Thinh Nguyen wrote:
> The sgl may be allocated larger than the requested length. Check the
> usb_request->length and make sure that we don't setup the TRB to
> send/receive more than requested.
>
> Cc: stable@xxxxxxxxxxxxxxx
> Fixes: a31e63b608ff ("usb: dwc3: gadget: Correct handling of scattergather lists")
> Signed-off-by: Thinh Nguyen <thinhn@xxxxxxxxxxxx>
> ---
> drivers/usb/dwc3/gadget.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c
> index 4ca3e197bee4..95ec39e42409 100644
> --- a/drivers/usb/dwc3/gadget.c
> +++ b/drivers/usb/dwc3/gadget.c
> @@ -1040,7 +1040,8 @@ static void dwc3_prepare_one_trb(struct dwc3_ep *dep,
> unsigned no_interrupt = req->request.no_interrupt;
>
> if (req->request.num_sgs > 0) {
> - length = sg_dma_len(req->start_sg);
> + length = min_t(unsigned int, req->request.length,
> + sg_dma_len(req->start_sg));
> dma = sg_dma_address(req->start_sg);
> } else {
> length = req->request.length;
Don't pick this up yet. This change only covers single SG entry. I'll
send a v2 after more testing.
BR,
Thinh
