On Wed, Jul 27, 2022 at 08:43:34AM +0000, Andy Guo (郭卫斌) wrote:
> From: guoweibin <guoweibin@xxxxxxxxxx>

Your From: in your email has your real name, why not use that instead of
just putting your email alias here?

>
> when the rxstate function executes the 'goto buffer_aint_mapped' code
> branch, it will always copy the fifocnt bytes data to request->buf,
> which may cause request->buf out of bounds. for Ethernet-over-USB will
> cause skb_over_panic when a packet larger than mtu is received.

How can we get a bigger packet than mtu?

>
> Fix it by add the length check :
> fifocnt = min_t(unsigned, request->length - request->actual, fifocnt);
>
> Signed-off-by: guoweibin <guoweibin@xxxxxxxxxx>

Same here.

> ---
> v2:
> -fix format error
> drivers/usb/musb/musb_gadget.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/drivers/usb/musb/musb_gadget.c b/drivers/usb/musb/musb_gadget.c
> index 51274b87f46c..4ad5a1f31d7e 100644
> --- a/drivers/usb/musb/musb_gadget.c
> +++ b/drivers/usb/musb/musb_gadget.c
> @@ -760,6 +760,7 @@ static void rxstate(struct musb *musb, struct musb_request *req)
> musb_writew(epio, MUSB_RXCSR, csr);
>
> buffer_aint_mapped:
> + fifo_count = min_t(unsigned, request->length - request->actual, fifo_count);

Why the cast to "unsigned"?

And if we get a too big packet, shouldn't we drop it?

And what does this have to do with a usb-ethernet device, this is in the
generic musb code, not an ethernet driver.

thanks,

greg k-h
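
Review bot: The clamp added under buffer_aint_mapped silently truncates an oversized packet: fifo_count is cut down to request->length - request->actual, but nothing in the hunk reports the overflow on the request or says what happens to the bytes that are no longer read. Consider flagging the condition (an error status on the request, or dropping the packet) when fifo_count exceeds the remaining space, and state that choice in the changelog. It is also worth confirming that request->actual can never exceed request->length on this path, since the subtraction would otherwise wrap to a large value and the min_t() would no longer bound the copy. Two smaller points: the changelog names the variable fifocnt while the code uses fifo_count, and bare "unsigned" in min_t() is better written as "unsigned int", or replaced by a type that matches the operands so no cast is needed.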