usb: musb: Fix musb_gadget.c rxstate overflow bug - starfive-tech/linux.git - StarFive Tech Linux Kernel for VisionFive (JH7110) boards (mirror)

diff options

author	Robin Guo <guoweibin@inspur.com>	2022-09-06 05:21:19 +0300
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2022-09-22 16:52:30 +0300
commit	eea4c860c3b366369eff0489d94ee4f0571d467d (patch)
tree	4c3e6bc5887f8ceff2266cc1cb17bb91079590e9 /fs/btrfs/locking.c
parent	93440d1fdf0a8d15857d755650fdcfc29c04e1f2 (diff)
download	linux-eea4c860c3b366369eff0489d94ee4f0571d467d.tar.xz

usb: musb: Fix musb_gadget.c rxstate overflow bug

The usb function device call musb_gadget_queue() adds the passed request to musb_ep::req_list,If the (request->length > musb_ep->packet_sz) and (is_buffer_mapped(req) return false),the rxstate() will copy all data in fifo to request->buf which may cause request->buf out of bounds. Fix it by add the length check : fifocnt = min_t(unsigned, request->length - request->actual, fifocnt); Signed-off-by: Robin Guo <guoweibin@inspur.com> Link: https://lore.kernel.org/r/20220906102119.1b071d07a8391ff115e6d1ef@inspur.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Diffstat (limited to 'fs/btrfs/locking.c')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: