Re: [PATCH] usb: dwc3: gadget: Don't setup more than requested

Thinh Nguyen wrote:

The sgl may be allocated larger than the requested length. Check the usb_request->length and make sure that we don't setup the TRB to send/receive more than requested.

Cc: stable@vger.kernel.org Fixes: a31e63b608ff ("usb: dwc3: gadget: Correct handling of scattergather lists") Signed-off-by: Thinh Nguyen thinhn@synopsys.com

---

drivers/usb/dwc3/gadget.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c index 4ca3e197bee4..95ec39e42409 100644 --- a/drivers/usb/dwc3/gadget.c +++ b/drivers/usb/dwc3/gadget.c @@ -1040,7 +1040,8 @@ static void dwc3_prepare_one_trb(struct dwc3_ep *dep, unsigned no_interrupt = req->request.no_interrupt; if (req->request.num_sgs > 0) {

• length = sg_dma_len(req->start_sg);
  

• length = min_t(unsigned int, req->request.length,
  

• 	       sg_dma_len(req->start_sg));
  

  dma = sg_dma_address(req->start_sg); } else { length = req->request.length;

Don't pick this up yet. This change only covers single SG entry. I'll send a v2 after more testing.

BR, Thinh