Subject: Re: [PATCH] usb: gadget: f_fs: report error if excess data received
To: Michal Nazarewicz, "Du, Changbin", Felipe Balbi, Alan Stern
References: <1462961970-2001-1-git-send-email-changbin.du@intel.com>
Cc: Al Viro, "gregkh@linuxfoundation.org", "rui.silva@linaro.org", "lars@metafoo.de", "linux-usb@vger.kernel.org", "linux-kernel@vger.kernel.org"
From: Krzysztof Opasiak
Message-id: <5739F6C0.1000202@samsung.com>
Date: Mon, 16 May 2016 18:35:12 +0200

Hi Michal,

On 05/16/2016 06:05 PM, Michal Nazarewicz wrote:
> So I’ve been looking at AIO handling in f_fs and either I’m stupid or
> the code is broken. Here’s part of ffs_user_copy_worker:
>
> 	int ret = io_data->req->status ? io_data->req->status :
> 					 io_data->req->actual;
> 	if (io_data->read && ret > 0) {
> 		use_mm(io_data->mm);
> 		ret = copy_to_iter(io_data->buf, ret, &io_data->data);
> 		if (iov_iter_count(&io_data->data))
> 			ret = -EFAULT;
> 		unuse_mm(io_data->mm);
> 	}
>
> First of all, shouldn’t the copy_to_iter invocation be:
>
> 	if (copy_to_iter(io_data->buf, ret, &io_data->data))
> 		ret = -EFAULT;
>
> Second of all, if the request reads fewer bytes than user requested,
> iov_iter_count(…) will be non-zero (namely it will be the difference
> between user’s buffer size and data read). This should not result in
> EFAULT though.
>
> So, am I going crazy? Or does this need to be fixed as well?
>

I think it has been already fixed:

http://permalink.gmane.org/gmane.linux.usb.general/139316

Cheers,
-- 
Krzysztof Opasiak
Samsung R&D Institute Poland
Samsung Electronics
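A userspace C model of the completion check quoted above, added here as an illustration and not code from the kernel or from anyone in this thread. `model_iter`, `fault_after`, `complete_quoted`, `complete_checked` and `run_case` are hypothetical names, and `complete_checked` is an assumed way to tell a short read from a failed copy, not the fix behind the link.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Userspace stand-in for struct iov_iter over one destination buffer. */
struct model_iter {
    char  *dst;
    size_t count;       /* space left; what iov_iter_count() reports */
    size_t fault_after; /* constructed: destination faults after this many bytes */
};

/* Like copy_to_iter(): returns the number of bytes actually copied. */
static size_t model_copy_to_iter(const void *src, size_t len, struct model_iter *it)
{
    size_t n = len < it->count ? len : it->count;
    n = n < it->fault_after ? n : it->fault_after;
    memcpy(it->dst, src, n);
    it->count -= n;
    return n;
}

/* Check as quoted: any space left in the user buffer becomes -EFAULT. */
static int complete_quoted(const void *buf, int actual, struct model_iter *it)
{
    int ret = (int)model_copy_to_iter(buf, (size_t)actual, it);
    return it->count ? -EFAULT : ret;
}

/* Assumed alternative: fault only if the copy itself came up short. */
static int complete_checked(const void *buf, int actual, struct model_iter *it)
{
    int ret = (int)model_copy_to_iter(buf, (size_t)actual, it);
    return (ret != actual && it->count) ? -EFAULT : ret;
}

/* One completion: user asked for user_len bytes, the request delivered actual. */
static int run_case(int checked, size_t user_len, int actual, size_t fault_after)
{
    char src[64] = "constructed payload", user[64];
    struct model_iter it = { user, user_len, fault_after };
    return (checked ? complete_checked : complete_quoted)(src, actual, &it);
}

int main(void)
{
    /* 16-byte user buffer, request delivered 5 bytes, destination never faults */
    printf("quoted=%d checked=%d\n", run_case(0, 16, 5, 64), run_case(1, 16, 5, 64));
    return 0;
}
```

A short read (5 bytes into a 16-byte buffer) is reported as `-EFAULT` by the quoted check, while a constructed fault after 2 bytes is still caught by both variants.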