summaryrefslogtreecommitdiffstats
path: root/drivers/usb
diff options
context:
space:
mode:
authorChuansheng Liu <chuansheng.liu@intel.com>2014-03-04 15:34:57 +0800
committerFelipe Balbi <balbi@ti.com>2014-03-07 10:03:25 -0600
commitcfe919b53b807ab32e89e1c662c6d242948449bd (patch)
treedee085b60f958e3ca72ce924ce2a46ac246a82a5 /drivers/usb
parent8bebbe8dc6145303db05964fb09657aac2a7e909 (diff)
downloadlinux-cfe919b53b807ab32e89e1c662c6d242948449bd.tar.gz
linux-cfe919b53b807ab32e89e1c662c6d242948449bd.tar.bz2
linux-cfe919b53b807ab32e89e1c662c6d242948449bd.zip
usb: gadget: return the right length in ffs_epfile_io()
When the request length is aligned to maxpacketsize, sometimes the return length ret > the user space requested len. At that time, we will use min_t(size_t, ret, len) to limit the size in case of user data buffer overflow. But we need return the min_t(size_t, ret, len) to tell the user space rightly also. [ balbi@ti.com: also fix comment's indentation ] Acked-by: Michal Nazarewicz <mina86@mina86.com> Reviewed-by: David Cohen <david.a.cohen@linux.intel.com> Signed-off-by: Chuansheng Liu <chuansheng.liu@intel.com> Signed-off-by: Felipe Balbi <balbi@ti.com>
Diffstat (limited to 'drivers/usb')
-rw-r--r--drivers/usb/gadget/f_fs.c28
1 files changed, 15 insertions, 13 deletions
diff --git a/drivers/usb/gadget/f_fs.c b/drivers/usb/gadget/f_fs.c
index 42f7a0e4be59..b2e922dcb404 100644
--- a/drivers/usb/gadget/f_fs.c
+++ b/drivers/usb/gadget/f_fs.c
@@ -838,19 +838,21 @@ static ssize_t ffs_epfile_io(struct file *file, struct ffs_io_data *io_data)
ret = -EINTR;
usb_ep_dequeue(ep->ep, req);
} else {
- /*
- * XXX We may end up silently droping data here.
- * Since data_len (i.e. req->length) may be bigger
- * than len (after being rounded up to maxpacketsize),
- * we may end up with more data then user space has
- * space for.
- */
- ret = ep->status;
- if (io_data->read && ret > 0 &&
- unlikely(copy_to_user(io_data->buf, data,
- min_t(size_t, ret,
- io_data->len))))
- ret = -EFAULT;
+ /*
+ * XXX We may end up silently droping data
+ * here. Since data_len (i.e. req->length) may
+ * be bigger than len (after being rounded up
+ * to maxpacketsize), we may end up with more
+ * data then user space has space for.
+ */
+ ret = ep->status;
+ if (io_data->read && ret > 0) {
+ ret = min_t(size_t, ret, io_data->len);
+
+ if (unlikely(copy_to_user(io_data->buf,
+ data, ret)))
+ ret = -EFAULT;
+ }
}
kfree(data);
}