Merge remote-tracking branch 'regulator/topic/core' into regulator-next
[cascardo/linux.git] / drivers / usb / gadget / function / f_fs.c
index 7c6771d..63314ed 100644 (file)
@@ -647,15 +647,26 @@ static void ffs_user_copy_worker(struct work_struct *work)
        if (io_data->read && ret > 0) {
                int i;
                size_t pos = 0;
+
+               /*
+                * Since req->length may be bigger than io_data->len (after
+                * being rounded up to maxpacketsize), we may end up with more
+                * data then user space has space for.
+                */
+               ret = min_t(int, ret, io_data->len);
+
                use_mm(io_data->mm);
                for (i = 0; i < io_data->nr_segs; i++) {
+                       size_t len = min_t(size_t, ret - pos,
+                                       io_data->iovec[i].iov_len);
+                       if (!len)
+                               break;
                        if (unlikely(copy_to_user(io_data->iovec[i].iov_base,
-                                                &io_data->buf[pos],
-                                                io_data->iovec[i].iov_len))) {
+                                                &io_data->buf[pos], len))) {
                                ret = -EFAULT;
                                break;
                        }
-                       pos += io_data->iovec[i].iov_len;
+                       pos += len;
                }
                unuse_mm(io_data->mm);
        }
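Review bot: The clamp `ret = min_t(int, ret, io_data->len);` casts a size_t length to int, so a length above INT_MAX would turn negative, leave ret negative, and make `ret - pos` wrap to a huge size_t in the loop below, at which point each copy_to_user() is again bounded only by iov_len. Whether io_data->len can get that large is not visible here (the read path normally caps it), but the enclosing condition already guarantees ret > 0, so `ret = min_t(size_t, ret, io_data->len);` avoids the question. The new comment also has a typo: "data then user space" should read "data than user space". ffs_user_copy_worker continues outside this hunk.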
@@ -687,7 +698,7 @@ static ssize_t ffs_epfile_io(struct file *file, struct ffs_io_data *io_data)
        struct ffs_epfile *epfile = file->private_data;
        struct ffs_ep *ep;
        char *data = NULL;
-       ssize_t ret, data_len;
+       ssize_t ret, data_len = -EINVAL;
        int halt;
 
        /* Are we still active? */
@@ -787,13 +798,30 @@ static ssize_t ffs_epfile_io(struct file *file, struct ffs_io_data *io_data)
                /* Fire the request */
                struct usb_request *req;
 
+               /*
+                * Sanity Check: even though data_len can't be used
+                * uninitialized at the time I write this comment, some
+                * compilers complain about this situation.
+                * In order to keep the code clean from warnings, data_len is
+                * being initialized to -EINVAL during its declaration, which
+                * means we can't rely on compiler anymore to warn no future
+                * changes won't result in data_len being used uninitialized.
+                * For such reason, we're adding this redundant sanity check
+                * here.
+                */
+               if (unlikely(data_len == -EINVAL)) {
+                       WARN(1, "%s: data_len == -EINVAL\n", __func__);
+                       ret = -EINVAL;
+                       goto error_lock;
+               }
+
                if (io_data->aio) {
                        req = usb_ep_alloc_request(ep->ep, GFP_KERNEL);
                        if (unlikely(!req))
                                goto error_lock;
 
                        req->buf      = data;
-                       req->length   = io_data->len;
+                       req->length   = data_len;
 
                        io_data->buf = data;
                        io_data->ep = ep->ep;
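Review bot: The added guard tests only the exact sentinel, `data_len == -EINVAL`, yet the value is then stored into `req->length` here and again in the non-aio branch of the following hunk, where any negative ssize_t would presumably become a very large unsigned length. Testing `data_len < 0` costs nothing and covers every invalid value, and the kernel idiom folds the condition into the macro: `if (WARN(data_len < 0, "%s: data_len == %zd\n", __func__, data_len)) {`. The comment's "warn no future changes won't result in" is garbled; something like "warn us if a future change leaves data_len uninitialized" says what is meant. What error_lock releases is outside the hunk, so confirm that `data` is freed on this path if it can already be allocated at this point.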
@@ -815,7 +843,7 @@ static ssize_t ffs_epfile_io(struct file *file, struct ffs_io_data *io_data)
 
                        req = ep->req;
                        req->buf      = data;
-                       req->length   = io_data->len;
+                       req->length   = data_len;
 
                        req->context  = &done;
                        req->complete = ffs_epfile_io_complete;
@@ -2663,8 +2691,6 @@ static inline struct f_fs_opts *ffs_do_functionfs_bind(struct usb_function *f,
        func->conf = c;
        func->gadget = c->cdev->gadget;
 
-       ffs_data_get(func->ffs);
-
        /*
         * in drivers/usb/gadget/configfs.c:configfs_composite_bind()
         * configurations are bound in sequence with list_for_each_entry,