2014-02-27 06:59:27

by Liu, Chuansheng

Subject: [PATCH] usb: gadget: return the right length in ffs_epfile_io()

When the request length is aligned to maxpacketsize, sometimes
the return length ret > the user space requested len.

At that time, we will use min_t(size_t, ret, len) to limit the
size in case of user data buffer overflow.

But we need to return the min_t(size_t, ret, len) to tell the user
space rightly also.

Signed-off-by: Chuansheng Liu <[email protected]>
---
drivers/usb/gadget/f_fs.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/drivers/usb/gadget/f_fs.c b/drivers/usb/gadget/f_fs.c
index 2b43343..31ee7af 100644
--- a/drivers/usb/gadget/f_fs.c
+++ b/drivers/usb/gadget/f_fs.c
@@ -687,10 +687,12 @@ static ssize_t ffs_epfile_io(struct file *file,
* space for.
*/
ret = ep->status;
- if (read && ret > 0 &&
- unlikely(copy_to_user(buf, data,
- min_t(size_t, ret, len))))
- ret = -EFAULT;
+ if (read && ret > 0) {
+ ret = min_t(size_t, ret, len);
+
+ if (unlikely(copy_to_user(buf, data, ret)))
+ ret = -EFAULT;
+ }
}
}
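
Review bot: in the new "if (read && ret > 0)" block, clamping ret to len means any bytes the endpoint delivered beyond len are discarded with no signal to the caller, so a read that returns exactly len cannot be told apart from a truncated one. Consider extending the comment directly above this block to say that the excess is dropped and that the returned count is clamped, or logging when ep->status exceeds len. Also note that min_t(size_t, ret, len) is only safe because the ret > 0 test precedes it; a negative ep->status cast to size_t would compare larger than len, so the guard and the clamp should stay together if this code is restructured.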

--
1.9.rc0


2014-02-27 23:39:59

by David Cohen

Subject: Re: [PATCH] usb: gadget: return the right length in ffs_epfile_io()

On Thu, Feb 27, 2014 at 01:15:25PM +0100, Michal Nazarewicz wrote:
> On Thu, Feb 27 2014, Chuansheng Liu <[email protected]> wrote:
> > When the request length is aligned to maxpacketsize, sometimes
> > the return length ret > the user space requested len.
> >
> > At that time, we will use min_t(size_t, ret, len) to limit the
> > size in case of user data buffer overflow.
> >
> > But we need to return the min_t(size_t, ret, len) to tell the user
> > space rightly also.
> >
> > Signed-off-by: Chuansheng Liu <[email protected]>
>
> Acked-by: Michal Nazarewicz <[email protected]>

Reviewed-by: David Cohen <[email protected]>

IMHO it makes sense to push this patch to 3.14-rc since it is an
extension of usb gadget's quick_ep_out_aligned_size merged on 3.14-rc1.

Br, David Cohen