Patch "usb: gadget: f_fs: Fix a race condition when processing setup packets." has been added to the 6.8-stable tree

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

This is a note to let you know that I've just added the patch titled

    usb: gadget: f_fs: Fix a race condition when processing setup packets.

to the 6.8-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     usb-gadget-f_fs-fix-a-race-condition-when-processing-setup-packets.patch
and it can be found in the queue-6.8 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


>From 0aea736ddb877b93f6d2dd8cf439840d6b4970a9 Mon Sep 17 00:00:00 2001
From: Chris Wulff <Chris.Wulff@xxxxxxxxx>
Date: Tue, 23 Apr 2024 18:02:15 +0000
Subject: usb: gadget: f_fs: Fix a race condition when processing setup packets.

From: Chris Wulff <Chris.Wulff@xxxxxxxxx>

commit 0aea736ddb877b93f6d2dd8cf439840d6b4970a9 upstream.

If the USB driver passes a pointer into the TRB buffer for creq, this
buffer can be overwritten with the status response as soon as the event
is queued. This can make the final check return USB_GADGET_DELAYED_STATUS
when it shouldn't. Instead use the stored wLength.

Fixes: 4d644abf2569 ("usb: gadget: f_fs: Only return delayed status when len is 0")
Cc: stable <stable@xxxxxxxxxx>
Signed-off-by: Chris Wulff <chris.wulff@xxxxxxxxx>
Link: https://lore.kernel.org/r/CO1PR17MB5419BD664264A558B2395E28E1112@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 drivers/usb/gadget/function/f_fs.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/usb/gadget/function/f_fs.c
+++ b/drivers/usb/gadget/function/f_fs.c
@@ -3335,7 +3335,7 @@ static int ffs_func_setup(struct usb_fun
 	__ffs_event_add(ffs, FUNCTIONFS_SETUP);
 	spin_unlock_irqrestore(&ffs->ev.waitq.lock, flags);
 
-	return creq->wLength == 0 ? USB_GADGET_DELAYED_STATUS : 0;
+	return ffs->ev.setup.wLength == 0 ? USB_GADGET_DELAYED_STATUS : 0;
 }
 
 static bool ffs_func_req_match(struct usb_function *f,


Patches currently in stable-queue which might be from Chris.Wulff@xxxxxxxxx are

queue-6.8/usb-gadget-f_fs-fix-a-race-condition-when-processing-setup-packets.patch
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux