linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [patch v2] usb: f_fs: off by one bug in _ffs_func_bind()
       [not found] <20160528044618.GQ11011@mwanda>
@ 2016-05-28  4:48 ` Dan Carpenter
  2016-05-28  9:05   ` walter harms
  2016-05-28 10:16   ` Michal Nazarewicz
  0 siblings, 2 replies; 3+ messages in thread
From: Dan Carpenter @ 2016-05-28  4:48 UTC (permalink / raw)
  To: Felipe Balbi
  Cc: Greg Kroah-Hartman, Michal Nazarewicz, Lars-Peter Clausen,
	Robert Baldyga, Al Viro, Daniel Walter, Du, Changbin,
	Rui Miguel Silva, linux-usb, linux-kernel, kernel-janitors

This loop is supposed to set all the .num[] values to -1 but it's off by
one so it skips the first element and sets one element past the end of
the array.

I've cleaned up the loop a little as well.

Fixes: ddf8abd25994 ('USB: f_fs: the FunctionFS driver')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
v2: move the eps_ptr assignment outside the loop.

diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c
index 73515d5..d26eb64 100644
--- a/drivers/usb/gadget/function/f_fs.c
+++ b/drivers/usb/gadget/function/f_fs.c
@@ -2729,6 +2729,7 @@ static int _ffs_func_bind(struct usb_configuration *c,
 		func->ffs->ss_descs_count;
 
 	int fs_len, hs_len, ss_len, ret, i;
+	struct ffs_ep *eps_ptr;
 
 	/* Make it a single chunk, less management later on */
 	vla_group(d);
@@ -2777,12 +2778,9 @@ static int _ffs_func_bind(struct usb_configuration *c,
 	       ffs->raw_descs_length);
 
 	memset(vla_ptr(vlabuf, d, inums), 0xff, d_inums__sz);
-	for (ret = ffs->eps_count; ret; --ret) {
-		struct ffs_ep *ptr;
-
-		ptr = vla_ptr(vlabuf, d, eps);
-		ptr[ret].num = -1;
-	}
+	eps_ptr = vla_ptr(vlabuf, d, eps);
+	for (i = 0; i < ffs->eps_count; i++)
+		eps_ptr[i].num = -1;
 
 	/* Save pointers
 	 * d_eps == vlabuf, func->eps used to kfree vlabuf later

^ permalink raw reply related	[flat|nested] 3+ messages in thread
* Re: [patch v2] usb: f_fs: off by one bug in _ffs_func_bind()
  2016-05-28  4:48 ` [patch v2] usb: f_fs: off by one bug in _ffs_func_bind() Dan Carpenter
@ 2016-05-28  9:05   ` walter harms
  2016-05-28 10:16   ` Michal Nazarewicz
  1 sibling, 0 replies; 3+ messages in thread
From: walter harms @ 2016-05-28  9:05 UTC (permalink / raw)
  To: Dan Carpenter
  Cc: Felipe Balbi, Greg Kroah-Hartman, Michal Nazarewicz,
	Lars-Peter Clausen, Robert Baldyga, Al Viro, Daniel Walter, Du,
	Changbin, Rui Miguel Silva, linux-usb, linux-kernel,
	kernel-janitors

much better readable than the original.
nice work

re,
 wh

Am 28.05.2016 06:48, schrieb Dan Carpenter:
> This loop is supposed to set all the .num[] values to -1 but it's off by
> one so it skips the first element and sets one element past the end of
> the array.
> 
> I've cleaned up the loop a little as well.
> 
> Fixes: ddf8abd25994 ('USB: f_fs: the FunctionFS driver')
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
> v2: move the eps_ptr assignment outside the loop.
> 
> diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c
> index 73515d5..d26eb64 100644
> --- a/drivers/usb/gadget/function/f_fs.c
> +++ b/drivers/usb/gadget/function/f_fs.c
> @@ -2729,6 +2729,7 @@ static int _ffs_func_bind(struct usb_configuration *c,
>  		func->ffs->ss_descs_count;
>  
>  	int fs_len, hs_len, ss_len, ret, i;
> +	struct ffs_ep *eps_ptr;
>  
>  	/* Make it a single chunk, less management later on */
>  	vla_group(d);
> @@ -2777,12 +2778,9 @@ static int _ffs_func_bind(struct usb_configuration *c,
>  	       ffs->raw_descs_length);
>  
>  	memset(vla_ptr(vlabuf, d, inums), 0xff, d_inums__sz);
> -	for (ret = ffs->eps_count; ret; --ret) {
> -		struct ffs_ep *ptr;
> -
> -		ptr = vla_ptr(vlabuf, d, eps);
> -		ptr[ret].num = -1;
> -	}
> +	eps_ptr = vla_ptr(vlabuf, d, eps);
> +	for (i = 0; i < ffs->eps_count; i++)
> +		eps_ptr[i].num = -1;
>  
>  	/* Save pointers
>  	 * d_eps == vlabuf, func->eps used to kfree vlabuf later
> --
> To unsubscribe from this list: send the line "unsubscribe kernel-janitors" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 

^ permalink raw reply	[flat|nested] 3+ messages in thread
* Re: [patch v2] usb: f_fs: off by one bug in _ffs_func_bind()
  2016-05-28  4:48 ` [patch v2] usb: f_fs: off by one bug in _ffs_func_bind() Dan Carpenter
  2016-05-28  9:05   ` walter harms
@ 2016-05-28 10:16   ` Michal Nazarewicz
  1 sibling, 0 replies; 3+ messages in thread
From: Michal Nazarewicz @ 2016-05-28 10:16 UTC (permalink / raw)
  To: Dan Carpenter, Felipe Balbi
  Cc: Greg Kroah-Hartman, Lars-Peter Clausen, Robert Baldyga, Al Viro,
	Daniel Walter, Du, Changbin, Rui Miguel Silva, linux-usb,
	linux-kernel, kernel-janitors

On Sat, May 28 2016, Dan Carpenter wrote:
> This loop is supposed to set all the .num[] values to -1 but it's off by
> one so it skips the first element and sets one element past the end of
> the array.
>
> I've cleaned up the loop a little as well.
>
> Fixes: ddf8abd25994 ('USB: f_fs: the FunctionFS driver')
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

Acked-by: Michal Nazarewicz <mina86@mina86.com>

> ---
> v2: move the eps_ptr assignment outside the loop.
>
> diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c
> index 73515d5..d26eb64 100644
> --- a/drivers/usb/gadget/function/f_fs.c
> +++ b/drivers/usb/gadget/function/f_fs.c
> @@ -2729,6 +2729,7 @@ static int _ffs_func_bind(struct usb_configuration *c,
>  		func->ffs->ss_descs_count;
>  
>  	int fs_len, hs_len, ss_len, ret, i;
> +	struct ffs_ep *eps_ptr;
>  
>  	/* Make it a single chunk, less management later on */
>  	vla_group(d);
> @@ -2777,12 +2778,9 @@ static int _ffs_func_bind(struct usb_configuration *c,
>  	       ffs->raw_descs_length);
>  
>  	memset(vla_ptr(vlabuf, d, inums), 0xff, d_inums__sz);
> -	for (ret = ffs->eps_count; ret; --ret) {
> -		struct ffs_ep *ptr;
> -
> -		ptr = vla_ptr(vlabuf, d, eps);
> -		ptr[ret].num = -1;
> -	}
> +	eps_ptr = vla_ptr(vlabuf, d, eps);
> +	for (i = 0; i < ffs->eps_count; i++)
> +		eps_ptr[i].num = -1;
>  
>  	/* Save pointers
>  	 * d_eps == vlabuf, func->eps used to kfree vlabuf later

-- 
Best regards
ミハウ “𝓶𝓲𝓷𝓪86” ナザレヴイツ
«If at first you don’t succeed, give up skydiving»

^ permalink raw reply	[flat|nested] 3+ messages in thread
end of thread, other threads:[~2016-05-28 10:16 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
     [not found] <20160528044618.GQ11011@mwanda>
2016-05-28  4:48 ` [patch v2] usb: f_fs: off by one bug in _ffs_func_bind() Dan Carpenter
2016-05-28  9:05   ` walter harms
2016-05-28 10:16   ` Michal Nazarewicz

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).