diff options
author | Robin Guo <guoweibin@inspur.com> | 2022-09-06 10:21:19 +0800 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2022-10-26 13:25:53 +0200 |
commit | acf0006f2b2b2ca672988875fd154429aafb2a9b (patch) | |
tree | cf861d53a4785f905138c4331e0d2e93987f5cf6 | |
parent | 91271a3e772e180bbb8afb114c72fd294a02f93d (diff) | |
download | linux-stable-acf0006f2b2b2ca672988875fd154429aafb2a9b.tar.gz linux-stable-acf0006f2b2b2ca672988875fd154429aafb2a9b.tar.bz2 linux-stable-acf0006f2b2b2ca672988875fd154429aafb2a9b.zip |
usb: musb: Fix musb_gadget.c rxstate overflow bug
[ Upstream commit eea4c860c3b366369eff0489d94ee4f0571d467d ]
The usb function device call musb_gadget_queue() adds the passed
request to musb_ep::req_list,If the (request->length > musb_ep->packet_sz)
and (is_buffer_mapped(req) return false),the rxstate() will copy all data
in fifo to request->buf which may cause request->buf out of bounds.
Fix it by add the length check :
fifocnt = min_t(unsigned, request->length - request->actual, fifocnt);
Signed-off-by: Robin Guo <guoweibin@inspur.com>
Link: https://lore.kernel.org/r/20220906102119.1b071d07a8391ff115e6d1ef@inspur.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
-rw-r--r-- | drivers/usb/musb/musb_gadget.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/drivers/usb/musb/musb_gadget.c b/drivers/usb/musb/musb_gadget.c index fb806b33178a..c273eee35aaa 100644 --- a/drivers/usb/musb/musb_gadget.c +++ b/drivers/usb/musb/musb_gadget.c @@ -760,6 +760,9 @@ static void rxstate(struct musb *musb, struct musb_request *req) musb_writew(epio, MUSB_RXCSR, csr); buffer_aint_mapped: + fifo_count = min_t(unsigned int, + request->length - request->actual, + (unsigned int)fifo_count); musb_read_fifo(musb_ep->hw_ep, fifo_count, (u8 *) (request->buf + request->actual)); request->actual += fifo_count; |