[PATCH] usbdevfs: Fix broken scatter-gather transfer
From: Henrik Rydberg
Date: Thu Oct 11 2012 - 17:27:04 EST
The recently introduced handling of large bulk transfers is completely
broken; the same user page is read over and over again. Fixed with
this patch.
Cc: stable@xxxxxxxxxx
Signed-off-by: Henrik Rydberg <rydberg@xxxxxxxxxxx>
---
drivers/usb/core/devio.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/usb/core/devio.c b/drivers/usb/core/devio.c
index ebb8a9d..6e58b59 100644
--- a/drivers/usb/core/devio.c
+++ b/drivers/usb/core/devio.c
@@ -1172,6 +1172,7 @@ static int proc_do_submiturb(struct dev_state *ps, struct usbdevfs_urb *uurb,
struct usb_ctrlrequest *dr = NULL;
unsigned int u, totlen, isofrmlen;
int i, ret, is_in, num_sgs = 0, ifnum = -1;
+ void __user *userbuf;
void *buf;
if (uurb->flags & ~(USBDEVFS_URB_ISO_ASAP |
@@ -1333,6 +1334,7 @@ static int proc_do_submiturb(struct dev_state *ps, struct usbdevfs_urb *uurb,
as->urb->num_sgs = num_sgs;
sg_init_table(as->urb->sg, as->urb->num_sgs);
+ userbuf = uurb->buffer;
totlen = uurb->buffer_length;
for (i = 0; i < as->urb->num_sgs; i++) {
u = (totlen > USB_SG_SIZE) ? USB_SG_SIZE : totlen;
@@ -1344,11 +1346,12 @@ static int proc_do_submiturb(struct dev_state *ps, struct usbdevfs_urb *uurb,
sg_set_buf(&as->urb->sg[i], buf, u);
if (!is_in) {
- if (copy_from_user(buf, uurb->buffer, u)) {
+ if (copy_from_user(buf, userbuf, u)) {
ret = -EFAULT;
goto error;
}
}
+ userbuf += u;
totlen -= u;
}
} else if (uurb->buffer_length > 0) {
--
1.7.12.2
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/