From f199a80cfece94b67f9e3d2955666e47c6051517 Mon Sep 17 00:00:00 2001
From: Vincent Pelletier <plr.vincent@gmail.com>
Date: Tue, 17 Jan 2017 13:20:11 +0000
Subject: usb: gadger: f_fs: Do not copy past descriptor end.

Endpoint descriptors come in 2 sizes, struct usb_endpoint_descriptor being
the largest. Use bLength to stop on endpoint descriptor boundary, and not
2 bytes too far.

Signed-off-by: Vincent Pelletier <plr.vincent@gmail.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
---
 drivers/usb/gadget/function/f_fs.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'drivers/usb/gadget/function/f_fs.c')

diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c
index 5e746adc8a2d..e126897a7fae 100644
--- a/drivers/usb/gadget/function/f_fs.c
+++ b/drivers/usb/gadget/function/f_fs.c
@@ -1230,7 +1230,7 @@ static long ffs_epfile_ioctl(struct file *file, unsigned code,
 			desc = epfile->ep->descs[desc_idx];
 
 			spin_unlock_irq(&epfile->ffs->eps_lock);
-			ret = copy_to_user((void *)value, desc, sizeof(*desc));
+			ret = copy_to_user((void *)value, desc, desc->bLength);
 			if (ret)
 				ret = -EFAULT;
 			return ret;
-- 
cgit 


From 41dc9ac163e76718d445a8149f8ce635375c8c38 Mon Sep 17 00:00:00 2001
From: Vincent Pelletier <plr.vincent@gmail.com>
Date: Mon, 23 Jan 2017 14:41:04 +0000
Subject: usb: gadget: f_fs: Accept up to 30 endpoints.

It is allowed by the USB specification to enabled same-address, opposite-
direction endpoints simultaneously, which means 30 non-zero endpoints
are allowed. So double eps_addrmap length to 30.
The original code only accepted 14 descriptors out of a likely intended 15
(as there are 15 endpoint addresses, ignoring direction), because the first
eps_addrmap entry is unused (it is a placeholder for endpoint zero). So
increase eps_addrmap length by one to 31.

Signed-off-by: Vincent Pelletier <plr.vincent@gmail.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
---
 drivers/usb/gadget/function/f_fs.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'drivers/usb/gadget/function/f_fs.c')

diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c
index e126897a7fae..f5d6bf527aac 100644
--- a/drivers/usb/gadget/function/f_fs.c
+++ b/drivers/usb/gadget/function/f_fs.c
@@ -2101,7 +2101,7 @@ static int __ffs_data_do_entity(enum ffs_entity_type type,
 	case FFS_ENDPOINT:
 		d = (void *)desc;
 		helper->eps_count++;
-		if (helper->eps_count >= 15)
+		if (helper->eps_count >= FFS_MAX_EPS_COUNT)
 			return -EINVAL;
 		/* Check if descriptors for any speed were already parsed */
 		if (!helper->ffs->eps_count && !helper->ffs->interfaces_count)
-- 
cgit