USB: gadget: bRequestType is a bitfield, not a enum

[ Upstream commit f08adf5add9a071160c68bb2a61d697f39ab0758 ]

Szymon rightly pointed out that the previous check for the endpoint
direction in bRequestType was not looking at only the bit involved, but
rather the whole value.  Normally this is ok, but for some request
types, bits other than bit 8 could be set and the check for the endpoint
length could not stall correctly.

Fix that up by only checking the single bit.

Mot-CRs-fixed: (CR)
CVE-Fixed: CVE-2021-39685
Bug: 210292376

Change-Id: I7d924c81c41c003bf048ab995c52562df239e563
Fixes: 153a2d7e3350 ("USB: gadget: detect too-big endpoint 0 requests")
Cc: Felipe Balbi <balbi@kernel.org>
Reported-by: Szymon Heidrich <szymon.heidrich@gmail.com>
Link: https://lore.kernel.org/r/20211214184621.385828-1-gregkh@linuxfoundation.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Gajjala Chakradhar <gajjalac@motorola.com>
Reviewed-on: https://gerrit.mot.com/2197707
SME-Granted: SME Approvals Granted
SLTApproved: Slta Waiver
Tested-by: Jira Key
Reviewed-by: Xiangpo Zhao <zhaoxp3@motorola.com>
Submit-Approved: Jira Key
(cherry picked from commit 830a43080a0b05cd77863647699c4f97b3849ac8)

diff --git a/drivers/usb/gadget/composite.c b/drivers/usb/gadget/composite.c
index 4e47dc05e7686ea020f25806e44b495d640f7718..c718cc1bc04389c5c1211330aeccc0884d3538be 100644 (file)
--- a/drivers/usb/gadget/composite.c
+++ b/drivers/usb/gadget/composite.c
@@ -1578,14 +1578,14 @@ composite_setup(struct usb_gadget *gadget, const struct usb_ctrlrequest *ctrl)
        u8                              endp;
 
        if (w_length > USB_COMP_EP0_BUFSIZ) {
-               if (ctrl->bRequestType == USB_DIR_OUT) {
-                       goto done;
-               } else {
+               if (ctrl->bRequestType & USB_DIR_IN) {
                        /* Cast away the const, we are going to overwrite on purpose. */
                        __le16 *temp = (__le16 *)&ctrl->wLength;
 
                        *temp = cpu_to_le16(USB_COMP_EP0_BUFSIZ);
                        w_length = USB_COMP_EP0_BUFSIZ;
+               } else {
+                       goto done;
                }
        }
 

diff --git a/drivers/usb/gadget/legacy/dbgp.c b/drivers/usb/gadget/legacy/dbgp.c
index f1c5a22704b2814bf0926586851a756ce389f36a..e8818ad973e4bb379f9e0b446dadeab3330b5bfc 100644 (file)
--- a/drivers/usb/gadget/legacy/dbgp.c
+++ b/drivers/usb/gadget/legacy/dbgp.c
@@ -345,14 +345,14 @@ static int dbgp_setup(struct usb_gadget *gadget,
        u16 len = 0;
 
        if (length > DBGP_REQ_LEN) {
-               if (ctrl->bRequestType == USB_DIR_OUT) {
-                       return err;
-               } else {
+               if (ctrl->bRequestType & USB_DIR_IN) {
                        /* Cast away the const, we are going to overwrite on purpose. */
                        __le16 *temp = (__le16 *)&ctrl->wLength;
 
                        *temp = cpu_to_le16(DBGP_REQ_LEN);
                        length = DBGP_REQ_LEN;
+               } else {
+                       return err;
                }
        }
 

diff --git a/drivers/usb/gadget/legacy/inode.c b/drivers/usb/gadget/legacy/inode.c
index 8d8b5c86a437454e6961cc0bd152137f591c29a5..d730a5c2b4fe183778f97287bdeb92bae9757bb0 100644 (file)
--- a/drivers/usb/gadget/legacy/inode.c
+++ b/drivers/usb/gadget/legacy/inode.c
@@ -1339,14 +1339,14 @@ gadgetfs_setup (struct usb_gadget *gadget, const struct usb_ctrlrequest *ctrl)
        u16                             w_length = le16_to_cpu(ctrl->wLength);
 
        if (w_length > RBUF_SIZE) {
-               if (ctrl->bRequestType == USB_DIR_OUT) {
-                       return value;
-               } else {
+               if (ctrl->bRequestType & USB_DIR_IN) {
                        /* Cast away the const, we are going to overwrite on purpose. */
                        __le16 *temp = (__le16 *)&ctrl->wLength;
 
                        *temp = cpu_to_le16(RBUF_SIZE);
                        w_length = RBUF_SIZE;
+               } else {
+                       return value;
                }
        }