The sgl may be allocated larger than the requested length. Check the usb_request->length and make sure that we don't setup the TRB to send/receive more than requested. Cc: stable@xxxxxxxxxxxxxxx Fixes: a31e63b608ff ("usb: dwc3: gadget: Correct handling of scattergather lists") Signed-off-by: Thinh Nguyen <thinhn@xxxxxxxxxxxx> --- drivers/usb/dwc3/gadget.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c index 4ca3e197bee4..95ec39e42409 100644 --- a/drivers/usb/dwc3/gadget.c +++ b/drivers/usb/dwc3/gadget.c @@ -1040,7 +1040,8 @@ static void dwc3_prepare_one_trb(struct dwc3_ep *dep, unsigned no_interrupt = req->request.no_interrupt; if (req->request.num_sgs > 0) { - length = sg_dma_len(req->start_sg); + length = min_t(unsigned int, req->request.length, + sg_dma_len(req->start_sg)); dma = sg_dma_address(req->start_sg); } else { length = req->request.length; -- 2.11.0
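Review bot: in the `req->request.num_sgs > 0` branch, the new clamp compares each entry's `sg_dma_len(req->start_sg)` against the whole `req->request.length`, not against what is left of the request after earlier entries. If a request is spread over more than one sg entry, any entry shorter than the total length passes through unclamped, so the TRBs prepared for that request can together still cover more than `req->request.length`. For example, two 600-byte entries with a 1000-byte request would each yield a 600-byte TRB. Consider tracking how many bytes have already been queued for the request and clamping to the remainder instead, or say in the changelog that only the case where a single entry exceeds the request length is meant to be covered.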