From 3343f376d4bae98ec11fd104e0e211b275e754b8 Mon Sep 17 00:00:00 2001 From: Dan Carpenter Date: Thu, 22 Apr 2021 12:00:54 +0300 Subject: usb: gadget: prevent a ternary sign expansion bug The problem is that "req->actual" is a u32, "req->status" is an int, and iocb->ki_complete() takes a long. We would expect that a negative error code in "req->status" would translate to a negative long value. But what actually happens is that because "req->actual" is a u32, the error codes is type promoted to a high positive value and then remains a positive value when it is cast to long. (No sign expansion). We can fix this by casting "req->status" to long. Acked-by: Felipe Balbi Signed-off-by: Dan Carpenter Link: https://lore.kernel.org/r/YIE7RrBPLWc3XtMg@mwanda Signed-off-by: Greg Kroah-Hartman --- drivers/usb/gadget/legacy/inode.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'drivers/usb') diff --git a/drivers/usb/gadget/legacy/inode.c b/drivers/usb/gadget/legacy/inode.c index 71e7d10dd76b..cd8e2737947b 100644 --- a/drivers/usb/gadget/legacy/inode.c +++ b/drivers/usb/gadget/legacy/inode.c @@ -498,7 +498,8 @@ static void ep_aio_complete(struct usb_ep *ep, struct usb_request *req) iocb->private = NULL; /* aio_complete() reports bytes-transferred _and_ faults */ - iocb->ki_complete(iocb, req->actual ? req->actual : req->status, + iocb->ki_complete(iocb, + req->actual ? req->actual : (long)req->status, req->status); } else { /* ep_copy_to_user() won't report both; we hide some faults */ -- cgit v1.2.3