This is a note to let you know that I've just added the patch titled usb: gadget: align buffer size when allocating for OUT endpoint to the 4.4-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: usb-gadget-align-buffer-size-when-allocating-for-out-endpoint.patch and it can be found in the queue-4.4 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. >From e0466156ee2e944fb47a3fa00932c3698a6d2c67 Mon Sep 17 00:00:00 2001 From: "Felipe F. Tonello" <eu@xxxxxxxxxxxxxxxxx> Date: Mon, 8 Aug 2016 21:30:06 +0100 Subject: usb: gadget: align buffer size when allocating for OUT endpoint From: Felipe F. Tonello <eu@xxxxxxxxxxxxxxxxx> commit e0466156ee2e944fb47a3fa00932c3698a6d2c67 upstream. Using usb_ep_align() makes sure that the buffer size for OUT endpoints is always aligned with wMaxPacketSize (512 usually). This makes sure that no buffer has the wrong size, which can cause nasty bugs. Signed-off-by: Felipe F. Tonello <eu@xxxxxxxxxxxxxxxxx> Signed-off-by: Felipe Balbi <felipe.balbi@xxxxxxxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- drivers/usb/gadget/u_f.c | 3 +++ drivers/usb/gadget/u_f.h | 16 +++++++++++++++- 2 files changed, 18 insertions(+), 1 deletion(-) --- a/drivers/usb/gadget/u_f.c +++ b/drivers/usb/gadget/u_f.c @@ -12,6 +12,7 @@ */ #include "u_f.h" +#include <linux/usb/ch9.h> struct usb_request *alloc_ep_req(struct usb_ep *ep, size_t len, int default_len) { @@ -20,6 +21,8 @@ struct usb_request *alloc_ep_req(struct req = usb_ep_alloc_request(ep, GFP_ATOMIC); if (req) { req->length = len ?: default_len; + if (usb_endpoint_dir_out(ep->desc)) + req->length = usb_ep_align(ep, req->length); req->buf = kmalloc(req->length, GFP_ATOMIC); if (!req->buf) { usb_ep_free_request(ep, req); --- a/drivers/usb/gadget/u_f.h +++ b/drivers/usb/gadget/u_f.h @@ -47,8 +47,22 @@ struct usb_ep; struct usb_request; -/* Requests allocated via alloc_ep_req() must be freed by free_ep_req(). */ +/** + * alloc_ep_req - returns a usb_request allocated by the gadget driver and + * allocates the request's buffer. + * + * @ep: the endpoint to allocate a usb_request + * @len: usb_requests's buffer suggested size + * @default_len: used if @len is not provided, ie, is 0 + * + * In case @ep direction is OUT, the @len will be aligned to ep's + * wMaxPacketSize. In order to avoid memory leaks or drops, *always* use + * usb_requests's length (req->length) to refer to the allocated buffer size. + * Requests allocated via alloc_ep_req() *must* be freed by free_ep_req(). + */ struct usb_request *alloc_ep_req(struct usb_ep *ep, size_t len, int default_len); + +/* Frees a usb_request previously allocated by alloc_ep_req() */ static inline void free_ep_req(struct usb_ep *ep, struct usb_request *req) { kfree(req->buf); Patches currently in stable-queue which might be from eu@xxxxxxxxxxxxxxxxx are queue-4.4/usb-gadget-change-len-to-size_t-on-alloc_ep_req.patch queue-4.4/usb-gadget-define-free_ep_req-as-universal-function.patch queue-4.4/usb-gadget-fix-usb_ep_align_maybe-endianness-and-new-usb_ep_align.patch queue-4.4/usb-gadget-align-buffer-size-when-allocating-for-out-endpoint.patch