summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorRobin Guo <guoweibin@inspur.com>2022-09-06 10:21:19 +0800
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2022-10-26 13:25:53 +0200
commitacf0006f2b2b2ca672988875fd154429aafb2a9b (patch)
treecf861d53a4785f905138c4331e0d2e93987f5cf6
parent91271a3e772e180bbb8afb114c72fd294a02f93d (diff)
downloadlinux-stable-acf0006f2b2b2ca672988875fd154429aafb2a9b.tar.gz
linux-stable-acf0006f2b2b2ca672988875fd154429aafb2a9b.tar.bz2
linux-stable-acf0006f2b2b2ca672988875fd154429aafb2a9b.zip
usb: musb: Fix musb_gadget.c rxstate overflow bug
[ Upstream commit eea4c860c3b366369eff0489d94ee4f0571d467d ] The usb function device call musb_gadget_queue() adds the passed request to musb_ep::req_list,If the (request->length > musb_ep->packet_sz) and (is_buffer_mapped(req) return false),the rxstate() will copy all data in fifo to request->buf which may cause request->buf out of bounds. Fix it by add the length check : fifocnt = min_t(unsigned, request->length - request->actual, fifocnt); Signed-off-by: Robin Guo <guoweibin@inspur.com> Link: https://lore.kernel.org/r/20220906102119.1b071d07a8391ff115e6d1ef@inspur.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Sasha Levin <sashal@kernel.org>
Diffstat
-rw-r--r--drivers/usb/musb/musb_gadget.c3
1 files changed, 3 insertions, 0 deletions
diff --git a/drivers/usb/musb/musb_gadget.c b/drivers/usb/musb/musb_gadget.c
index fb806b33178a..c273eee35aaa 100644
--- a/drivers/usb/musb/musb_gadget.c
+++ b/drivers/usb/musb/musb_gadget.c
@@ -760,6 +760,9 @@ static void rxstate(struct musb *musb, struct musb_request *req)
musb_writew(epio, MUSB_RXCSR, csr);
buffer_aint_mapped:
+ fifo_count = min_t(unsigned int,
+ request->length - request->actual,
+ (unsigned int)fifo_count);
musb_read_fifo(musb_ep->hw_ep, fifo_count, (u8 *)
(request->buf + request->actual));
request->actual += fifo_count;
generated by cgit v1.2.3 (git 2.25.1) at 2024-05-31 00:32:28 +0000