[PATCH 4.14 43/54] usb: gadget: f_fs: Process all descriptors during bind

From: Greg Kroah-Hartman
Date: Mon Feb 26 2018 - 15:26:05 EST

Next message: Greg Kroah-Hartman: "[PATCH 4.15 11/64] X.509: fix BUG_ON() when hash algorithm is unsupported"
Previous message: Greg Kroah-Hartman: "[PATCH 4.14 42/54] Revert "usb: musb: host: dont start next rx urb if current one failed""
In reply to: Greg Kroah-Hartman: "[PATCH 4.14 42/54] Revert "usb: musb: host: dont start next rx urb if current one failed""
Next in thread: Greg Kroah-Hartman: "[PATCH 4.14 34/54] arm64: Disable unhandled signal log messages by default"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

4.14-stable review patch. If anyone has any objections, please let me know.

------------------

From: Jack Pham <jackp@xxxxxxxxxxxxxx>

commit 6cf439e0d37463e42784271179c8a308fd7493c6 upstream.

During _ffs_func_bind(), the received descriptors are evaluated
to prepare for binding with the gadget in order to allocate
endpoints and optionally set up OS descriptors. However, the
high- and super-speed descriptors are only parsed based on
whether the gadget_is_dualspeed() and gadget_is_superspeed()
calls are true, respectively.

This is a problem in case a userspace program always provides
all of the {full,high,super,OS} descriptors when configuring a
function. Then, for example if a gadget device is not capable
of SuperSpeed, the call to ffs_do_descs() for the SS descriptors
is skipped, resulting in an incorrect offset calculation for
the vla_ptr when moving on to the OS descriptors that follow.
This causes ffs_do_os_descs() to fail as it is now looking at
the SS descriptors' offset within the raw_descs buffer instead.

_ffs_func_bind() should evaluate the descriptors unconditionally,
so remove the checks for gadget speed.

Fixes: f0175ab51993 ("usb: gadget: f_fs: OS descriptors support")
Cc: stable@xxxxxxxxxxxxxxx
Co-Developed-by: Mayank Rana <mrana@xxxxxxxxxxxxxx>
Signed-off-by: Mayank Rana <mrana@xxxxxxxxxxxxxx>
Signed-off-by: Jack Pham <jackp@xxxxxxxxxxxxxx>
Signed-off-by: Felipe Balbi <felipe.balbi@xxxxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>

---
drivers/usb/gadget/function/f_fs.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)

--- a/drivers/usb/gadget/function/f_fs.c
+++ b/drivers/usb/gadget/function/f_fs.c
@@ -2980,10 +2980,8 @@ static int _ffs_func_bind(struct usb_con
struct ffs_data *ffs = func->ffs;

const int full = !!func->ffs->fs_descs_count;
- const int high = gadget_is_dualspeed(func->gadget) &&
- func->ffs->hs_descs_count;
- const int super = gadget_is_superspeed(func->gadget) &&
- func->ffs->ss_descs_count;
+ const int high = !!func->ffs->hs_descs_count;
+ const int super = !!func->ffs->ss_descs_count;

int fs_len, hs_len, ss_len, ret, i;
struct ffs_ep *eps_ptr;

Next message: Greg Kroah-Hartman: "[PATCH 4.15 11/64] X.509: fix BUG_ON() when hash algorithm is unsupported"
Previous message: Greg Kroah-Hartman: "[PATCH 4.14 42/54] Revert "usb: musb: host: dont start next rx urb if current one failed""
In reply to: Greg Kroah-Hartman: "[PATCH 4.14 42/54] Revert "usb: musb: host: dont start next rx urb if current one failed""
Next in thread: Greg Kroah-Hartman: "[PATCH 4.14 34/54] arm64: Disable unhandled signal log messages by default"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]