<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/drivers/usb/gadget/function/f_fs.c, branch linux-6.2.y</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>usb: gadget: f_fs: Fix unbalanced spinlock in __ffs_ep0_queue_wait</title>
<updated>2023-01-24T17:19:39+00:00</updated>
<author>
<name>Udipto Goswami</name>
<email>quic_ugoswami@quicinc.com</email>
</author>
<published>2023-01-24T09:11:49+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=921deb9da15851425ccbb6ee409dc2fd8fbdfe6b'/>
<id>921deb9da15851425ccbb6ee409dc2fd8fbdfe6b</id>
<content type='text'>
__ffs_ep0_queue_wait executes holding the spinlock &amp;ffs-&gt;ev.waitq.lock
and unlocks it after the assignments to usb_request are done.
However, in the code, if the request is already NULL we bail out returning
-EINVAL but never unlock the spinlock.

Fix this by adding spin_unlock_irq(&amp;ffs-&gt;ev.waitq.lock) before returning.

Fixes: 6a19da111057 ("usb: gadget: f_fs: Prevent race during ffs_ep0_queue_wait")
Reviewed-by: John Keeping &lt;john@metanate.com&gt;
Signed-off-by: Udipto Goswami &lt;quic_ugoswami@quicinc.com&gt;
Link: https://lore.kernel.org/r/20230124091149.18647-1-quic_ugoswami@quicinc.com
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
__ffs_ep0_queue_wait executes holding the spinlock &amp;ffs-&gt;ev.waitq.lock
and unlocks it after the assignments to usb_request are done.
However, in the code, if the request is already NULL we bail out returning
-EINVAL but never unlock the spinlock.

Fix this by adding spin_unlock_irq(&amp;ffs-&gt;ev.waitq.lock) before returning.

Fixes: 6a19da111057 ("usb: gadget: f_fs: Prevent race during ffs_ep0_queue_wait")
Reviewed-by: John Keeping &lt;john@metanate.com&gt;
Signed-off-by: Udipto Goswami &lt;quic_ugoswami@quicinc.com&gt;
Link: https://lore.kernel.org/r/20230124091149.18647-1-quic_ugoswami@quicinc.com
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>usb: gadget: f_fs: Ensure ep0req is dequeued before free_request</title>
<updated>2023-01-17T16:07:06+00:00</updated>
<author>
<name>Udipto Goswami</name>
<email>quic_ugoswami@quicinc.com</email>
</author>
<published>2022-12-15T05:29:06+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=ce405d561b020e5a46340eb5146805a625dcacee'/>
<id>ce405d561b020e5a46340eb5146805a625dcacee</id>
<content type='text'>
As per the documentation, the function usb_ep_free_request guarantees
that the request will not be queued or no longer be re-queued (or
otherwise used). However, the current implementation doesn't make
sure that the request in ep0 isn't reused.

Fix this by dequeuing the ep0req in functionfs_unbind before
freeing the request, to align with the definition.

Fixes: ddf8abd25994 ("USB: f_fs: the FunctionFS driver")
Signed-off-by: Udipto Goswami &lt;quic_ugoswami@quicinc.com&gt;
Tested-by: Krishna Kurapati &lt;quic_kriskura@quicinc.com&gt;
Link: https://lore.kernel.org/r/20221215052906.8993-3-quic_ugoswami@quicinc.com
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
As per the documentation, the function usb_ep_free_request guarantees
that the request will not be queued or no longer be re-queued (or
otherwise used). However, the current implementation doesn't make
sure that the request in ep0 isn't reused.

Fix this by dequeuing the ep0req in functionfs_unbind before
freeing the request, to align with the definition.

Fixes: ddf8abd25994 ("USB: f_fs: the FunctionFS driver")
Signed-off-by: Udipto Goswami &lt;quic_ugoswami@quicinc.com&gt;
Tested-by: Krishna Kurapati &lt;quic_kriskura@quicinc.com&gt;
Link: https://lore.kernel.org/r/20221215052906.8993-3-quic_ugoswami@quicinc.com
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>usb: gadget: f_fs: Prevent race during ffs_ep0_queue_wait</title>
<updated>2023-01-17T16:07:06+00:00</updated>
<author>
<name>Udipto Goswami</name>
<email>quic_ugoswami@quicinc.com</email>
</author>
<published>2022-12-15T05:29:05+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=6a19da111057f69214b97c62fb0ac59023970850'/>
<id>6a19da111057f69214b97c62fb0ac59023970850</id>
<content type='text'>
While performing a fast composition switch, there is a possibility that
the ffs_ep0_write/ffs_ep0_read process gets into a race condition
due to ep0req being freed from functionfs_unbind.

Consider the scenario where ffs_ep0_write calls ffs_ep0_queue_wait,
taking the lock &amp;ffs-&gt;ev.waitq.lock. However, functionfs_unbind isn't
bounded, so it can go ahead and set ep0req to NULL, and since there
is no NULL check in ffs_ep0_queue_wait we will end up with a use-after-free.

Fix this by serializing execution of the two functions using
mutex_lock(ffs-&gt;mutex).

Fixes: ddf8abd25994 ("USB: f_fs: the FunctionFS driver")
Signed-off-by: Udipto Goswami &lt;quic_ugoswami@quicinc.com&gt;
Tested-by: Krishna Kurapati &lt;quic_kriskura@quicinc.com&gt;
Link: https://lore.kernel.org/r/20221215052906.8993-2-quic_ugoswami@quicinc.com
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
While performing a fast composition switch, there is a possibility that
the ffs_ep0_write/ffs_ep0_read process gets into a race condition
due to ep0req being freed from functionfs_unbind.

Consider the scenario where ffs_ep0_write calls ffs_ep0_queue_wait,
taking the lock &amp;ffs-&gt;ev.waitq.lock. However, functionfs_unbind isn't
bounded, so it can go ahead and set ep0req to NULL, and since there
is no NULL check in ffs_ep0_queue_wait we will end up with a use-after-free.

Fix this by serializing execution of the two functions using
mutex_lock(ffs-&gt;mutex).

Fixes: ddf8abd25994 ("USB: f_fs: the FunctionFS driver")
Signed-off-by: Udipto Goswami &lt;quic_ugoswami@quicinc.com&gt;
Tested-by: Krishna Kurapati &lt;quic_kriskura@quicinc.com&gt;
Link: https://lore.kernel.org/r/20221215052906.8993-2-quic_ugoswami@quicinc.com
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>usb: gadget: f_fs: stricter integer overflow checks</title>
<updated>2022-09-07T14:23:22+00:00</updated>
<author>
<name>Dan Carpenter</name>
<email>dan.carpenter@oracle.com</email>
</author>
<published>2022-09-01T14:59:42+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=f57004b9d96755cd6a243b51c267be4016b4563c'/>
<id>f57004b9d96755cd6a243b51c267be4016b4563c</id>
<content type='text'>
This is from static analysis.  The vla_item() takes a size and adds it to
the total.  It has a built-in integer overflow check so if it encounters
an integer overflow anywhere then it records the total as SIZE_MAX.

However there is an issue here because the "lang_count*(needed_count+1)"
multiplication can overflow.  Technically the "lang_count + 1" addition
could overflow too, but that would be detected and is harmless.  Fix
both using the new size_add() and size_mul() functions.

Fixes: e6f3862fa1ec ("usb: gadget: FunctionFS: Remove VLAIS usage from gadget code")
Signed-off-by: Dan Carpenter &lt;dan.carpenter@oracle.com&gt;
Link: https://lore.kernel.org/r/YxDI3lMYomE7WCjn@kili
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This is from static analysis.  The vla_item() takes a size and adds it to
the total.  It has a built-in integer overflow check so if it encounters
an integer overflow anywhere then it records the total as SIZE_MAX.

However there is an issue here because the "lang_count*(needed_count+1)"
multiplication can overflow.  Technically the "lang_count + 1" addition
could overflow too, but that would be detected and is harmless.  Fix
both using the new size_add() and size_mul() functions.

Fixes: e6f3862fa1ec ("usb: gadget: FunctionFS: Remove VLAIS usage from gadget code")
Signed-off-by: Dan Carpenter &lt;dan.carpenter@oracle.com&gt;
Link: https://lore.kernel.org/r/YxDI3lMYomE7WCjn@kili
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>usb: move from strlcpy with unused retval to strscpy</title>
<updated>2022-08-19T09:08:54+00:00</updated>
<author>
<name>Wolfram Sang</name>
<email>wsa+renesas@sang-engineering.com</email>
</author>
<published>2022-08-18T21:01:15+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=b7db5733a5ace9acc1f3104c9050c5aa1363f13b'/>
<id>b7db5733a5ace9acc1f3104c9050c5aa1363f13b</id>
<content type='text'>
Follow the advice of the below link and prefer 'strscpy' in this
subsystem. Conversion is 1:1 because the return value is not used.
Generated by a coccinelle script.

Link: https://lore.kernel.org/r/CAHk-=wgfRnXz0W3D37d01q3JFkr_i_uTL=V6A6G1oUZcprmknw@mail.gmail.com/
Reviewed-by: Richard Leitner &lt;richard.leitner@skidata.com&gt;
Reviewed-by: Laurent Pinchart &lt;laurent.pinchart+renesas@ideasonboard.com&gt;
Acked-by: Shuah Khan &lt;skhan@linuxfoundation.org&gt;
Signed-off-by: Wolfram Sang &lt;wsa+renesas@sang-engineering.com&gt;
Link: https://lore.kernel.org/r/20220818210116.7517-1-wsa+renesas@sang-engineering.com
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Follow the advice of the below link and prefer 'strscpy' in this
subsystem. Conversion is 1:1 because the return value is not used.
Generated by a coccinelle script.

Link: https://lore.kernel.org/r/CAHk-=wgfRnXz0W3D37d01q3JFkr_i_uTL=V6A6G1oUZcprmknw@mail.gmail.com/
Reviewed-by: Richard Leitner &lt;richard.leitner@skidata.com&gt;
Reviewed-by: Laurent Pinchart &lt;laurent.pinchart+renesas@ideasonboard.com&gt;
Acked-by: Shuah Khan &lt;skhan@linuxfoundation.org&gt;
Signed-off-by: Wolfram Sang &lt;wsa+renesas@sang-engineering.com&gt;
Link: https://lore.kernel.org/r/20220818210116.7517-1-wsa+renesas@sang-engineering.com
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>usb: gadget: f_fs: change ep-&gt;ep safe in ffs_epfile_io()</title>
<updated>2022-06-10T12:45:38+00:00</updated>
<author>
<name>Linyu Yuan</name>
<email>quic_linyyuan@quicinc.com</email>
</author>
<published>2022-06-10T12:17:58+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=0698f0209d8032e8869525aeb68f65ee7fde12ad'/>
<id>0698f0209d8032e8869525aeb68f65ee7fde12ad</id>
<content type='text'>
In ffs_epfile_io(), when reading/writing data in blocking mode, it will
wait for the completion in interruptible mode. If the task receives a
signal, it will terminate the wait; at the same time, if a function unbind
occurs, ffs_func_unbind() will kfree all eps, and ffs_epfile_io() will
still try to dequeue the request by dereferencing ep, which may have
become invalid.

Fix it by adding the ep spinlock and not dereferencing ep if it is not valid.

Cc: &lt;stable@vger.kernel.org&gt; # 5.15
Reported-by: Michael Wu &lt;michael@allwinnertech.com&gt;
Tested-by: Michael Wu &lt;michael@allwinnertech.com&gt;
Reviewed-by: John Keeping &lt;john@metanate.com&gt;
Signed-off-by: Linyu Yuan &lt;quic_linyyuan@quicinc.com&gt;
Link: https://lore.kernel.org/r/1654863478-26228-3-git-send-email-quic_linyyuan@quicinc.com
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
In ffs_epfile_io(), when reading/writing data in blocking mode, it will
wait for the completion in interruptible mode. If the task receives a
signal, it will terminate the wait; at the same time, if a function unbind
occurs, ffs_func_unbind() will kfree all eps, and ffs_epfile_io() will
still try to dequeue the request by dereferencing ep, which may have
become invalid.

Fix it by adding the ep spinlock and not dereferencing ep if it is not valid.

Cc: &lt;stable@vger.kernel.org&gt; # 5.15
Reported-by: Michael Wu &lt;michael@allwinnertech.com&gt;
Tested-by: Michael Wu &lt;michael@allwinnertech.com&gt;
Reviewed-by: John Keeping &lt;john@metanate.com&gt;
Signed-off-by: Linyu Yuan &lt;quic_linyyuan@quicinc.com&gt;
Link: https://lore.kernel.org/r/1654863478-26228-3-git-send-email-quic_linyyuan@quicinc.com
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>usb: gadget: f_fs: change ep-&gt;status safe in ffs_epfile_io()</title>
<updated>2022-06-10T12:45:38+00:00</updated>
<author>
<name>Linyu Yuan</name>
<email>quic_linyyuan@quicinc.com</email>
</author>
<published>2022-06-10T12:17:57+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=fb1f16d74e263baa4ad11e31e28b68f144aa55ed'/>
<id>fb1f16d74e263baa4ad11e31e28b68f144aa55ed</id>
<content type='text'>
If a task reads/writes data in blocking mode, it will wait for the
completion in ffs_epfile_io(). If a function unbind occurs,
ffs_func_unbind() will kfree the ffs ep; once the task wakes up, it still
dereferences the ffs ep to obtain the request status.

Fix it by moving the request status to io_data, which is stack-safe.

Cc: &lt;stable@vger.kernel.org&gt; # 5.15
Reported-by: Michael Wu &lt;michael@allwinnertech.com&gt;
Tested-by: Michael Wu &lt;michael@allwinnertech.com&gt;
Reviewed-by: John Keeping &lt;john@metanate.com&gt;
Signed-off-by: Linyu Yuan &lt;quic_linyyuan@quicinc.com&gt;
Link: https://lore.kernel.org/r/1654863478-26228-2-git-send-email-quic_linyyuan@quicinc.com
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
If a task reads/writes data in blocking mode, it will wait for the
completion in ffs_epfile_io(). If a function unbind occurs,
ffs_func_unbind() will kfree the ffs ep; once the task wakes up, it still
dereferences the ffs ep to obtain the request status.

Fix it by moving the request status to io_data, which is stack-safe.

Cc: &lt;stable@vger.kernel.org&gt; # 5.15
Reported-by: Michael Wu &lt;michael@allwinnertech.com&gt;
Tested-by: Michael Wu &lt;michael@allwinnertech.com&gt;
Reviewed-by: John Keeping &lt;john@metanate.com&gt;
Signed-off-by: Linyu Yuan &lt;quic_linyyuan@quicinc.com&gt;
Link: https://lore.kernel.org/r/1654863478-26228-2-git-send-email-quic_linyyuan@quicinc.com
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Merge 5.17-rc4 into usb-next</title>
<updated>2022-02-14T08:04:36+00:00</updated>
<author>
<name>Greg Kroah-Hartman</name>
<email>gregkh@linuxfoundation.org</email>
</author>
<published>2022-02-14T08:04:36+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=fbd533e90d239e17d9427a6481ae60be25680cb7'/>
<id>fbd533e90d239e17d9427a6481ae60be25680cb7</id>
<content type='text'>
We need the USB fixes in here as well.

Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
We need the USB fixes in here as well.

Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>usb: f_fs: Fix use-after-free for epfile</title>
<updated>2022-01-31T10:22:05+00:00</updated>
<author>
<name>Udipto Goswami</name>
<email>quic_ugoswami@quicinc.com</email>
</author>
<published>2022-01-27T04:09:55+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=ebe2b1add1055b903e2acd86b290a85297edc0b3'/>
<id>ebe2b1add1055b903e2acd86b290a85297edc0b3</id>
<content type='text'>
Consider a case where ffs_func_eps_disable is called from
ffs_func_disable as part of a composition switch and at the
same time ffs_epfile_release gets called from userspace.
ffs_epfile_release will free up the read buffer and call
ffs_data_closed, which in turn destroys ffs-&gt;epfiles and
marks it as NULL. While this is happening, the driver has
already initialized the local epfile in ffs_func_eps_disable,
which is now freed, and is waiting to acquire the spinlock. Once
the spinlock is acquired, the driver proceeds with the stale value
of epfile and tries to free the already freed read buffer,
causing a use-after-free.

Following is the illustration of the race:

      CPU1                                  CPU2

   ffs_func_eps_disable
   epfiles (local copy)
					ffs_epfile_release
					ffs_data_closed
					if (last file closed)
					ffs_data_reset
					ffs_data_clear
					ffs_epfiles_destroy
spin_lock
dereference epfiles

Fix this race by taking a local copy of epfiles &amp; assigning it under the
spinlock, and if epfiles (local) is null then update it in ffs-&gt;epfiles,
then finally destroy it.
Extending the scope further from the race, this also protects the
ep-related structures and their concurrent accesses.

Fixes: a9e6f83c2df1 ("usb: gadget: f_fs: stop sleeping in ffs_func_eps_disable")
Co-developed-by: Udipto Goswami &lt;quic_ugoswami@quicinc.com&gt;
Reviewed-by: John Keeping &lt;john@metanate.com&gt;
Signed-off-by: Pratham Pratap &lt;quic_ppratap@quicinc.com&gt;
Signed-off-by: Udipto Goswami &lt;quic_ugoswami@quicinc.com&gt;
Link: https://lore.kernel.org/r/1643256595-10797-1-git-send-email-quic_ugoswami@quicinc.com
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Consider a case where ffs_func_eps_disable is called from
ffs_func_disable as part of a composition switch and at the
same time ffs_epfile_release gets called from userspace.
ffs_epfile_release will free up the read buffer and call
ffs_data_closed, which in turn destroys ffs-&gt;epfiles and
marks it as NULL. While this is happening, the driver has
already initialized the local epfile in ffs_func_eps_disable,
which is now freed, and is waiting to acquire the spinlock. Once
the spinlock is acquired, the driver proceeds with the stale value
of epfile and tries to free the already freed read buffer,
causing a use-after-free.

Following is the illustration of the race:

      CPU1                                  CPU2

   ffs_func_eps_disable
   epfiles (local copy)
					ffs_epfile_release
					ffs_data_closed
					if (last file closed)
					ffs_data_reset
					ffs_data_clear
					ffs_epfiles_destroy
spin_lock
dereference epfiles

Fix this race by taking a local copy of epfiles &amp; assigning it under the
spinlock, and if epfiles (local) is null then update it in ffs-&gt;epfiles,
then finally destroy it.
Extending the scope further from the race, this also protects the
ep-related structures and their concurrent accesses.

Fixes: a9e6f83c2df1 ("usb: gadget: f_fs: stop sleeping in ffs_func_eps_disable")
Co-developed-by: Udipto Goswami &lt;quic_ugoswami@quicinc.com&gt;
Reviewed-by: John Keeping &lt;john@metanate.com&gt;
Signed-off-by: Pratham Pratap &lt;quic_ppratap@quicinc.com&gt;
Signed-off-by: Udipto Goswami &lt;quic_ugoswami@quicinc.com&gt;
Link: https://lore.kernel.org/r/1643256595-10797-1-git-send-email-quic_ugoswami@quicinc.com
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>usb: gadget: f_fs: Use struct_size() and flex_array_size() helpers</title>
<updated>2022-01-26T13:02:15+00:00</updated>
<author>
<name>Gustavo A. R. Silva</name>
<email>gustavoars@kernel.org</email>
</author>
<published>2022-01-20T22:29:33+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=4213e92ef7ec24b52e34f8a869e4213abca3dc6e'/>
<id>4213e92ef7ec24b52e34f8a869e4213abca3dc6e</id>
<content type='text'>
Make use of the struct_size() and flex_array_size() helpers instead of
an open-coded version, in order to avoid any potential type mistakes
or integer overflows that, in the worst scenario, could lead to heap
overflows.

Also, address the following sparse warnings:
drivers/usb/gadget/function/f_fs.c:922:23: warning: using sizeof on a flexible structure

Link: https://github.com/KSPP/linux/issues/174
Reviewed-by: Kees Cook &lt;keescook@chromium.org&gt;
Signed-off-by: Gustavo A. R. Silva &lt;gustavoars@kernel.org&gt;
Link: https://lore.kernel.org/r/20220120222933.GA35155@embeddedor
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Make use of the struct_size() and flex_array_size() helpers instead of
an open-coded version, in order to avoid any potential type mistakes
or integer overflows that, in the worst scenario, could lead to heap
overflows.

Also, address the following sparse warnings:
drivers/usb/gadget/function/f_fs.c:922:23: warning: using sizeof on a flexible structure

Link: https://github.com/KSPP/linux/issues/174
Reviewed-by: Kees Cook &lt;keescook@chromium.org&gt;
Signed-off-by: Gustavo A. R. Silva &lt;gustavoars@kernel.org&gt;
Link: https://lore.kernel.org/r/20220120222933.GA35155@embeddedor
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
</feed>
