From: guoweibin <guoweibin@inspur.com>
Date: Mon, 25 Jul 2022 19:27:49 +0800
Subject: [PATCH] usb: musb: Fix musb_gadget.c rxstate overflow bug

when the rxstate function executes the 'goto buffer_aint_mapped' code
branch, it will always copy the fifocnt bytes data to request->buf,
which may cause request->buf out of bounds..

Fix it by add the length check :
fifocnt = min_t(unsigned, request->length - request->actual, fifocnt);

Signed-off-by: guoweibin <guoweibin@inspur.com>
---
 drivers/usb/musb/musb_gadget.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/usb/musb/musb_gadget.c b/drivers/usb/musb/musb_gadget.c
index 51274b87f46c..dc67fff8e941 100644
--- a/drivers/usb/musb/musb_gadget.c
+++ b/drivers/usb/musb/musb_gadget.c
@@ -760,6 +760,9 @@ static void rxstate(struct musb *musb, struct musb_request *req)
 			musb_writew(epio, MUSB_RXCSR, csr);
 
 buffer_aint_mapped:
+			fifo_count = min_t(unsigned int,
+					request->length - request->actual,
+					(unsigned int)fifo_count);
 			musb_read_fifo(musb_ep->hw_ep, fifo_count, (u8 *)
 					(request->buf + request->actual));
 			request->actual += fifo_count;
-- 
2.17.1

On Mon, Sep 05, 2022 at 09:02:12AM +0800, guoweibin wrote:
> From: guoweibin <guoweibin@inspur.com>
> Date: Mon, 25 Jul 2022 19:27:49 +0800
> Subject: [PATCH] usb: musb: Fix musb_gadget.c rxstate overflow bug

Odd, this shouldn't be in the body of the email if you use 'git
send-email', how did you send it?

> 
> when the rxstate function executes the 'goto buffer_aint_mapped' code
> branch, it will always copy the fifocnt bytes data to request->buf,
> which may cause request->buf out of bounds..
> 
> Fix it by add the length check :
> fifocnt = min_t(unsigned, request->length - request->actual, fifocnt);
> 
> Signed-off-by: guoweibin <guoweibin@inspur.com>

I need a "full" name, not just an email alias as a name for a
signed-off-by:  Please fix that up and resend a v2.

And what commit does this fix?

thanks,

greg k-h