xiaomi-sm8450/android_kernel_xiaomi_sm8450
1
0
Forka 0
Codice Problemi Pull Requests Actions Pacchetti Progetti Rilasci Wiki Attività

usb: raw-gadget: Fix copy_to/from_user() checks

Sfoglia il codice sorgente 
The copy_to/from_user() functions return the number of bytes remaining
but we want to return negative error codes.  I changed a couple checks
in raw_ioctl_ep_read() and raw_ioctl_ep0_read() to show that we still
we returning zero on error.

Fixes: f2c2e71764 ("usb: gadget: add raw-gadget interface")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Andrey Konovalov <andreyknvl@google.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Felipe Balbi <balbi@kernel.org>
This commit is contained in:
Dan Carpenter
2020-04-06 17:51:19 +03:00
committato da Felipe Balbi
parent 0666aa539e
commit a7b778357c
1 ha cambiato i file con 22 aggiunte e 24 eliminazioni
Scarica il file Patch Scarica il file Diff Expand all files Collapse all files

46
drivers/usb/gadget/legacy/raw_gadget.c
Vedi File

@@ -400,9 +400,8 @@ static int raw_ioctl_init(struct raw_dev *dev, unsigned long value)
char *udc_device_name;
unsigned long flags;
ret = copy_from_user(&arg, (void __user *)value, sizeof(arg));
if (ret)
return ret;
if (copy_from_user(&arg, (void __user *)value, sizeof(arg)))
return -EFAULT;
switch (arg.speed) {
case USB_SPEED_UNKNOWN:
@@ -509,15 +508,13 @@ out_unlock:
static int raw_ioctl_event_fetch(struct raw_dev *dev, unsigned long value)
{
int ret = 0;
struct usb_raw_event arg;
unsigned long flags;
struct usb_raw_event *event;
uint32_t length;
ret = copy_from_user(&arg, (void __user *)value, sizeof(arg));
if (ret)
return ret;
if (copy_from_user(&arg, (void __user *)value, sizeof(arg)))
return -EFAULT;
spin_lock_irqsave(&dev->lock, flags);
if (dev->state != STATE_DEV_RUNNING) {
@@ -545,20 +542,19 @@ static int raw_ioctl_event_fetch(struct raw_dev *dev, unsigned long value)
return -ENODEV;
}
length = min(arg.length, event->length);
ret = copy_to_user((void __user *)value, event,
sizeof(*event) + length);
return ret;
if (copy_to_user((void __user *)value, event, sizeof(*event) + length))
return -EFAULT;
return 0;
}
static void *raw_alloc_io_data(struct usb_raw_ep_io *io, void __user *ptr,
bool get_from_user)
{
int ret;
void *data;
ret = copy_from_user(io, ptr, sizeof(*io));
if (ret)
return ERR_PTR(ret);
if (copy_from_user(io, ptr, sizeof(*io)))
return ERR_PTR(-EFAULT);
if (io->ep >= USB_RAW_MAX_ENDPOINTS)
return ERR_PTR(-EINVAL);
if (!usb_raw_io_flags_valid(io->flags))
@@ -673,12 +669,13 @@ static int raw_ioctl_ep0_read(struct raw_dev *dev, unsigned long value)
if (IS_ERR(data))
return PTR_ERR(data);
ret = raw_process_ep0_io(dev, &io, data, false);
if (ret < 0) {
kfree(data);
return ret;
}
if (ret)
goto free;
length = min(io.length, (unsigned int)ret);
ret = copy_to_user((void __user *)(value + sizeof(io)), data, length);
if (copy_to_user((void __user *)(value + sizeof(io)), data, length))
ret = -EFAULT;
free:
kfree(data);
return ret;
}
@@ -967,12 +964,13 @@ static int raw_ioctl_ep_read(struct raw_dev *dev, unsigned long value)
if (IS_ERR(data))
return PTR_ERR(data);
ret = raw_process_ep_io(dev, &io, data, false);
if (ret < 0) {
kfree(data);
return ret;
}
if (ret)
goto free;
length = min(io.length, (unsigned int)ret);
ret = copy_to_user((void __user *)(value + sizeof(io)), data, length);
if (copy_to_user((void __user *)(value + sizeof(io)), data, length))
ret = -EFAULT;
free:
kfree(data);
return ret;
}