| Message ID | CO1PR17MB541952EE4072214813CB05C8E10E2@CO1PR17MB5419.namprd17.prod.outlook.com (mailing list archive) |
|---|---|
| State | Superseded |
| Series | [v2] usb: gadget: f_fs: Fix a race condition when processing setup packets. |
On Thu, Apr 18, 2024 at 04:45:12PM +0000, Chris Wulff wrote:
> If the USB driver passes a pointer into the TRB buffer for creq, this buffer can be overwritten with the status response as soon as the event is queued. This can make the final check return USB_GADGET_DELAYED_STATUS when it shouldn't. Instead use the stored wLength.
>
> Signed-off-by: Chris Wulff <chris.wulff@biamp.com>
> ---
> v2: Added signoff
>
>  drivers/usb/gadget/function/f_fs.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c > index bffbc1dc651f..8d72acf9a760 100644 > --- a/drivers/usb/gadget/function/f_fs.c > +++ b/drivers/usb/gadget/function/f_fs.c > @@ -3803,7 +3803,7 @@ static int ffs_func_setup(struct usb_function *f, > __ffs_event_add(ffs, FUNCTIONFS_SETUP); > spin_unlock_irqrestore(&ffs->ev.waitq.lock, flags); > > - return creq->wLength == 0 ? USB_GADGET_DELAYED_STATUS : 0; > + return ffs->ev.setup.wLength == 0 ? USB_GADGET_DELAYED_STATUS : 0; > }

What commit id does this fix? And should it be backported to older kernels?

And again, please cc: the relevant maintainer/developers on your changes so they know to read them.

thanks,

greg k-h
diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c index bffbc1dc651f..8d72acf9a760 100644 --- a/drivers/usb/gadget/function/f_fs.c +++ b/drivers/usb/gadget/function/f_fs.c @@ -3803,7 +3803,7 @@ static int ffs_func_setup(struct usb_function *f, __ffs_event_add(ffs, FUNCTIONFS_SETUP); spin_unlock_irqrestore(&ffs->ev.waitq.lock, flags); - return creq->wLength == 0 ? USB_GADGET_DELAYED_STATUS : 0; + return ffs->ev.setup.wLength == 0 ? USB_GADGET_DELAYED_STATUS : 0; } static bool ffs_func_req_match(struct usb_function *f,
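Review bot: the replacement return still reads ffs->ev.setup.wLength after spin_unlock_irqrestore(&ffs->ev.waitq.lock, flags) has dropped the lock, so the decision is no longer tied to creq but is still taken outside the critical section; capturing the value while the lock is held (e.g. `u16 wLength = ffs->ev.setup.wLength;` before the unlock) and returning on the local would make the ordering explicit and keep the return tied to the same snapshot that __ffs_event_add(ffs, FUNCTIONFS_SETUP) queued. The comparison against 0 is fine as written since a zero is zero regardless of the stored field's byte order. Separately, the patch carries no Fixes: tag and no Cc: stable line; if this is to be backported, as the reviewer asks above, it needs the commit that introduced the creq->wLength check identified in a Fixes: tag.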
If the USB driver passes a pointer into the TRB buffer for creq, this buffer can be overwritten with the status response as soon as the event is queued. This can make the final check return USB_GADGET_DELAYED_STATUS when it shouldn't. Instead use the stored wLength.

Signed-off-by: Chris Wulff <chris.wulff@biamp.com>
---
v2: Added signoff

 drivers/usb/gadget/function/f_fs.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
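The race the commit message describes, reduced to a user-space simulation. This is an added example and not code from the patch, the kernel, or the author: the "TRB buffer" is a plain array that a simulated controller reuses for the status stage the moment the setup event is queued, `queue_setup_event()` stands in for `__ffs_event_add()` plus the controller's reuse of the buffer, `stored_setup` stands in for `ffs->ev.setup`, and the value of `USB_GADGET_DELAYED_STATUS` is assumed here rather than taken from the kernel header. The buggy variant dereferences `creq` after the hand-off, as the pre-fix code did; the fixed variant decides from the copy taken before the hand-off.

```c
/* Added example (not kernel code): simulates the f_fs setup-packet race.
 * The simulated controller behaviour and all names are assumptions. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Assumed for this example; the real constant is in include/linux/usb/gadget.h. */
#define USB_GADGET_DELAYED_STATUS 0x7fff

/* Layout of a USB control request (8 bytes, naturally packed). */
struct usb_ctrlrequest {
    uint8_t  bRequestType;
    uint8_t  bRequest;
    uint16_t wValue;
    uint16_t wIndex;
    uint16_t wLength;
};

/* Simulated controller-owned TRB buffer, shared by setup and status stages. */
static uint8_t trb_buf[sizeof(struct usb_ctrlrequest)];

/* Stand-in for ffs->ev.setup: the function's own copy of the setup packet. */
static struct usb_ctrlrequest stored_setup;

/* Stand-in for __ffs_event_add(): copies the request (as the real code does
 * into ffs->ev.setup) and then lets the controller reuse the TRB for the
 * zero-length status response, clobbering what creq still points at. */
static void queue_setup_event(const struct usb_ctrlrequest *creq)
{
    stored_setup = *creq;                 /* snapshot taken before the hand-off */
    memset(trb_buf, 0, sizeof(trb_buf));  /* status stage overwrites the TRB */
}

/* Pre-fix behaviour: reads creq->wLength after the buffer was handed off. */
int ffs_func_setup_buggy(struct usb_ctrlrequest *creq)
{
    queue_setup_event(creq);
    return creq->wLength == 0 ? USB_GADGET_DELAYED_STATUS : 0;
}

/* Post-fix behaviour: decides from the snapshot, not the shared buffer. */
int ffs_func_setup_fixed(struct usb_ctrlrequest *creq)
{
    queue_setup_event(creq);
    return stored_setup.wLength == 0 ? USB_GADGET_DELAYED_STATUS : 0;
}

/* Places a constructed vendor request with the given wLength into the TRB
 * buffer and returns the pointer a controller driver would hand to setup(). */
struct usb_ctrlrequest *load_setup(uint16_t wLength)
{
    struct usb_ctrlrequest req;
    req.bRequestType = 0xc1;   /* vendor, interface, device-to-host (constructed) */
    req.bRequest     = 0x01;
    req.wValue       = 0;
    req.wIndex       = 0;
    req.wLength      = wLength;
    memcpy(trb_buf, &req, sizeof(req));
    return (struct usb_ctrlrequest *)trb_buf;
}

int main(void)
{
    /* A 64-byte data stage must not be reported as DELAYED_STATUS. */
    int buggy = ffs_func_setup_buggy(load_setup(64));
    int fixed = ffs_func_setup_fixed(load_setup(64));
    printf("wLength=64: buggy=%#x fixed=%#x\n", buggy, fixed);

    /* A genuine zero-length request should still be DELAYED_STATUS. */
    printf("wLength=0:  fixed=%#x\n", ffs_func_setup_fixed(load_setup(0)));
    return 0;
}
```

The general lesson is the one the patch encodes: anything a controller driver hands over as a pointer into its own DMA or ring buffer must be copied before the request is queued or completed, and every later decision must be taken on the copy, never on the original pointer.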