USB: Do not pass negative length to snoop_urb()

commit 9d02b42614149ebccf12c9c580601ed01bd83070 upstream. When `echo Y > /sys/module/usbcore/parameters/usbfs_snoop` and usb_control_msg() returns error, a lot of kernel memory is dumped to dmesg until unhandled kernel paging request occurs. Signed-off-by: Michal Sojka <sojkam1@fel.cvut.cz> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
author: Michal Sojka <sojkam1@fel.cvut.cz> 2011-03-15 16:41:47 +0100
committer: Greg Kroah-Hartman <gregkh@suse.de> 2011-03-27 11:36:14 -0700
commit: 247a28d9277bfadf22c4b1afd9e28a24b7dbf912 (patch)
tree: 8b904e0ef6679e013585f38a8773a523c3ebb190 /drivers
parent: e30d586e1ec3a54ab8f573aa47f64cd5b5d29029 (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/usb/core/devio.c b/drivers/usb/core/devio.c
index a7131ad630f..37518dfdeb9 100644
--- a/drivers/usb/core/devio.c
+++ b/drivers/usb/core/devio.c
@@ -802,7 +802,7 @@ static int proc_control(struct dev_state *ps, void __user *arg)
 				    tbuf, ctrl.wLength, tmo);
 		usb_lock_device(dev);
 		snoop_urb(dev, NULL, pipe, max(i, 0), min(i, 0), COMPLETE,
-			tbuf, i);
+			  tbuf, max(i, 0));
 		if ((i > 0) && ctrl.wLength) {
 			if (copy_to_user(ctrl.data, tbuf, i)) {
 				free_page((unsigned long)tbuf);
author	Michal Sojka <sojkam1@fel.cvut.cz>	2011-03-15 16:41:47 +0100
committer	Greg Kroah-Hartman <gregkh@suse.de>	2011-03-27 11:36:14 -0700
commit	247a28d9277bfadf22c4b1afd9e28a24b7dbf912 (patch)
tree	8b904e0ef6679e013585f38a8773a523c3ebb190 /drivers
parent	e30d586e1ec3a54ab8f573aa47f64cd5b5d29029 (diff)