Commit f670e9f
usb: dwc2: Fix endpoint direction check in ep_from_windex

dwc2_hsotg_process_req_status uses ep_from_windex() to retrieve
the endpoint for the index provided in the wIndex request param.

In a test-case with a rndis gadget running and sending a malformed
packet to it like:

    dev.ctrl_transfer(
        0x82,      # bmRequestType
        0x00,      # bRequest
        0x0000,    # wValue
        0x0001,    # wIndex
        0x00       # wLength
    )

it is possible to cause a crash:

    [ 217.533022] dwc2 ff300000.usb: dwc2_hsotg_process_req_status: USB_REQ_GET_STATUS
    [ 217.559003] Unable to handle kernel read from unreadable memory at virtual address 0000000000000088
    ...
    [ 218.313189] Call trace:
    [ 218.330217] ep_from_windex+0x3c/0x54
    [ 218.348565] usb_gadget_giveback_request+0x10/0x20
    [ 218.368056] dwc2_hsotg_complete_request+0x144/0x184

This happens because ep_from_windex wants to compare the endpoint
direction even if index_to_ep() didn't return an endpoint due to
the direction not matching.

The fix is easy insofar that the actual direction check is already
happening when calling index_to_ep() which will return NULL if there
is no endpoint for the targeted direction, so the offending check
can go away completely.

Fixes: c6f5c05 ("usb: dwc2: gadget: add bi-directional endpoint support")
Cc: [email protected]
Reported-by: Gerhard Klostermeier <[email protected]>
Signed-off-by: Heiko Stuebner <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Greg Kroah-Hartman <[email protected]>

1 parent 0e5a3c8 commit f670e9f
1 file changed
Lines changed: 1 addition & 7 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
1543 | 1543 | | |
1544 | 1544 | | |
1545 | 1545 | | |
1546 | | - | |
1547 | 1546 | | |
1548 | 1547 | | |
1549 | 1548 | | |
| |||
1553 | 1552 | | |
1554 | 1553 | | |
1555 | 1554 | | |
1556 | | - | |
1557 | | - | |
1558 | | - | |
1559 | | - | |
1560 | | - | |
1561 | | - | |
| 1555 | + | |
1562 | 1556 | | |
1563 | 1557 | | |
1564 | 1558 | | |
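Review bot: with the six lines at old 1556-1561 replaced by the single line at new 1555, the message implies that ep_from_windex() now hands index_to_ep()'s NULL straight to its callers, so every caller, starting with dwc2_hsotg_process_req_status, needs to test the result for NULL before using it; please confirm that in the same series. A one-line comment on ep_from_windex() stating that NULL means no endpoint exists for the requested direction would also help keep a redundant direction check from being reintroduced later.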
| |||
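The failure mode described in the commit message, as an added user-space model; this is not the kernel source or the patch itself, whose lines are not shown on this page. The `model_*` types, `windex_in_range()`, `sample_device()` and the `_before`/`_after` suffixes are assumptions made for illustration; only the names `ep_from_windex` and `index_to_ep` come from the message.

```c
#include <stddef.h>
#include <stdint.h>
#define MODEL_DIR_IN  0x80u /* direction bit in the low byte of wIndex */
#define MODEL_MAX_EPS 4     /* constructed array size for this model */
struct model_ep { int index; int dir_in; };
struct model_hsotg {
    uint32_t num_of_eps;
    struct model_ep *eps_in[MODEL_MAX_EPS];  /* NULL: no IN endpoint */
    struct model_ep *eps_out[MODEL_MAX_EPS]; /* NULL: no OUT endpoint */
};
/* Returns NULL when the index has no endpoint in the requested direction. */
struct model_ep *index_to_ep(struct model_hsotg *h, uint32_t idx, int dir_in)
{
    return dir_in ? h->eps_in[idx] : h->eps_out[idx];
}

int windex_in_range(const struct model_hsotg *h, uint32_t windex)
{
    uint32_t idx = windex & 0x7F;
    return windex < 0x100 && idx < MODEL_MAX_EPS && idx <= h->num_of_eps;
}

/* Before: the direction is compared even when the lookup returned NULL. */
struct model_ep *ep_from_windex_before(struct model_hsotg *h, uint32_t windex)
{
    int dir = (windex & MODEL_DIR_IN) ? 1 : 0;
    if (!windex_in_range(h, windex))
        return NULL;
    struct model_ep *ep = index_to_ep(h, windex & 0x7F, dir);
    if ((windex & 0x7F) && ep->dir_in != dir) /* ep may be NULL here */
        return NULL;
    return ep;
}

/* After: the lookup result, NULL included, is handed to the caller. */
struct model_ep *ep_from_windex_after(struct model_hsotg *h, uint32_t windex)
{
    if (!windex_in_range(h, windex))
        return NULL;
    return index_to_ep(h, windex & 0x7F, (windex & MODEL_DIR_IN) ? 1 : 0);
}

/* Constructed layout: ep0 both directions, ep1 IN only, ep2 OUT only. */
struct model_hsotg *sample_device(void)
{
    static struct model_ep ep0 = {0, 0}, ep1 = {1, 1}, ep2 = {2, 0};
    static struct model_hsotg h = { 2, { &ep0, &ep1 }, { &ep0, NULL, &ep2 } };
    return &h;
}
/* Exit status 0: wIndex 0x0001 (ep1, OUT) resolves to NULL instead of faulting. */
int main(void) { return ep_from_windex_after(sample_device(), 0x0001) ? 1 : 0; }
```

In this model `ep_from_windex_before()` is safe only for indexes whose endpoint exists in the requested direction; it is left uncalled for the mismatched case, which is the one the message reports as crashing.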