mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2024-09-27 21:03:32 +00:00
usb: gadget: f_fs: Fix a race condition when processing setup packets.
commit0aea736ddb
upstream. If the USB driver passes a pointer into the TRB buffer for creq, this buffer can be overwritten with the status response as soon as the event is queued. This can make the final check return USB_GADGET_DELAYED_STATUS when it shouldn't. Instead use the stored wLength. Fixes:4d644abf25
("usb: gadget: f_fs: Only return delayed status when len is 0") Cc: stable <stable@kernel.org> Signed-off-by: Chris Wulff <chris.wulff@biamp.com> Link: https://lore.kernel.org/r/CO1PR17MB5419BD664264A558B2395E28E1112@CO1PR17MB5419.namprd17.prod.outlook.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This commit is contained in:
parent
c037e0ebc0
commit
af3f22e07d
1 changed files with 1 additions and 1 deletions
|
@ -3304,7 +3304,7 @@ static int ffs_func_setup(struct usb_function *f,
|
||||||
__ffs_event_add(ffs, FUNCTIONFS_SETUP);
|
__ffs_event_add(ffs, FUNCTIONFS_SETUP);
|
||||||
spin_unlock_irqrestore(&ffs->ev.waitq.lock, flags);
|
spin_unlock_irqrestore(&ffs->ev.waitq.lock, flags);
|
||||||
|
|
||||||
return creq->wLength == 0 ? USB_GADGET_DELAYED_STATUS : 0;
|
return ffs->ev.setup.wLength == 0 ? USB_GADGET_DELAYED_STATUS : 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
static bool ffs_func_req_match(struct usb_function *f,
|
static bool ffs_func_req_match(struct usb_function *f,
|
||||||
|
|
Loading…
Reference in a new issue