Commit c4d7362a authored by Thinh Nguyen's avatar Thinh Nguyen Committed by Greg Kroah-Hartman

usb: dwc3: gadget: Don't setup more than requested

[ Upstream commit 5d187c04 ]

The SG list may be set up with entry size more than the requested
length. Check the usb_request->length and make sure that we don't setup
the TRBs to send/receive more than requested. This case may occur when
the SG entry is allocated up to a certain minimum size, but the request
length is less than that. It can also occur when the request is reused
for a different request length.

Cc: <stable@vger.kernel.org> # v4.18+
Fixes: a31e63b6 ("usb: dwc3: gadget: Correct handling of scattergather lists")
Signed-off-by: default avatarThinh Nguyen <thinhn@synopsys.com>
Signed-off-by: default avatarFelipe Balbi <balbi@kernel.org>
Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
parent 2d037285
...@@ -1017,26 +1017,24 @@ static void __dwc3_prepare_one_trb(struct dwc3_ep *dep, struct dwc3_trb *trb, ...@@ -1017,26 +1017,24 @@ static void __dwc3_prepare_one_trb(struct dwc3_ep *dep, struct dwc3_trb *trb,
* dwc3_prepare_one_trb - setup one TRB from one request * dwc3_prepare_one_trb - setup one TRB from one request
* @dep: endpoint for which this request is prepared * @dep: endpoint for which this request is prepared
* @req: dwc3_request pointer * @req: dwc3_request pointer
* @trb_length: buffer size of the TRB
* @chain: should this TRB be chained to the next? * @chain: should this TRB be chained to the next?
* @node: only for isochronous endpoints. First TRB needs different type. * @node: only for isochronous endpoints. First TRB needs different type.
*/ */
static void dwc3_prepare_one_trb(struct dwc3_ep *dep, static void dwc3_prepare_one_trb(struct dwc3_ep *dep,
struct dwc3_request *req, unsigned chain, unsigned node) struct dwc3_request *req, unsigned int trb_length,
unsigned chain, unsigned node)
{ {
struct dwc3_trb *trb; struct dwc3_trb *trb;
unsigned int length;
dma_addr_t dma; dma_addr_t dma;
unsigned stream_id = req->request.stream_id; unsigned stream_id = req->request.stream_id;
unsigned short_not_ok = req->request.short_not_ok; unsigned short_not_ok = req->request.short_not_ok;
unsigned no_interrupt = req->request.no_interrupt; unsigned no_interrupt = req->request.no_interrupt;
if (req->request.num_sgs > 0) { if (req->request.num_sgs > 0)
length = sg_dma_len(req->start_sg);
dma = sg_dma_address(req->start_sg); dma = sg_dma_address(req->start_sg);
} else { else
length = req->request.length;
dma = req->request.dma; dma = req->request.dma;
}
trb = &dep->trb_pool[dep->trb_enqueue]; trb = &dep->trb_pool[dep->trb_enqueue];
...@@ -1048,7 +1046,7 @@ static void dwc3_prepare_one_trb(struct dwc3_ep *dep, ...@@ -1048,7 +1046,7 @@ static void dwc3_prepare_one_trb(struct dwc3_ep *dep,
req->num_trbs++; req->num_trbs++;
__dwc3_prepare_one_trb(dep, trb, dma, length, chain, node, __dwc3_prepare_one_trb(dep, trb, dma, trb_length, chain, node,
stream_id, short_not_ok, no_interrupt); stream_id, short_not_ok, no_interrupt);
} }
...@@ -1058,16 +1056,27 @@ static void dwc3_prepare_one_trb_sg(struct dwc3_ep *dep, ...@@ -1058,16 +1056,27 @@ static void dwc3_prepare_one_trb_sg(struct dwc3_ep *dep,
struct scatterlist *sg = req->start_sg; struct scatterlist *sg = req->start_sg;
struct scatterlist *s; struct scatterlist *s;
int i; int i;
unsigned int length = req->request.length;
unsigned int remaining = req->request.num_mapped_sgs unsigned int remaining = req->request.num_mapped_sgs
- req->num_queued_sgs; - req->num_queued_sgs;
/*
* If we resume preparing the request, then get the remaining length of
* the request and resume where we left off.
*/
for_each_sg(req->request.sg, s, req->num_queued_sgs, i)
length -= sg_dma_len(s);
for_each_sg(sg, s, remaining, i) { for_each_sg(sg, s, remaining, i) {
unsigned int length = req->request.length;
unsigned int maxp = usb_endpoint_maxp(dep->endpoint.desc); unsigned int maxp = usb_endpoint_maxp(dep->endpoint.desc);
unsigned int rem = length % maxp; unsigned int rem = length % maxp;
unsigned int trb_length;
unsigned chain = true; unsigned chain = true;
trb_length = min_t(unsigned int, length, sg_dma_len(s));
length -= trb_length;
/* /*
* IOMMU driver is coalescing the list of sgs which shares a * IOMMU driver is coalescing the list of sgs which shares a
* page boundary into one and giving it to USB driver. With * page boundary into one and giving it to USB driver. With
...@@ -1075,7 +1084,7 @@ static void dwc3_prepare_one_trb_sg(struct dwc3_ep *dep, ...@@ -1075,7 +1084,7 @@ static void dwc3_prepare_one_trb_sg(struct dwc3_ep *dep,
* sgs passed. So mark the chain bit to false if it isthe last * sgs passed. So mark the chain bit to false if it isthe last
* mapped sg. * mapped sg.
*/ */
if (i == remaining - 1) if ((i == remaining - 1) || !length)
chain = false; chain = false;
if (rem && usb_endpoint_dir_out(dep->endpoint.desc) && !chain) { if (rem && usb_endpoint_dir_out(dep->endpoint.desc) && !chain) {
...@@ -1085,7 +1094,7 @@ static void dwc3_prepare_one_trb_sg(struct dwc3_ep *dep, ...@@ -1085,7 +1094,7 @@ static void dwc3_prepare_one_trb_sg(struct dwc3_ep *dep,
req->needs_extra_trb = true; req->needs_extra_trb = true;
/* prepare normal TRB */ /* prepare normal TRB */
dwc3_prepare_one_trb(dep, req, true, i); dwc3_prepare_one_trb(dep, req, trb_length, true, i);
/* Now prepare one extra TRB to align transfer size */ /* Now prepare one extra TRB to align transfer size */
trb = &dep->trb_pool[dep->trb_enqueue]; trb = &dep->trb_pool[dep->trb_enqueue];
...@@ -1096,7 +1105,7 @@ static void dwc3_prepare_one_trb_sg(struct dwc3_ep *dep, ...@@ -1096,7 +1105,7 @@ static void dwc3_prepare_one_trb_sg(struct dwc3_ep *dep,
req->request.short_not_ok, req->request.short_not_ok,
req->request.no_interrupt); req->request.no_interrupt);
} else { } else {
dwc3_prepare_one_trb(dep, req, chain, i); dwc3_prepare_one_trb(dep, req, trb_length, chain, i);
} }
/* /*
...@@ -1111,6 +1120,16 @@ static void dwc3_prepare_one_trb_sg(struct dwc3_ep *dep, ...@@ -1111,6 +1120,16 @@ static void dwc3_prepare_one_trb_sg(struct dwc3_ep *dep,
req->num_queued_sgs++; req->num_queued_sgs++;
/*
* The number of pending SG entries may not correspond to the
* number of mapped SG entries. If all the data are queued, then
* don't include unused SG entries.
*/
if (length == 0) {
req->num_pending_sgs -= req->request.num_mapped_sgs - req->num_queued_sgs;
break;
}
if (!dwc3_calc_trbs_left(dep)) if (!dwc3_calc_trbs_left(dep))
break; break;
} }
...@@ -1130,7 +1149,7 @@ static void dwc3_prepare_one_trb_linear(struct dwc3_ep *dep, ...@@ -1130,7 +1149,7 @@ static void dwc3_prepare_one_trb_linear(struct dwc3_ep *dep,
req->needs_extra_trb = true; req->needs_extra_trb = true;
/* prepare normal TRB */ /* prepare normal TRB */
dwc3_prepare_one_trb(dep, req, true, 0); dwc3_prepare_one_trb(dep, req, length, true, 0);
/* Now prepare one extra TRB to align transfer size */ /* Now prepare one extra TRB to align transfer size */
trb = &dep->trb_pool[dep->trb_enqueue]; trb = &dep->trb_pool[dep->trb_enqueue];
...@@ -1147,7 +1166,7 @@ static void dwc3_prepare_one_trb_linear(struct dwc3_ep *dep, ...@@ -1147,7 +1166,7 @@ static void dwc3_prepare_one_trb_linear(struct dwc3_ep *dep,
req->needs_extra_trb = true; req->needs_extra_trb = true;
/* prepare normal TRB */ /* prepare normal TRB */
dwc3_prepare_one_trb(dep, req, true, 0); dwc3_prepare_one_trb(dep, req, length, true, 0);
/* Now prepare one extra TRB to handle ZLP */ /* Now prepare one extra TRB to handle ZLP */
trb = &dep->trb_pool[dep->trb_enqueue]; trb = &dep->trb_pool[dep->trb_enqueue];
...@@ -1157,7 +1176,7 @@ static void dwc3_prepare_one_trb_linear(struct dwc3_ep *dep, ...@@ -1157,7 +1176,7 @@ static void dwc3_prepare_one_trb_linear(struct dwc3_ep *dep,
req->request.short_not_ok, req->request.short_not_ok,
req->request.no_interrupt); req->request.no_interrupt);
} else { } else {
dwc3_prepare_one_trb(dep, req, false, 0); dwc3_prepare_one_trb(dep, req, length, false, 0);
} }
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment