From: Dan Carpenter <dan.carpenter@oracle.com>
To: Felipe Balbi <balbi@kernel.org>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Michal Nazarewicz <mina86@mina86.com>,
Lars-Peter Clausen <lars@metafoo.de>,
Robert Baldyga <r.baldyga@samsung.com>,
Al Viro <viro@ZenIV.linux.org.uk>,
Daniel Walter <dwalter@sigma-star.at>,
"Du, Changbin" <changbin.du@intel.com>,
Rui Miguel Silva <rui.silva@linaro.org>,
linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org,
kernel-janitors@vger.kernel.org
Subject: [patch v2] usb: f_fs: off by one bug in _ffs_func_bind()
Date: Sat, 28 May 2016 04:48:10 +0000 [thread overview]
Message-ID: <20160528044810.GA4107@mwanda> (raw)
In-Reply-To: <20160528044618.GQ11011@mwanda>
This loop is supposed to set all the .num[] values to -1 but it's off by
one so it skips the first element and sets one element past the end of
the array.
I've cleaned up the loop a little as well.
Fixes: ddf8abd25994 ('USB: f_fs: the FunctionFS driver')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
v2: move the eps_ptr assignment outside the loop.
diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c
index 73515d5..d26eb64 100644
--- a/drivers/usb/gadget/function/f_fs.c
+++ b/drivers/usb/gadget/function/f_fs.c
@@ -2729,6 +2729,7 @@ static int _ffs_func_bind(struct usb_configuration *c,
func->ffs->ss_descs_count;
int fs_len, hs_len, ss_len, ret, i;
+ struct ffs_ep *eps_ptr;
/* Make it a single chunk, less management later on */
vla_group(d);
@@ -2777,12 +2778,9 @@ static int _ffs_func_bind(struct usb_configuration *c,
ffs->raw_descs_length);
memset(vla_ptr(vlabuf, d, inums), 0xff, d_inums__sz);
- for (ret = ffs->eps_count; ret; --ret) {
- struct ffs_ep *ptr;
-
- ptr = vla_ptr(vlabuf, d, eps);
- ptr[ret].num = -1;
- }
+ eps_ptr = vla_ptr(vlabuf, d, eps);
+ for (i = 0; i < ffs->eps_count; i++)
+ eps_ptr[i].num = -1;
/* Save pointers
* d_eps = vlabuf, func->eps used to kfree vlabuf later
WARNING: multiple messages have this Message-ID (diff)
From: Dan Carpenter <dan.carpenter@oracle.com>
To: Felipe Balbi <balbi@kernel.org>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Michal Nazarewicz <mina86@mina86.com>,
Lars-Peter Clausen <lars@metafoo.de>,
Robert Baldyga <r.baldyga@samsung.com>,
Al Viro <viro@ZenIV.linux.org.uk>,
Daniel Walter <dwalter@sigma-star.at>,
"Du, Changbin" <changbin.du@intel.com>,
Rui Miguel Silva <rui.silva@linaro.org>,
linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org,
kernel-janitors@vger.kernel.org
Subject: [patch v2] usb: f_fs: off by one bug in _ffs_func_bind()
Date: Sat, 28 May 2016 07:48:10 +0300 [thread overview]
Message-ID: <20160528044810.GA4107@mwanda> (raw)
In-Reply-To: <20160528044618.GQ11011@mwanda>
This loop is supposed to set all the .num[] values to -1 but it's off by
one so it skips the first element and sets one element past the end of
the array.
I've cleaned up the loop a little as well.
Fixes: ddf8abd25994 ('USB: f_fs: the FunctionFS driver')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
v2: move the eps_ptr assignment outside the loop.
diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c
index 73515d5..d26eb64 100644
--- a/drivers/usb/gadget/function/f_fs.c
+++ b/drivers/usb/gadget/function/f_fs.c
@@ -2729,6 +2729,7 @@ static int _ffs_func_bind(struct usb_configuration *c,
func->ffs->ss_descs_count;
int fs_len, hs_len, ss_len, ret, i;
+ struct ffs_ep *eps_ptr;
/* Make it a single chunk, less management later on */
vla_group(d);
@@ -2777,12 +2778,9 @@ static int _ffs_func_bind(struct usb_configuration *c,
ffs->raw_descs_length);
memset(vla_ptr(vlabuf, d, inums), 0xff, d_inums__sz);
- for (ret = ffs->eps_count; ret; --ret) {
- struct ffs_ep *ptr;
-
- ptr = vla_ptr(vlabuf, d, eps);
- ptr[ret].num = -1;
- }
+ eps_ptr = vla_ptr(vlabuf, d, eps);
+ for (i = 0; i < ffs->eps_count; i++)
+ eps_ptr[i].num = -1;
/* Save pointers
* d_eps == vlabuf, func->eps used to kfree vlabuf later
next prev parent reply other threads:[~2016-05-28 4:48 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-05-27 11:23 [patch] usb: f_fs: off by one bug in _ffs_func_bind() Dan Carpenter
2016-05-27 11:45 ` walter harms
2016-05-27 12:23 ` Michal Nazarewicz
2016-05-27 17:25 ` walter harms
2016-05-28 4:46 ` Dan Carpenter
2016-05-28 4:48 ` Dan Carpenter [this message]
2016-05-28 4:48 ` [patch v2] " Dan Carpenter
2016-05-28 9:05 ` walter harms
2016-05-28 9:05 ` walter harms
2016-05-28 10:16 ` Michal Nazarewicz
2016-05-28 10:16 ` Michal Nazarewicz
2016-05-28 10:15 ` [patch] " Michal Nazarewicz
2016-05-28 10:53 ` Dan Carpenter
2016-05-28 11:05 ` Dan Carpenter
2016-05-28 12:01 ` Michal Nazarewicz
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160528044810.GA4107@mwanda \
--to=dan.carpenter@oracle.com \
--cc=balbi@kernel.org \
--cc=changbin.du@intel.com \
--cc=dwalter@sigma-star.at \
--cc=gregkh@linuxfoundation.org \
--cc=kernel-janitors@vger.kernel.org \
--cc=lars@metafoo.de \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-usb@vger.kernel.org \
--cc=mina86@mina86.com \
--cc=r.baldyga@samsung.com \
--cc=rui.silva@linaro.org \
--cc=viro@ZenIV.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.