linux-usb.vger.kernel.org archive mirror
* [PATCH v2] usb: gadget: f_fs: Fix a race condition when processing setup packets.
@ 2024-04-23 18:02 Chris Wulff
  0 siblings, 0 replies; 3+ messages in thread
From: Chris Wulff @ 2024-04-23 18:02 UTC (permalink / raw)
  To: linux-usb
  Cc: Greg KH, Jerry Zhang, Christian Brauner, Jan Kara, Jeff Layton,
	Paul Cercueil, Kees Cook, Chris Wulff, Uttkarsh Aggarwal,
	Dmitry Antipov, linux-kernel, linux-stable

If the USB driver passes a pointer into the TRB buffer for creq, this
buffer can be overwritten with the status response as soon as the event
is queued. This can make the final check return USB_GADGET_DELAYED_STATUS
when it shouldn't. Instead use the stored wLength.

Fixes: 4d644abf2569 ("usb: gadget: f_fs: Only return delayed status when len is 0")
Signed-off-by: Chris Wulff <chris.wulff@biamp.com>
---
v2: Added fixes tag

 drivers/usb/gadget/function/f_fs.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c
index bffbc1dc651f..8d72acf9a760 100644
--- a/drivers/usb/gadget/function/f_fs.c
+++ b/drivers/usb/gadget/function/f_fs.c
@@ -3803,7 +3803,7 @@ static int ffs_func_setup(struct usb_function *f,
 	__ffs_event_add(ffs, FUNCTIONFS_SETUP);
 	spin_unlock_irqrestore(&ffs->ev.waitq.lock, flags);
 
-	return creq->wLength == 0 ? USB_GADGET_DELAYED_STATUS : 0;
+	return ffs->ev.setup.wLength == 0 ? USB_GADGET_DELAYED_STATUS : 0;
 }
 
 static bool ffs_func_req_match(struct usb_function *f,
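
Review bot: The new return line reads ffs->ev.setup.wLength after spin_unlock_irqrestore(&ffs->ev.waitq.lock, flags), so if ffs->ev.setup is protected by that lock, the stored copy can itself change between the unlock and the return. Consider taking the decision while the lock is still held, for example by assigning the USB_GADGET_DELAYED_STATUS-or-0 result to a local int just before the unlock and returning that local.
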
-- 
2.34.1



* Re: [PATCH v2] usb: gadget: f_fs: Fix a race condition when processing setup packets.
  2024-04-18 16:45 Chris Wulff
@ 2024-04-21 10:17 ` Greg KH
  0 siblings, 0 replies; 3+ messages in thread
From: Greg KH @ 2024-04-21 10:17 UTC (permalink / raw)
  To: Chris Wulff; +Cc: linux-usb

On Thu, Apr 18, 2024 at 04:45:12PM +0000, Chris Wulff wrote:
> If the USB driver passes a pointer into the TRB buffer for creq, this
> buffer can be overwritten with the status response as soon as the event
> is queued. This can make the final check return USB_GADGET_DELAYED_STATUS
> when it shouldn't. Instead use the stored wLength.
> 
> Signed-off-by: Chris Wulff <chris.wulff@biamp.com>
> ---
> v2: Added signoff
> 
>  drivers/usb/gadget/function/f_fs.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c
> index bffbc1dc651f..8d72acf9a760 100644
> --- a/drivers/usb/gadget/function/f_fs.c
> +++ b/drivers/usb/gadget/function/f_fs.c
> @@ -3803,7 +3803,7 @@ static int ffs_func_setup(struct usb_function *f,
>  	__ffs_event_add(ffs, FUNCTIONFS_SETUP);
>  	spin_unlock_irqrestore(&ffs->ev.waitq.lock, flags);
>  
> -	return creq->wLength == 0 ? USB_GADGET_DELAYED_STATUS : 0;
> +	return ffs->ev.setup.wLength == 0 ? USB_GADGET_DELAYED_STATUS : 0;
>  }
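
Review bot: Missing documentation at the changed return line: nothing in the code says why creq must not be dereferenced once __ffs_event_add(ffs, FUNCTIONFS_SETUP) has run, so a later cleanup could switch it back to creq->wLength. A one-line comment above the return stating that creq may point into the controller's buffer and can be overwritten after the event is queued would keep the reason next to the code.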

What commit id does this fix?

And should it be backported to older kernels?

And again, please cc: the relevant maintainer/developers on your changes
so they know to read them.

thanks,

greg k-h


* [PATCH v2] usb: gadget: f_fs: Fix a race condition when processing setup packets.
@ 2024-04-18 16:45 Chris Wulff
  2024-04-21 10:17 ` Greg KH
  0 siblings, 1 reply; 3+ messages in thread
From: Chris Wulff @ 2024-04-18 16:45 UTC (permalink / raw)
  To: linux-usb

If the USB driver passes a pointer into the TRB buffer for creq, this
buffer can be overwritten with the status response as soon as the event
is queued. This can make the final check return USB_GADGET_DELAYED_STATUS
when it shouldn't. Instead use the stored wLength.

Signed-off-by: Chris Wulff <chris.wulff@biamp.com>
---
v2: Added signoff

 drivers/usb/gadget/function/f_fs.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c
index bffbc1dc651f..8d72acf9a760 100644
--- a/drivers/usb/gadget/function/f_fs.c
+++ b/drivers/usb/gadget/function/f_fs.c
@@ -3803,7 +3803,7 @@ static int ffs_func_setup(struct usb_function *f,
 	__ffs_event_add(ffs, FUNCTIONFS_SETUP);
 	spin_unlock_irqrestore(&ffs->ev.waitq.lock, flags);
 
-	return creq->wLength == 0 ? USB_GADGET_DELAYED_STATUS : 0;
+	return ffs->ev.setup.wLength == 0 ? USB_GADGET_DELAYED_STATUS : 0;
 }
 
 static bool ffs_func_req_match(struct usb_function *f,
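
Review bot: The zero test on ffs->ev.setup.wLength in the new return line gives the same answer in either byte order, but the hunk does not show whether the stored field is kept in wire (little-endian) form or converted to CPU order. Stating that in the commit message, or in a short comment at the return, would help anyone who later adds a non-zero comparison on the same field decide whether le16_to_cpu() is needed.
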
-- 
2.34.1


