aboutsummaryrefslogtreecommitdiffstats
path: root/drivers/usb/gadget
diff options
context:
space:
mode:
authorChuansheng Liu <chuansheng.liu@intel.com>2014-03-04 02:34:57 -0500
committerFelipe Balbi <balbi@ti.com>2014-03-07 11:03:25 -0500
commitcfe919b53b807ab32e89e1c662c6d242948449bd (patch)
treedee085b60f958e3ca72ce924ce2a46ac246a82a5 /drivers/usb/gadget
parent8bebbe8dc6145303db05964fb09657aac2a7e909 (diff)
usb: gadget: return the right length in ffs_epfile_io()
When the request length is aligned to maxpacketsize, sometimes the return length ret > the user space requested len. At that time, we will use min_t(size_t, ret, len) to limit the size in case of user data buffer overflow. But we need return the min_t(size_t, ret, len) to tell the user space rightly also. [ balbi@ti.com: also fix comment's indentation ] Acked-by: Michal Nazarewicz <mina86@mina86.com> Reviewed-by: David Cohen <david.a.cohen@linux.intel.com> Signed-off-by: Chuansheng Liu <chuansheng.liu@intel.com> Signed-off-by: Felipe Balbi <balbi@ti.com>
Diffstat (limited to 'drivers/usb/gadget')
-rw-r--r--drivers/usb/gadget/f_fs.c28
1 files changed, 15 insertions, 13 deletions
diff --git a/drivers/usb/gadget/f_fs.c b/drivers/usb/gadget/f_fs.c
index 42f7a0e4be59..b2e922dcb404 100644
--- a/drivers/usb/gadget/f_fs.c
+++ b/drivers/usb/gadget/f_fs.c
@@ -838,19 +838,21 @@ static ssize_t ffs_epfile_io(struct file *file, struct ffs_io_data *io_data)
838 ret = -EINTR; 838 ret = -EINTR;
839 usb_ep_dequeue(ep->ep, req); 839 usb_ep_dequeue(ep->ep, req);
840 } else { 840 } else {
841 /* 841 /*
842 * XXX We may end up silently droping data here. 842 * XXX We may end up silently droping data
843 * Since data_len (i.e. req->length) may be bigger 843 * here. Since data_len (i.e. req->length) may
844 * than len (after being rounded up to maxpacketsize), 844 * be bigger than len (after being rounded up
845 * we may end up with more data then user space has 845 * to maxpacketsize), we may end up with more
846 * space for. 846 * data then user space has space for.
847 */ 847 */
848 ret = ep->status; 848 ret = ep->status;
849 if (io_data->read && ret > 0 && 849 if (io_data->read && ret > 0) {
850 unlikely(copy_to_user(io_data->buf, data, 850 ret = min_t(size_t, ret, io_data->len);
851 min_t(size_t, ret, 851
852 io_data->len)))) 852 if (unlikely(copy_to_user(io_data->buf,
853 ret = -EFAULT; 853 data, ret)))
854 ret = -EFAULT;
855 }
854 } 856 }
855 kfree(data); 857 kfree(data);
856 } 858 }