Commit 9d02b42614149ebccf12c9c580601ed01bd83070

Authored by Michal Sojka
Committed by Greg Kroah-Hartman
1 parent 4bbba111d9

USB: Do not pass negative length to snoop_urb()

When `echo Y > /sys/module/usbcore/parameters/usbfs_snoop` and
usb_control_msg() returns an error, a lot of kernel memory is dumped to dmesg
until an unhandled kernel paging request occurs.

Signed-off-by: Michal Sojka <sojkam1@fel.cvut.cz>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

Showing 1 changed file with 1 additions and 1 deletions

drivers/usb/core/devio.c
... ... @@ -802,7 +802,7 @@
802 802 tbuf, ctrl.wLength, tmo);
803 803 usb_lock_device(dev);
804 804 snoop_urb(dev, NULL, pipe, max(i, 0), min(i, 0), COMPLETE,
805   - tbuf, i);
  805 + tbuf, max(i, 0));
806 806 if ((i > 0) && ctrl.wLength) {
807 807 if (copy_to_user(ctrl.data, tbuf, i)) {
808 808 free_page((unsigned long)tbuf);
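
Review bot: The clamp on the changed line 805 is applied only at this call site, so snoop_urb() itself still accepts a negative length from any other caller that forwards an error return. Given that the commit message describes the result as kernel memory dumped to dmesg until a paging fault, it would be safer to also reject or clamp a negative length inside snoop_urb(), so the dump can never run with a bad bound regardless of the caller. In this call `max(i, 0)` now appears twice (the length argument and the data length after `tbuf`); a local such as `int len = max(i, 0);` (the name is only a suggestion) would make it obvious that both are the same clamped value, and a one-line comment that `i` is negative when usb_control_msg() fails would record why the clamp is there.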