = 1; +- goto err_out; ++ if (!(gdp->bg_flags & cpu_to_le16(EXT4_BG_INODE_UNINIT))) { ++ used_inos = EXT4_INODES_PER_GROUP(sb) - ++ ext4_itable_unused_count(sb, gdp); ++ used_blks = DIV_ROUND_UP(used_inos, sbi->s_inodes_per_block); ++ ++ /* Bogus inode unused count? */ ++ if (used_blks < 0 || used_blks > sbi->s_itb_per_group) { ++ ext4_error(sb, "Something is wrong with group %u: " ++ "used itable blocks: %d; " ++ "itable unused count: %u", ++ group, used_blks, ++ ext4_itable_unused_count(sb, gdp)); ++ ret = 1; ++ goto err_out; ++ } ++ ++ used_inos += group * EXT4_INODES_PER_GROUP(sb); ++ /* ++ * Are there some uninitialized inodes in the inode table ++ * before the first normal inode? ++ */ ++ if ((used_blks != sbi->s_itb_per_group) && ++ (used_inos < EXT4_FIRST_INO(sb))) { ++ ext4_error(sb, "Something is wrong with group %u: " ++ "itable unused count: %u; " ++ "itables initialized count: %ld", ++ group, ext4_itable_unused_count(sb, gdp), ++ used_inos); ++ ret = 1; ++ goto err_out; ++ } + } + + blk = ext4_inode_table(sb, gdp) + used_blks; diff --git a/queue-4.14/ext4-fix-error-code-in-ext4_commit_super.patch b/queue-4.14/ext4-fix-error-code-in-ext4_commit_super.patch new file mode 100644 index 00000000000..ead0d3cb807 --- /dev/null +++ b/queue-4.14/ext4-fix-error-code-in-ext4_commit_super.patch @@ -0,0 +1,38 @@ +From f88f1466e2a2e5ca17dfada436d3efa1b03a3972 Mon Sep 17 00:00:00 2001 +From: Fengnan Chang +Date: Fri, 2 Apr 2021 18:16:31 +0800 +Subject: ext4: fix error code in ext4_commit_super + +From: Fengnan Chang + +commit f88f1466e2a2e5ca17dfada436d3efa1b03a3972 upstream. + +We should set the error code when ext4_commit_super check argument failed. +Found in code review. +Fixes: c4be0c1dc4cdc ("filesystem freeze: add error handling of write_super_lockfs/unlockfs"). + +Cc: stable@kernel.org +Signed-off-by: Fengnan Chang +Reviewed-by: Andreas Dilger +Link: https://lore.kernel.org/r/20210402101631.561-1-changfengnan@vivo.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/super.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -4859,8 +4859,10 @@ static int ext4_commit_super(struct supe + struct buffer_head *sbh = EXT4_SB(sb)->s_sbh; + int error = 0; + +- if (!sbh || block_device_ejected(sb)) +- return error; ++ if (!sbh) ++ return -EINVAL; ++ if (block_device_ejected(sb)) ++ return -ENODEV; + + /* + * If the file system is mounted read-only, don't update the diff --git a/queue-4.14/ftrace-handle-commands-when-closing-set_ftrace_filter-file.patch b/queue-4.14/ftrace-handle-commands-when-closing-set_ftrace_filter-file.patch new file mode 100644 index 00000000000..cd73a7085e4 --- /dev/null +++ b/queue-4.14/ftrace-handle-commands-when-closing-set_ftrace_filter-file.patch @@ -0,0 +1,54 @@ +From 8c9af478c06bb1ab1422f90d8ecbc53defd44bc3 Mon Sep 17 00:00:00 2001 +From: "Steven Rostedt (VMware)" +Date: Wed, 5 May 2021 10:38:24 -0400 +Subject: ftrace: Handle commands when closing set_ftrace_filter file + +From: Steven Rostedt (VMware) + +commit 8c9af478c06bb1ab1422f90d8ecbc53defd44bc3 upstream. + + # echo switch_mm:traceoff > /sys/kernel/tracing/set_ftrace_filter + +will cause switch_mm to stop tracing by the traceoff command. + + # echo -n switch_mm:traceoff > /sys/kernel/tracing/set_ftrace_filter + +does nothing. + +The reason is that the parsing in the write function only processes +commands if it finished parsing (there is white space written after the +command). That's to handle: + + write(fd, "switch_mm:", 10); + write(fd, "traceoff", 8); + +cases, where the command is broken over multiple writes. + +The problem is if the file descriptor is closed, then the write call is +not processed, and the command needs to be processed in the release code. +The release code can handle matching of functions, but does not handle +commands. + +Cc: stable@vger.kernel.org +Fixes: eda1e32855656 ("tracing: handle broken names in ftrace filter") +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/ftrace.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/kernel/trace/ftrace.c ++++ b/kernel/trace/ftrace.c +@@ -5096,8 +5096,11 @@ int ftrace_regex_release(struct inode *i + + parser = &iter->parser; + if (trace_parser_loaded(parser)) { ++ int enable = !(iter->flags & FTRACE_ITER_NOTRACE); ++ + parser->buffer[parser->idx] = 0; +- ftrace_match_records(iter->hash, parser->buffer, parser->idx); ++ ftrace_process_regex(iter, parser->buffer, ++ parser->idx, enable); + } + + trace_parser_put(parser); diff --git a/queue-4.14/media-dvbdev-fix-memory-leak-in-dvb_media_device_free.patch b/queue-4.14/media-dvbdev-fix-memory-leak-in-dvb_media_device_free.patch new file mode 100644 index 00000000000..0e2fa094404 --- /dev/null +++ b/queue-4.14/media-dvbdev-fix-memory-leak-in-dvb_media_device_free.patch @@ -0,0 +1,37 @@ +From bf9a40ae8d722f281a2721779595d6df1c33a0bf Mon Sep 17 00:00:00 2001 +From: Peilin Ye +Date: Fri, 11 Dec 2020 09:30:39 +0100 +Subject: media: dvbdev: Fix memory leak in dvb_media_device_free() + +From: Peilin Ye + +commit bf9a40ae8d722f281a2721779595d6df1c33a0bf upstream. + +dvb_media_device_free() is leaking memory. Free `dvbdev->adapter->conn` +before setting it to NULL, as documented in include/media/media-device.h: +"The media_entity instance itself must be freed explicitly by the driver +if required." + +Link: https://syzkaller.appspot.com/bug?id=9bbe4b842c98f0ed05c5eed77a226e9de33bf298 + +Link: https://lore.kernel.org/linux-media/20201211083039.521617-1-yepeilin.cs@gmail.com +Cc: stable@vger.kernel.org +Fixes: 0230d60e4661 ("[media] dvbdev: Add RF connector if needed") +Reported-by: syzbot+7f09440acc069a0d38ac@syzkaller.appspotmail.com +Signed-off-by: Peilin Ye +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/dvb-core/dvbdev.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/media/dvb-core/dvbdev.c ++++ b/drivers/media/dvb-core/dvbdev.c +@@ -218,6 +218,7 @@ static void dvb_media_device_free(struct + + if (dvbdev->adapter->conn) { + media_device_unregister_entity(dvbdev->adapter->conn); ++ kfree(dvbdev->adapter->conn); + dvbdev->adapter->conn = NULL; + kfree(dvbdev->adapter->conn_pads); + dvbdev->adapter->conn_pads = NULL; diff --git a/queue-4.14/series b/queue-4.14/series index 983c1668274..d6098d9dfdf 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -88,3 +88,11 @@ fix-misc-new-gcc-warnings.patch jffs2-check-the-validity-of-dstlen-in-jffs2_zlib_compress.patch revert-337f13046ff0-futex-allow-futex_clock_realtime-with-futex_wait-op.patch posix-timers-preserve-return-value-in-clock_adjtime32.patch +ftrace-handle-commands-when-closing-set_ftrace_filter-file.patch +ext4-fix-check-to-prevent-false-positive-report-of-incorrect-used-inodes.patch +ext4-fix-error-code-in-ext4_commit_super.patch +media-dvbdev-fix-memory-leak-in-dvb_media_device_free.patch +usb-gadget-dummy_hcd-fix-gpf-in-gadget_setup.patch +usb-gadget-fix-double-free-of-device-descriptor-pointers.patch +usb-gadget-function-f_fs-string-table-fix-for-multiple-languages.patch +usb-dwc3-gadget-fix-start_transfer-link-state-check.patch diff --git a/queue-4.14/usb-dwc3-gadget-fix-start_transfer-link-state-check.patch b/queue-4.14/usb-dwc3-gadget-fix-start_transfer-link-state-check.patch new file mode 100644 index 00000000000..637d08e1f14 --- /dev/null +++ b/queue-4.14/usb-dwc3-gadget-fix-start_transfer-link-state-check.patch @@ -0,0 +1,63 @@ +From c560e76319a94a3b9285bc426c609903408e4826 Mon Sep 17 00:00:00 2001 +From: Thinh Nguyen +Date: Mon, 19 Apr 2021 19:11:12 -0700 +Subject: usb: dwc3: gadget: Fix START_TRANSFER link state check + +From: Thinh Nguyen + +commit c560e76319a94a3b9285bc426c609903408e4826 upstream. + +The START_TRANSFER command needs to be executed while in ON/U0 link +state (with an exception during register initialization). Don't use +dwc->link_state to check this since the driver only tracks the link +state when the link state change interrupt is enabled. Check the link +state from DSTS register instead. + +Note that often the host already brings the device out of low power +before it sends/requests the next transfer. So, the user won't see any +issue when the device starts transfer then. This issue is more +noticeable in cases when the device delays starting transfer, which can +happen during delayed control status after the host put the device in +low power. + +Fixes: 799e9dc82968 ("usb: dwc3: gadget: conditionally disable Link State change events") +Cc: +Acked-by: Felipe Balbi +Signed-off-by: Thinh Nguyen +Link: https://lore.kernel.org/r/bcefaa9ecbc3e1936858c0baa14de6612960e909.1618884221.git.Thinh.Nguyen@synopsys.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/dwc3/gadget.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +--- a/drivers/usb/dwc3/gadget.c ++++ b/drivers/usb/dwc3/gadget.c +@@ -310,13 +310,12 @@ int dwc3_send_gadget_ep_cmd(struct dwc3_ + } + + if (DWC3_DEPCMD_CMD(cmd) == DWC3_DEPCMD_STARTTRANSFER) { +- int needs_wakeup; ++ int link_state; + +- needs_wakeup = (dwc->link_state == DWC3_LINK_STATE_U1 || +- dwc->link_state == DWC3_LINK_STATE_U2 || +- dwc->link_state == DWC3_LINK_STATE_U3); +- +- if (unlikely(needs_wakeup)) { ++ link_state = dwc3_gadget_get_link_state(dwc); ++ if (link_state == DWC3_LINK_STATE_U1 || ++ link_state == DWC3_LINK_STATE_U2 || ++ link_state == DWC3_LINK_STATE_U3) { + ret = __dwc3_gadget_wakeup(dwc); + dev_WARN_ONCE(dwc->dev, ret, "wakeup failed --> %d\n", + ret); +@@ -1671,6 +1670,8 @@ static int __dwc3_gadget_wakeup(struct d + case DWC3_LINK_STATE_RESET: + case DWC3_LINK_STATE_RX_DET: /* in HS, means Early Suspend */ + case DWC3_LINK_STATE_U3: /* in HS, means SUSPEND */ ++ case DWC3_LINK_STATE_U2: /* in HS, means Sleep (L1) */ ++ case DWC3_LINK_STATE_U1: + case DWC3_LINK_STATE_RESUME: + break; + default: diff --git a/queue-4.14/usb-gadget-dummy_hcd-fix-gpf-in-gadget_setup.patch b/queue-4.14/usb-gadget-dummy_hcd-fix-gpf-in-gadget_setup.patch new file mode 100644 index 00000000000..2512dc34d4b --- /dev/null +++ b/queue-4.14/usb-gadget-dummy_hcd-fix-gpf-in-gadget_setup.patch @@ -0,0 +1,90 @@ +From 4a5d797a9f9c4f18585544237216d7812686a71f Mon Sep 17 00:00:00 2001 +From: Anirudh Rayabharam +Date: Mon, 19 Apr 2021 09:07:08 +0530 +Subject: usb: gadget: dummy_hcd: fix gpf in gadget_setup + +From: Anirudh Rayabharam + +commit 4a5d797a9f9c4f18585544237216d7812686a71f upstream. + +Fix a general protection fault reported by syzbot due to a race between +gadget_setup() and gadget_unbind() in raw_gadget. + +The gadget core is supposed to guarantee that there won't be any more +callbacks to the gadget driver once the driver's unbind routine is +called. That guarantee is enforced in usb_gadget_remove_driver as +follows: + + usb_gadget_disconnect(udc->gadget); + if (udc->gadget->irq) + synchronize_irq(udc->gadget->irq); + udc->driver->unbind(udc->gadget); + usb_gadget_udc_stop(udc); + +usb_gadget_disconnect turns off the pullup resistor, telling the host +that the gadget is no longer connected and preventing the transmission +of any more USB packets. Any packets that have already been received +are sure to processed by the UDC driver's interrupt handler by the time +synchronize_irq returns. + +But this doesn't work with dummy_hcd, because dummy_hcd doesn't use +interrupts; it uses a timer instead. It does have code to emulate the +effect of synchronize_irq, but that code doesn't get invoked at the +right time -- it currently runs in usb_gadget_udc_stop, after the unbind +callback instead of before. Indeed, there's no way for +usb_gadget_remove_driver to invoke this code before the unbind callback. + +To fix this, move the synchronize_irq() emulation code to dummy_pullup +so that it runs before unbind. Also, add a comment explaining why it is +necessary to have it there. + +Reported-by: syzbot+eb4674092e6cc8d9e0bd@syzkaller.appspotmail.com +Suggested-by: Alan Stern +Acked-by: Alan Stern +Signed-off-by: Anirudh Rayabharam +Link: https://lore.kernel.org/r/20210419033713.3021-1-mail@anirudhrb.com +Cc: stable +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/udc/dummy_hcd.c | 23 +++++++++++++++-------- + 1 file changed, 15 insertions(+), 8 deletions(-) + +--- a/drivers/usb/gadget/udc/dummy_hcd.c ++++ b/drivers/usb/gadget/udc/dummy_hcd.c +@@ -902,6 +902,21 @@ static int dummy_pullup(struct usb_gadge + spin_lock_irqsave(&dum->lock, flags); + dum->pullup = (value != 0); + set_link_state(dum_hcd); ++ if (value == 0) { ++ /* ++ * Emulate synchronize_irq(): wait for callbacks to finish. ++ * This seems to be the best place to emulate the call to ++ * synchronize_irq() that's in usb_gadget_remove_driver(). ++ * Doing it in dummy_udc_stop() would be too late since it ++ * is called after the unbind callback and unbind shouldn't ++ * be invoked until all the other callbacks are finished. ++ */ ++ while (dum->callback_usage > 0) { ++ spin_unlock_irqrestore(&dum->lock, flags); ++ usleep_range(1000, 2000); ++ spin_lock_irqsave(&dum->lock, flags); ++ } ++ } + spin_unlock_irqrestore(&dum->lock, flags); + + usb_hcd_poll_rh_status(dummy_hcd_to_hcd(dum_hcd)); +@@ -1005,14 +1020,6 @@ static int dummy_udc_stop(struct usb_gad + spin_lock_irq(&dum->lock); + dum->ints_enabled = 0; + stop_activity(dum); +- +- /* emulate synchronize_irq(): wait for callbacks to finish */ +- while (dum->callback_usage > 0) { +- spin_unlock_irq(&dum->lock); +- usleep_range(1000, 2000); +- spin_lock_irq(&dum->lock); +- } +- + dum->driver = NULL; + spin_unlock_irq(&dum->lock); + diff --git a/queue-4.14/usb-gadget-fix-double-free-of-device-descriptor-pointers.patch b/queue-4.14/usb-gadget-fix-double-free-of-device-descriptor-pointers.patch new file mode 100644 index 00000000000..f2cb460dfbc --- /dev/null +++ b/queue-4.14/usb-gadget-fix-double-free-of-device-descriptor-pointers.patch @@ -0,0 +1,44 @@ +From 43c4cab006f55b6ca549dd1214e22f5965a8675f Mon Sep 17 00:00:00 2001 +From: Hemant Kumar +Date: Wed, 21 Apr 2021 12:47:32 -0700 +Subject: usb: gadget: Fix double free of device descriptor pointers + +From: Hemant Kumar + +commit 43c4cab006f55b6ca549dd1214e22f5965a8675f upstream. + +Upon driver unbind usb_free_all_descriptors() function frees all +speed descriptor pointers without setting them to NULL. In case +gadget speed changes (i.e from super speed plus to super speed) +after driver unbind only upto super speed descriptor pointers get +populated. Super speed plus desc still holds the stale (already +freed) pointer. Fix this issue by setting all descriptor pointers +to NULL after freeing them in usb_free_all_descriptors(). + +Fixes: f5c61225cf29 ("usb: gadget: Update function for SuperSpeedPlus") +cc: stable@vger.kernel.org +Reviewed-by: Peter Chen +Signed-off-by: Hemant Kumar +Signed-off-by: Wesley Cheng +Link: https://lore.kernel.org/r/1619034452-17334-1-git-send-email-wcheng@codeaurora.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/config.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/usb/gadget/config.c ++++ b/drivers/usb/gadget/config.c +@@ -198,9 +198,13 @@ EXPORT_SYMBOL_GPL(usb_assign_descriptors + void usb_free_all_descriptors(struct usb_function *f) + { + usb_free_descriptors(f->fs_descriptors); ++ f->fs_descriptors = NULL; + usb_free_descriptors(f->hs_descriptors); ++ f->hs_descriptors = NULL; + usb_free_descriptors(f->ss_descriptors); ++ f->ss_descriptors = NULL; + usb_free_descriptors(f->ssp_descriptors); ++ f->ssp_descriptors = NULL; + } + EXPORT_SYMBOL_GPL(usb_free_all_descriptors); + diff --git a/queue-4.14/usb-gadget-function-f_fs-string-table-fix-for-multiple-languages.patch b/queue-4.14/usb-gadget-function-f_fs-string-table-fix-for-multiple-languages.patch new file mode 100644 index 00000000000..8e06834c01d --- /dev/null +++ b/queue-4.14/usb-gadget-function-f_fs-string-table-fix-for-multiple-languages.patch @@ -0,0 +1,44 @@ +From 55b74ce7d2ce0b0058f3e08cab185a0afacfe39e Mon Sep 17 00:00:00 2001 +From: Dean Anderson +Date: Wed, 17 Mar 2021 15:41:09 -0700 +Subject: usb: gadget/function/f_fs string table fix for multiple languages + +From: Dean Anderson + +commit 55b74ce7d2ce0b0058f3e08cab185a0afacfe39e upstream. + +Fixes bug with the handling of more than one language in +the string table in f_fs.c. +str_count was not reset for subsequent language codes. +str_count-- "rolls under" and processes u32 max strings on +the processing of the second language entry. +The existing bug can be reproduced by adding a second language table +to the structure "strings" in tools/usb/ffs-test.c. + +Signed-off-by: Dean Anderson +Link: https://lore.kernel.org/r/20210317224109.21534-1-dean@sensoray.com +Cc: stable +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/function/f_fs.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/usb/gadget/function/f_fs.c ++++ b/drivers/usb/gadget/function/f_fs.c +@@ -2543,6 +2543,7 @@ static int __ffs_data_got_strings(struct + + do { /* lang_count > 0 so we can use do-while */ + unsigned needed = needed_count; ++ u32 str_per_lang = str_count; + + if (unlikely(len < 3)) + goto error_free; +@@ -2578,7 +2579,7 @@ static int __ffs_data_got_strings(struct + + data += length + 1; + len -= length + 1; +- } while (--str_count); ++ } while (--str_per_lang); + + s->id = 0; /* terminator */ + s->s = NULL;