From patchwork Tue Apr 23 18:02:15 2024
X-Patchwork-Submitter: Chris Wulff
X-Patchwork-Id: 791441
From: Chris Wulff
To: "linux-usb@vger.kernel.org"
CC: Greg KH, Jerry Zhang, Christian Brauner, Jan Kara, Jeff Layton, Paul Cercueil, Kees Cook, Chris Wulff, Uttkarsh Aggarwal, Dmitry Antipov, "linux-kernel@vger.kernel.org", "linux-stable@vger.kernel.org"
Subject: [PATCH v2] usb: gadget: f_fs: Fix a race condition when processing setup packets.
Date: Tue, 23 Apr 2024 18:02:15 +0000

If the USB driver passes a pointer into the TRB buffer for creq, this buffer can be overwritten with the status response as soon as the event is queued. This can make the final check return USB_GADGET_DELAYED_STATUS when it shouldn't. Instead use the stored wLength.

Fixes: 4d644abf2569 ("usb: gadget: f_fs: Only return delayed status when len is 0")
Signed-off-by: Chris Wulff
--- v2: Added fixes tag drivers/usb/gadget/function/f_fs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c index bffbc1dc651f..8d72acf9a760 100644 --- a/drivers/usb/gadget/function/f_fs.c +++ b/drivers/usb/gadget/function/f_fs.c @@ -3803,7 +3803,7 @@ static int ffs_func_setup(struct usb_function *f, __ffs_event_add(ffs, FUNCTIONFS_SETUP); spin_unlock_irqrestore(&ffs->ev.waitq.lock, flags); - return creq->wLength == 0 ? USB_GADGET_DELAYED_STATUS : 0; + return ffs->ev.setup.wLength == 0 ? USB_GADGET_DELAYED_STATUS : 0; } static bool ffs_func_req_match(struct usb_function *f,
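
Review bot: the new return expression reads ffs->ev.setup.wLength after spin_unlock_irqrestore(&ffs->ev.waitq.lock, flags) has already run, so the value is sampled outside the lock that is held while the event is queued. If ffs->ev.setup can be rewritten by a later setup packet or touched by the reader once that lock is dropped, this check has the same kind of window the commit message describes for creq. Consider copying wLength into a local before the unlock (or testing creq->wLength before __ffs_event_add() is called) and returning on that local. A short comment above the return saying why creq must not be dereferenced after the event is queued would also keep someone from reverting to creq->wLength later.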