diff options
author | Chuansheng Liu <chuansheng.liu@intel.com> | 2014-03-04 02:34:57 -0500 |
---|---|---|
committer | Felipe Balbi <balbi@ti.com> | 2014-03-07 11:03:25 -0500 |
commit | cfe919b53b807ab32e89e1c662c6d242948449bd (patch) | |
tree | dee085b60f958e3ca72ce924ce2a46ac246a82a5 /drivers/usb/gadget | |
parent | 8bebbe8dc6145303db05964fb09657aac2a7e909 (diff) |
usb: gadget: return the right length in ffs_epfile_io()
When the request length is aligned to maxpacketsize, sometimes
the return length ret > the user space requested len.
At that time, we will use min_t(size_t, ret, len) to limit the
size in case of user data buffer overflow.
But we need return the min_t(size_t, ret, len) to tell the user
space rightly also.
[ balbi@ti.com: also fix comment's indentation ]
Acked-by: Michal Nazarewicz <mina86@mina86.com>
Reviewed-by: David Cohen <david.a.cohen@linux.intel.com>
Signed-off-by: Chuansheng Liu <chuansheng.liu@intel.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
Diffstat (limited to 'drivers/usb/gadget')
-rw-r--r-- | drivers/usb/gadget/f_fs.c | 28 |
1 files changed, 15 insertions, 13 deletions
diff --git a/drivers/usb/gadget/f_fs.c b/drivers/usb/gadget/f_fs.c index 42f7a0e4be59..b2e922dcb404 100644 --- a/drivers/usb/gadget/f_fs.c +++ b/drivers/usb/gadget/f_fs.c | |||
@@ -838,19 +838,21 @@ static ssize_t ffs_epfile_io(struct file *file, struct ffs_io_data *io_data) | |||
838 | ret = -EINTR; | 838 | ret = -EINTR; |
839 | usb_ep_dequeue(ep->ep, req); | 839 | usb_ep_dequeue(ep->ep, req); |
840 | } else { | 840 | } else { |
841 | /* | 841 | /* |
842 | * XXX We may end up silently droping data here. | 842 | * XXX We may end up silently droping data |
843 | * Since data_len (i.e. req->length) may be bigger | 843 | * here. Since data_len (i.e. req->length) may |
844 | * than len (after being rounded up to maxpacketsize), | 844 | * be bigger than len (after being rounded up |
845 | * we may end up with more data then user space has | 845 | * to maxpacketsize), we may end up with more |
846 | * space for. | 846 | * data then user space has space for. |
847 | */ | 847 | */ |
848 | ret = ep->status; | 848 | ret = ep->status; |
849 | if (io_data->read && ret > 0 && | 849 | if (io_data->read && ret > 0) { |
850 | unlikely(copy_to_user(io_data->buf, data, | 850 | ret = min_t(size_t, ret, io_data->len); |
851 | min_t(size_t, ret, | 851 | |
852 | io_data->len)))) | 852 | if (unlikely(copy_to_user(io_data->buf, |
853 | ret = -EFAULT; | 853 | data, ret))) |
854 | ret = -EFAULT; | ||
855 | } | ||
854 | } | 856 | } |
855 | kfree(data); | 857 | kfree(data); |
856 | } | 858 | } |