usb: raw-gadget: Fix copy_to/from_user() checks (a7b77835) · Commits · EulixOS / Software / Kernel

drivers/usb/gadget/legacy/raw_gadget.c

+22 −24

Original line number	Original line	Diff line number	Diff line
	@@ -400,9 +400,8 @@ static int raw_ioctl_init(struct raw_dev *dev, unsigned long value)
	char *udc_device_name;		char *udc_device_name;
	unsigned long flags;		unsigned long flags;

	ret = copy_from_user(&arg, (void __user *)value, sizeof(arg));		if (copy_from_user(&arg, (void __user *)value, sizeof(arg)))
	if (ret)		return -EFAULT;
	return ret;

	switch (arg.speed) {		switch (arg.speed) {
	case USB_SPEED_UNKNOWN:		case USB_SPEED_UNKNOWN:
	@@ -509,15 +508,13 @@ static int raw_ioctl_run(struct raw_dev *dev, unsigned long value)

	static int raw_ioctl_event_fetch(struct raw_dev *dev, unsigned long value)		static int raw_ioctl_event_fetch(struct raw_dev *dev, unsigned long value)
	{		{
	int ret = 0;
	struct usb_raw_event arg;		struct usb_raw_event arg;
	unsigned long flags;		unsigned long flags;
	struct usb_raw_event *event;		struct usb_raw_event *event;
	uint32_t length;		uint32_t length;

	ret = copy_from_user(&arg, (void __user *)value, sizeof(arg));		if (copy_from_user(&arg, (void __user *)value, sizeof(arg)))
	if (ret)		return -EFAULT;
	return ret;

	spin_lock_irqsave(&dev->lock, flags);		spin_lock_irqsave(&dev->lock, flags);
	if (dev->state != STATE_DEV_RUNNING) {		if (dev->state != STATE_DEV_RUNNING) {
	@@ -545,20 +542,19 @@ static int raw_ioctl_event_fetch(struct raw_dev *dev, unsigned long value)
	return -ENODEV;		return -ENODEV;
	}		}
	length = min(arg.length, event->length);		length = min(arg.length, event->length);
	ret = copy_to_user((void __user *)value, event,		if (copy_to_user((void __user )value, event, sizeof(event) + length))
	sizeof(*event) + length);		return -EFAULT;
	return ret;
			return 0;
	}		}

	static void raw_alloc_io_data(struct usb_raw_ep_io io, void __user *ptr,		static void raw_alloc_io_data(struct usb_raw_ep_io io, void __user *ptr,
	bool get_from_user)		bool get_from_user)
	{		{
	int ret;
	void *data;		void *data;

	ret = copy_from_user(io, ptr, sizeof(*io));		if (copy_from_user(io, ptr, sizeof(*io)))
	if (ret)		return ERR_PTR(-EFAULT);
	return ERR_PTR(ret);
	if (io->ep >= USB_RAW_MAX_ENDPOINTS)		if (io->ep >= USB_RAW_MAX_ENDPOINTS)
	return ERR_PTR(-EINVAL);		return ERR_PTR(-EINVAL);
	if (!usb_raw_io_flags_valid(io->flags))		if (!usb_raw_io_flags_valid(io->flags))
	@@ -673,12 +669,13 @@ static int raw_ioctl_ep0_read(struct raw_dev *dev, unsigned long value)
	if (IS_ERR(data))		if (IS_ERR(data))
	return PTR_ERR(data);		return PTR_ERR(data);
	ret = raw_process_ep0_io(dev, &io, data, false);		ret = raw_process_ep0_io(dev, &io, data, false);
	if (ret < 0) {		if (ret)
	kfree(data);		goto free;
	return ret;
	}
	length = min(io.length, (unsigned int)ret);		length = min(io.length, (unsigned int)ret);
	ret = copy_to_user((void __user *)(value + sizeof(io)), data, length);		if (copy_to_user((void __user *)(value + sizeof(io)), data, length))
			ret = -EFAULT;
			free:
	kfree(data);		kfree(data);
	return ret;		return ret;
	}		}
	@@ -967,12 +964,13 @@ static int raw_ioctl_ep_read(struct raw_dev *dev, unsigned long value)
	if (IS_ERR(data))		if (IS_ERR(data))
	return PTR_ERR(data);		return PTR_ERR(data);
	ret = raw_process_ep_io(dev, &io, data, false);		ret = raw_process_ep_io(dev, &io, data, false);
	if (ret < 0) {		if (ret)
	kfree(data);		goto free;
	return ret;
	}
	length = min(io.length, (unsigned int)ret);		length = min(io.length, (unsigned int)ret);
	ret = copy_to_user((void __user *)(value + sizeof(io)), data, length);		if (copy_to_user((void __user *)(value + sizeof(io)), data, length))
			ret = -EFAULT;
			free:
	kfree(data);		kfree(data);
	return ret;		return ret;
	}		}