author | Chuansheng Liu <chuansheng.liu@intel.com> | 2014-03-04 15:34:57 +0800 |
---|---|---|
committer | Felipe Balbi <balbi@ti.com> | 2014-03-07 10:03:25 -0600 |
commit | cfe919b53b807ab32e89e1c662c6d242948449bd (patch) | |
tree | dee085b60f958e3ca72ce924ce2a46ac246a82a5 /drivers/usb | |
parent | 8bebbe8dc6145303db05964fb09657aac2a7e909 (diff) | |
usb: gadget: return the right length in ffs_epfile_io()

When the request length is aligned to maxpacketsize, sometimes
the return length ret > the user space requested len.

At that time, we will use min_t(size_t, ret, len) to limit the
size in case of user data buffer overflow.

But we need to return the min_t(size_t, ret, len) to tell the user
space rightly also.

[ balbi@ti.com: also fix comment's indentation ]

Acked-by: Michal Nazarewicz <mina86@mina86.com>
Reviewed-by: David Cohen <david.a.cohen@linux.intel.com>
Signed-off-by: Chuansheng Liu <chuansheng.liu@intel.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
Diffstat (limited to 'drivers/usb')
-rw-r--r-- | drivers/usb/gadget/f_fs.c | 28 |
1 files changed, 15 insertions, 13 deletions
diff --git a/drivers/usb/gadget/f_fs.c b/drivers/usb/gadget/f_fs.c index 42f7a0e4be59..b2e922dcb404 100644 --- a/drivers/usb/gadget/f_fs.c +++ b/drivers/usb/gadget/f_fs.c @@ -838,19 +838,21 @@ static ssize_t ffs_epfile_io(struct file *file, struct ffs_io_data *io_data) ret = -EINTR; usb_ep_dequeue(ep->ep, req); } else { - /* - * XXX We may end up silently droping data here. - * Since data_len (i.e. req->length) may be bigger - * than len (after being rounded up to maxpacketsize), - * we may end up with more data then user space has - * space for. - */ - ret = ep->status; - if (io_data->read && ret > 0 && - unlikely(copy_to_user(io_data->buf, data, - min_t(size_t, ret, - io_data->len)))) - ret = -EFAULT; + /* + * XXX We may end up silently droping data + * here. Since data_len (i.e. req->length) may + * be bigger than len (after being rounded up + * to maxpacketsize), we may end up with more + * data then user space has space for. + */ + ret = ep->status; + if (io_data->read && ret > 0) { + ret = min_t(size_t, ret, io_data->len); + + if (unlikely(copy_to_user(io_data->buf, + data, ret))) + ret = -EFAULT; + } } kfree(data); } |
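Review bot: the XXX comment kept above `ret = ep->status;` still describes silent data loss, and with the new `ret = min_t(size_t, ret, io_data->len);` that loss becomes harder for the caller to notice: a read where ep->status exceeds io_data->len now returns exactly io_data->len, which looks the same as a transfer that fit the buffer. The clamp itself is sound, since it sits under the `ret > 0` check (so the size_t cast never sees a negative status) and copy_to_user() now copies the same count that is returned. Consider either reporting the truncation to user space with a distinct error, or at least extending the comment to say that the return value is clamped and the excess bytes in `data` are discarded. Since the comment is being re-indented anyway, "droping" and "more data then user space" could be corrected to "dropping" and "more data than user space" in the same pass.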