Google Git
Sign in
android / kernel / msm / refs/tags/android-13.0.0_r0.66^1..refs/tags/android-13.0.0_r0.66 / .
commit84b42e6a786c622e1c3b4a4ac839c7a6f20d2497[log] [tgz]
authorevahuang <evahuang@google.com>Wed Feb 08 11:02:52 2023 +0800
committerevahuang <evahuang@google.com>Wed Feb 08 11:02:52 2023 +0800
treea43506b7e64a6e21310052727d5b576eb932eb45
parent3547aebef7e0ce66a8f2d609597141b0d740c74d [diff]
parentb0c425a2b5980d4562950a875e9c3eac8516399c [diff]
Merge branch 'android-msm-pixel-4.14-tm-security' into android-msm-pixel-4.14-tm-qpr2

APR 2023.1

Bug: 260597977
Change-Id: I019824b128e57d1cf730a4eaa4a402d2795f2291

diff --git a/drivers/usb/gadget/configfs.c b/drivers/usb/gadget/configfs.c
index 59e4a6b..6d83d2e 100644
--- a/drivers/usb/gadget/configfs.c
+++ b/drivers/usb/gadget/configfs.c

@@ -19,7 +19,7 @@
 #endif
 
 #ifdef CONFIG_USB_CONFIGFS_F_ACC
-extern int acc_ctrlrequest(struct usb_composite_dev *cdev,
+extern int acc_ctrlrequest_composite(struct usb_composite_dev *cdev,
 				const struct usb_ctrlrequest *ctrl);
 void acc_disconnect(void);
 #endif
@@ -1645,7 +1645,7 @@
 
 #ifdef CONFIG_USB_CONFIGFS_F_ACC
 	if (value < 0)
-		value = acc_ctrlrequest(cdev, c);
+		value = acc_ctrlrequest_composite(cdev, c);
 #endif
 
 	if (value < 0)

diff --git a/drivers/usb/gadget/function/f_accessory.c b/drivers/usb/gadget/function/f_accessory.c
index 1ab2f96..f25c80a3 100644
--- a/drivers/usb/gadget/function/f_accessory.c
+++ b/drivers/usb/gadget/function/f_accessory.c

@@ -1077,6 +1077,26 @@
 }
 EXPORT_SYMBOL_GPL(acc_ctrlrequest);
 
+int acc_ctrlrequest_composite(struct usb_composite_dev *cdev,
+			      const struct usb_ctrlrequest *ctrl)
+{
+	u16 w_length = le16_to_cpu(ctrl->wLength);
+
+	if (w_length > USB_COMP_EP0_BUFSIZ) {
+		if (ctrl->bRequestType & USB_DIR_IN) {
+			/* Cast away the const, we are going to overwrite on purpose. */
+			__le16 *temp = (__le16 *)&ctrl->wLength;
+
+			*temp = cpu_to_le16(USB_COMP_EP0_BUFSIZ);
+			w_length = USB_COMP_EP0_BUFSIZ;
+		} else {
+			return -EINVAL;
+		}
+	}
+	return acc_ctrlrequest(cdev, ctrl);
+}
+EXPORT_SYMBOL_GPL(acc_ctrlrequest_composite);
+
 static int
 __acc_function_bind(struct usb_configuration *c,
 			struct usb_function *f, bool configfs)

diff --git a/sound/core/control_compat.c b/sound/core/control_compat.c
index 3fc2166..00d826b 100644
--- a/sound/core/control_compat.c
+++ b/sound/core/control_compat.c

@@ -319,7 +319,9 @@
 	err = snd_power_wait(card, SNDRV_CTL_POWER_D0);
 	if (err < 0)
 		goto error;
+	down_read(&card->controls_rwsem);
 	err = snd_ctl_elem_read(card, data);
+	up_read(&card->controls_rwsem);
 	if (err < 0)
 		goto error;
 	err = copy_ctl_value_to_user(userdata, valuep, data, type, count);
@@ -347,7 +349,9 @@
 	err = snd_power_wait(card, SNDRV_CTL_POWER_D0);
 	if (err < 0)
 		goto error;
+	down_write(&card->controls_rwsem);
 	err = snd_ctl_elem_write(card, file, data);
+	up_write(&card->controls_rwsem);
 	if (err < 0)
 		goto error;
 	err = copy_ctl_value_to_user(userdata, valuep, data, type, count);