On Thu, Apr 18, 2024 at 04:45:12PM +0000, Chris Wulff wrote: > If the USB driver passes a pointer into the TRB buffer for creq, this > buffer can be overwritten with the status response as soon as the event > is queued. This can make the final check return USB_GADGET_DELAYED_STATUS > when it shouldn't. Instead use the stored wLength. > > Signed-off-by: Chris Wulff <chris.wulff@xxxxxxxxx> > --- > v2: Added signoff > > drivers/usb/gadget/function/f_fs.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c > index bffbc1dc651f..8d72acf9a760 100644 > --- a/drivers/usb/gadget/function/f_fs.c > +++ b/drivers/usb/gadget/function/f_fs.c > @@ -3803,7 +3803,7 @@ static int ffs_func_setup(struct usb_function *f, > __ffs_event_add(ffs, FUNCTIONFS_SETUP); > spin_unlock_irqrestore(&ffs->ev.waitq.lock, flags); > > - return creq->wLength == 0 ? USB_GADGET_DELAYED_STATUS : 0; > + return ffs->ev.setup.wLength == 0 ? USB_GADGET_DELAYED_STATUS : 0; > }

What commit id does this fix? And should it be backported to older kernels?

And again, please cc: the relevant maintainer/developers on your changes so they know to read them.

thanks,

greg k-h
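
Review bot: The new return statement reads ffs->ev.setup.wLength after spin_unlock_irqrestore(&ffs->ev.waitq.lock, flags), so the value is sampled outside the critical section shown in the context lines. If ev.setup is protected by ev.waitq.lock, anything that updates it once the lock is dropped can change the result of this check, which is the same kind of problem the commit message describes for creq. Consider copying wLength into a local while the lock is still held, before __ffs_event_add(), and returning USB_GADGET_DELAYED_STATUS based on that local. The commit message also carries no Fixes: tag, which would identify the commit being fixed and settle the backport question.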