From 5d6ae4f0da8a64a185074dabb1b2f8c148efa741 Mon Sep 17 00:00:00 2001 From: Chris Dickens Date: Sun, 31 Dec 2017 18:59:42 -0800 Subject: usb: gadget: composite: fix incorrect handling of OS desc requests When handling an OS descriptor request, one of the first operations is to zero out the request buffer using the wLength from the setup packet. There is no bounds checking, so a wLength > 4096 would clobber memory adjacent to the request buffer. Fix this by taking the min of wLength and the request buffer length prior to the memset. While at it, define the buffer length in a header file so that magic numbers don't appear throughout the code. When returning data to the host, the data length should be the min of the wLength and the valid data we have to return. Currently we are returning wLength, thus requests for a wLength greater than the amount of data in the OS descriptor buffer would return invalid (albeit zero'd) data following the valid descriptor data. Fix this by counting the number of bytes when constructing the data and using this when determining the length of the request. Signed-off-by: Chris Dickens Signed-off-by: Felipe Balbi --- include/linux/usb/composite.h | 3 +++ 1 file changed, 3 insertions(+) (limited to 'include/linux/usb') diff --git a/include/linux/usb/composite.h b/include/linux/usb/composite.h index cef0e44601f8..4b6b9283fa7b 100644 --- a/include/linux/usb/composite.h +++ b/include/linux/usb/composite.h @@ -54,6 +54,9 @@ /* big enough to hold our biggest descriptor */ #define USB_COMP_EP0_BUFSIZ 1024 +/* OS feature descriptor length <= 4kB */ +#define USB_COMP_EP0_OS_DESC_BUFSIZ 4096 + #define USB_MS_TO_HS_INTERVAL(x) (ilog2((x * 1000 / 125)) + 1) struct usb_configuration; -- cgit v1.2.3-70-g09d2 From aaeab02ddcc830e31c33cdb72a3c117b2d499ae2 Mon Sep 17 00:00:00 2001 From: Benjamin Herrenschmidt Date: Fri, 23 Mar 2018 13:44:06 +1100 Subject: usb/gadget: Add an EP dispose() callback for EP lifetime tracking Some UDC may want to allocate endpoints dynamically, either because the HW supports an arbitrary large number or because (like the Aspeed BMC SoCs), the pool of HW endpoints is shared between multiple gadgets. The allocation side can be done rather easily using the existing match_ep() UDC hook. However we have no good place to "free" them. This implements a "simple" variant of this, which calls an EP dispose callback on all EPs associated with a gadget when the composite device gets unbound. This is required by my upcoming Aspeed vHub driver. Signed-off-by: Benjamin Herrenschmidt Signed-off-by: Felipe Balbi --- drivers/usb/gadget/composite.c | 16 ++++++++++++++++ include/linux/usb/gadget.h | 1 + 2 files changed, 17 insertions(+) (limited to 'include/linux/usb') diff --git a/drivers/usb/gadget/composite.c b/drivers/usb/gadget/composite.c index 1924e20f6e8c..63a7cb87514a 100644 --- a/drivers/usb/gadget/composite.c +++ b/drivers/usb/gadget/composite.c @@ -2142,6 +2142,7 @@ end: void composite_dev_cleanup(struct usb_composite_dev *cdev) { struct usb_gadget_string_container *uc, *tmp; + struct usb_ep *ep, *tmp_ep; list_for_each_entry_safe(uc, tmp, &cdev->gstrings, list) { list_del(&uc->list); @@ -2163,6 +2164,21 @@ void composite_dev_cleanup(struct usb_composite_dev *cdev) } cdev->next_string_id = 0; device_remove_file(&cdev->gadget->dev, &dev_attr_suspended); + + /* + * Some UDC backends have a dynamic EP allocation scheme. + * + * In that case, the dispose() callback is used to notify the + * backend that the EPs are no longer in use. + * + * Note: The UDC backend can remove the EP from the ep_list as + * a result, so we need to use the _safe list iterator. + */ + list_for_each_entry_safe(ep, tmp_ep, + &cdev->gadget->ep_list, ep_list) { + if (ep->ops->dispose) + ep->ops->dispose(ep); + } } static int composite_bind(struct usb_gadget *gadget, diff --git a/include/linux/usb/gadget.h b/include/linux/usb/gadget.h index 66a5cff7ee14..e3424234b23a 100644 --- a/include/linux/usb/gadget.h +++ b/include/linux/usb/gadget.h @@ -129,6 +129,7 @@ struct usb_ep_ops { int (*enable) (struct usb_ep *ep, const struct usb_endpoint_descriptor *desc); int (*disable) (struct usb_ep *ep); + void (*dispose) (struct usb_ep *ep); struct usb_request *(*alloc_request) (struct usb_ep *ep, gfp_t gfp_flags); -- cgit v1.2.3-70-g09d2