usb: gadget: f_fs: Fix a race condition when processing setup packets.

crwulff · gregkh · commit 0aea736ddb87 · 2024-04-23T16:26:10.000-07:00
If the USB driver passes a pointer into the TRB buffer for creq, this buffer can be overwritten with the status response as soon as the event is queued. This can make the final check return USB_GADGET_DELAYED_STATUS when it shouldn't. Instead use the stored wLength. Fixes: 4d644ab ("usb: gadget: f_fs: Only return delayed status when len is 0") Cc: stable <stable@kernel.org> Signed-off-by: Chris Wulff <chris.wulff@biamp.com> Link: https://lore.kernel.org/r/CO1PR17MB5419BD664264A558B2395E28E1112@CO1PR17MB5419.namprd17.prod.outlook.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c
@@ -3811,7 +3811,7 @@ static int ffs_func_setup(struct usb_function *f,
 	__ffs_event_add(ffs, FUNCTIONFS_SETUP);
 	spin_unlock_irqrestore(&ffs->ev.waitq.lock, flags);
 
-	return creq->wLength == 0 ? USB_GADGET_DELAYED_STATUS : 0;
+	return ffs->ev.setup.wLength == 0 ? USB_GADGET_DELAYED_STATUS : 0;
 }
 
 static bool ffs_func_req_match(struct usb_function *f,

Original file line number	Diff line number	Diff line change
`@@ -3811,7 +3811,7 @@ static int ffs_func_setup(struct usb_function *f,`
`3811`	`3811`	`__ffs_event_add(ffs, FUNCTIONFS_SETUP);`
`3812`	`3812`	`spin_unlock_irqrestore(&ffs->ev.waitq.lock, flags);`
`3813`	`3813`
`3814`		`- return creq->wLength == 0 ? USB_GADGET_DELAYED_STATUS : 0;`
	`3814`	`+ return ffs->ev.setup.wLength == 0 ? USB_GADGET_DELAYED_STATUS : 0;`
`3815`	`3815`	`}`
`3816`	`3816`
`3817`	`3817`	`static bool ffs_func_req_match(struct usb_function *f,`