From: Felipe Balbi
To: "Du, Changbin", Al Viro
Cc: "gregkh@linuxfoundation.org", "mina86@mina86.com", "rui.silva@linaro.org", "k.opasiak@samsung.com", "lars@metafoo.de", "linux-usb@vger.kernel.org", "linux-kernel@vger.kernel.org"
Subject: RE: [PATCH] usb: gadget: f_fs: report error if excess data received
Date: Thu, 12 May 2016 12:22:56 +0300
Message-ID: <87wpmzeikv.fsf@linux.intel.com>
In-Reply-To: <87zirveixx.fsf@linux.intel.com>

Hi again,

Felipe Balbi writes:
> @@ -811,7 +815,12 @@ static ssize_t ffs_epfile_io(struct file *file, struct ffs_io_data *io_data) > */ > ret = interrupted ? -EINTR : ep->status; > if (io_data->read && ret > 0) { > - ret = copy_to_iter(data, ret, &io_data->data); > + if (ret > io_data->expected_len) > + pr_debug("FFS: size mismatch: %zd for %zd", > + ret, io_data->expected_len); > + > + ret = copy_to_iter(data, io_data->expected_len, > + &io_data->data); we need a min() here. Better version below: diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c index 73515d54e1cc..6c49b152f46e 100644 --- a/drivers/usb/gadget/function/f_fs.c +++ b/drivers/usb/gadget/function/f_fs.c @@ -156,6 +156,8 @@ struct ffs_io_data { struct usb_request *req; struct ffs_data *ffs; + + ssize_t expected_len; }; struct ffs_desc_helper { @@ -730,8 +732,10 @@ static ssize_t ffs_epfile_io(struct file *file, struct ffs_io_data *io_data) * Controller may require buffer size to be aligned to * maxpacketsize of an out endpoint. */ - if (io_data->read) + if (io_data->read) { + io_data->expected_len = data_len; data_len = usb_ep_align_maybe(gadget, ep->ep, data_len); + } spin_unlock_irq(&epfile->ffs->eps_lock); data = kmalloc(data_len, GFP_KERNEL); @@ -811,7 +815,15 @@ static ssize_t ffs_epfile_io(struct file *file, struct ffs_io_data *io_data) */ ret = interrupted ? -EINTR : ep->status; if (io_data->read && ret > 0) { - ret = copy_to_iter(data, ret, &io_data->data); + ssize_t bytes; + + if (ret > io_data->expected_len) + pr_debug("FFS: size mismatch: %zd for %zd", + ret, io_data->expected_len); + + bytes = min(ret, io_data->expected_len); + + ret = copy_to_iter(data, bytes, &io_data->data); if (!ret) ret = -EFAULT; } -- balbi
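
Review bot: the new expected_len field added to struct ffs_io_data in the first hunk has no comment saying what it holds. The second hunk shows it is the length requested before usb_ep_align_maybe() adjusts data_len, so a one-line comment to that effect on the field would keep later users from confusing it with the size of the kmalloc()ed buffer.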
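
Review bot: in the last hunk of ffs_epfile_io(), the branch for ret > io_data->expected_len only emits a pr_debug() and then copies min(ret, io_data->expected_len) bytes, so the excess data is dropped and the caller sees an ordinary successful read, while the subject line says an error is reported. Either return an error from that branch (which code to use is for this thread to settle) or retitle the patch to say that excess data is truncated. The pr_debug() format string "FFS: size mismatch: %zd for %zd" is also missing its trailing "\n".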