diff options
| author | Linus Torvalds <torvalds@linux-foundation.org> | 2014-11-01 15:08:04 -0700 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2014-11-01 15:08:04 -0700 |
| commit | 528a506e4bcd77dfce5d405e73a95e340bb6e8fd (patch) | |
| tree | 2ed701d69aea839b461ca8a9107a7b59692d3452 /drivers/usb/gadget/function/f_fs.c | |
| parent | 4f4274af7009890f0d4724909bf9038193955489 (diff) | |
| parent | 9c19db5b11487da704d29dee48345c4841831bac (diff) | |
Merge tag 'usb-3.18-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb
Pull USB fixes from Greg KH:
"Here are a bunch of USB fixes for 3.18-rc3.
Mostly usb-serial device ids and gadget fixes for issues that have
been reported. Full details are in the shortlog.
All of these have been in linux-next for a while"
* tag 'usb-3.18-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb: (42 commits)
usb: chipidea: Fix oops when removing the ci_hdrc module
usb: gadget: function: Fixed the return value on error path
usb: dwc2: gadget: disable phy before turning off power regulators
usb: gadget: function: Remove redundant usb_free_all_descriptors
usb: dwc3: gadget: Properly initialize LINK TRB
usb: dwc2: gadget: fix gadget unregistration in udc_stop() function
usb: dwc2: Bits in bitfield should add up to 32
usb: dwc2: gadget: sparse warning of context imbalance
usb: gadget: udc: core: fix kernel oops with soft-connect
usb: musb: musb_dsps: fix NULL pointer in suspend
usb: musb: dsps: start OTG timer on resume again
usb: gadget: loopback: don't queue requests to bogus endpoints
usb: ffs: fix regression when quirk_ep_out_aligned_size flag is set
usb: gadget: f_fs: remove redundant ffs_data_get()
usb: gadget: udc: USB_GADGET_XILINX should depend on HAS_DMA
Revert "usb: dwc3: dwc3-omap: Disable/Enable only wrapper interrupts in prepare/complete"
usb: gadget: composite: enable BESL support
usb: musb: cppi41: restart hrtimer only if not yet done
usb: dwc3: ep0: fix Data Phase for transfer sizes aligned to wMaxPacketSize
usb: serial: ftdi_sio: add "bricked" FTDI device PID
...
Diffstat (limited to 'drivers/usb/gadget/function/f_fs.c')
| -rw-r--r-- | drivers/usb/gadget/function/f_fs.c | 42 |
1 files changed, 34 insertions, 8 deletions
diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c index 7c6771d027a2..63314ede7ba6 100644 --- a/drivers/usb/gadget/function/f_fs.c +++ b/drivers/usb/gadget/function/f_fs.c @@ -647,15 +647,26 @@ static void ffs_user_copy_worker(struct work_struct *work) if (io_data->read && ret > 0) { int i; size_t pos = 0; + + /* + * Since req->length may be bigger than io_data->len (after + * being rounded up to maxpacketsize), we may end up with more + * data then user space has space for. + */ + ret = min_t(int, ret, io_data->len); + use_mm(io_data->mm); for (i = 0; i < io_data->nr_segs; i++) { + size_t len = min_t(size_t, ret - pos, + io_data->iovec[i].iov_len); + if (!len) + break; if (unlikely(copy_to_user(io_data->iovec[i].iov_base, - &io_data->buf[pos], - io_data->iovec[i].iov_len))) { + &io_data->buf[pos], len))) { ret = -EFAULT; break; } - pos += io_data->iovec[i].iov_len; + pos += len; } unuse_mm(io_data->mm); } @@ -687,7 +698,7 @@ static ssize_t ffs_epfile_io(struct file *file, struct ffs_io_data *io_data) struct ffs_epfile *epfile = file->private_data; struct ffs_ep *ep; char *data = NULL; - ssize_t ret, data_len; + ssize_t ret, data_len = -EINVAL; int halt; /* Are we still active? */ @@ -787,13 +798,30 @@ static ssize_t ffs_epfile_io(struct file *file, struct ffs_io_data *io_data) /* Fire the request */ struct usb_request *req; + /* + * Sanity Check: even though data_len can't be used + * uninitialized at the time I write this comment, some + * compilers complain about this situation. + * In order to keep the code clean from warnings, data_len is + * being initialized to -EINVAL during its declaration, which + * means we can't rely on compiler anymore to warn no future + * changes won't result in data_len being used uninitialized. + * For such reason, we're adding this redundant sanity check + * here. + */ + if (unlikely(data_len == -EINVAL)) { + WARN(1, "%s: data_len == -EINVAL\n", __func__); + ret = -EINVAL; + goto error_lock; + } + if (io_data->aio) { req = usb_ep_alloc_request(ep->ep, GFP_KERNEL); if (unlikely(!req)) goto error_lock; req->buf = data; - req->length = io_data->len; + req->length = data_len; io_data->buf = data; io_data->ep = ep->ep; @@ -815,7 +843,7 @@ static ssize_t ffs_epfile_io(struct file *file, struct ffs_io_data *io_data) req = ep->req; req->buf = data; - req->length = io_data->len; + req->length = data_len; req->context = &done; req->complete = ffs_epfile_io_complete; @@ -2663,8 +2691,6 @@ static inline struct f_fs_opts *ffs_do_functionfs_bind(struct usb_function *f, func->conf = c; func->gadget = c->cdev->gadget; - ffs_data_get(func->ffs); - /* * in drivers/usb/gadget/configfs.c:configfs_composite_bind() * configurations are bound in sequence with list_for_each_entry, |