From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Message-Id: <20120504204227.207027961@linuxfoundation.org> Date: Fri, 04 May 2012 13:42:57 -0700 From: Greg KH To: linux-kernel@vger.kernel.org, stable@vger.kernel.org Cc: torvalds@linux-foundation.org, akpm@linux-foundation.org, alan@lxorguk.ukuu.org.uk, Fernandez Gonzalo , Laurent Pinchart Subject: [ 33/75] usb gadget: uvc: uvc_request_data::length field must be signed In-Reply-To: <20120504204258.GA12552@kroah.com> Sender: linux-kernel-owner@vger.kernel.org List-ID: 3.3-stable review patch. If anyone has any objections, please let me know. ------------------ From: Laurent Pinchart commit 6f6543f53f9ce136e01d7114bf6f0818ca54fb41 upstream. The field is used to pass the UVC request data length, but can also be used to signal an error when setting it to a negative value. Switch from unsigned int to __s32. Reported-by: Fernandez Gonzalo Signed-off-by: Laurent Pinchart Signed-off-by: Greg Kroah-Hartman --- drivers/usb/gadget/uvc.h | 2 +- drivers/usb/gadget/uvc_v4l2.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) --- a/drivers/usb/gadget/uvc.h +++ b/drivers/usb/gadget/uvc.h @@ -28,7 +28,7 @@ struct uvc_request_data { - unsigned int length; + __s32 length; __u8 data[60]; }; --- a/drivers/usb/gadget/uvc_v4l2.c +++ b/drivers/usb/gadget/uvc_v4l2.c @@ -39,7 +39,7 @@ uvc_send_response(struct uvc_device *uvc if (data->length < 0) return usb_ep_set_halt(cdev->gadget->ep0); - req->length = min(uvc->event_length, data->length); + req->length = min_t(unsigned int, uvc->event_length, data->length); req->zero = data->length < uvc->event_length; req->dma = DMA_ADDR_INVALID;