mirror of
https://github.com/torvalds/linux.git
synced 2024-12-27 13:22:23 +00:00
f670e9f9c8
dwc2_hsotg_process_req_status uses ep_from_windex() to retrieve
the endpoint for the index provided in the wIndex request param.
In a test-case with a rndis gadget running and sending a malformed
packet to it like:
dev.ctrl_transfer(
0x82, # bmRequestType
0x00, # bRequest
0x0000, # wValue
0x0001, # wIndex
0x00 # wLength
)
it is possible to cause a crash:
[ 217.533022] dwc2 ff300000.usb: dwc2_hsotg_process_req_status: USB_REQ_GET_STATUS
[ 217.559003] Unable to handle kernel read from unreadable memory at virtual address 0000000000000088
...
[ 218.313189] Call trace:
[ 218.330217] ep_from_windex+0x3c/0x54
[ 218.348565] usb_gadget_giveback_request+0x10/0x20
[ 218.368056] dwc2_hsotg_complete_request+0x144/0x184
This happens because ep_from_windex wants to compare the endpoint
direction even if index_to_ep() didn't return an endpoint due to
the direction not matching.
The fix is easy insofar that the actual direction check is already
happening when calling index_to_ep() which will return NULL if there
is no endpoint for the targeted direction, so the offending check
can go away completely.
Fixes:
|
||
---|---|---|
.. | ||
atm | ||
c67x00 | ||
cdns3 | ||
chipidea | ||
class | ||
common | ||
core | ||
dwc2 | ||
dwc3 | ||
early | ||
gadget | ||
host | ||
image | ||
isp1760 | ||
misc | ||
mon | ||
mtu3 | ||
musb | ||
phy | ||
renesas_usbhs | ||
roles | ||
serial | ||
storage | ||
typec | ||
usbip | ||
Kconfig | ||
Makefile | ||
usb-skeleton.c |