If an event occurs while the hid debugfs is forwarding events, list->tail
is updated during copy_to_user().
Remove the gotos and use a regular while-loop to empty the queue.
Second benefit, it checks that we are not writing more than count bytes
to the user-space output buffer.
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@xxxxxxxxxx>
---
drivers/hid/hid-debug.c | 27 +++++++++++----------------
1 file changed, 11 insertions(+), 16 deletions(-)
diff --git a/drivers/hid/hid-debug.c b/drivers/hid/hid-debug.c
index 094cbcf..1dc8104 100644
--- a/drivers/hid/hid-debug.c
+++ b/drivers/hid/hid-debug.c
@@ -1000,6 +1000,7 @@ static ssize_t hid_debug_events_read(struct file *file, char __user *buffer,
size_t count, loff_t *ppos)
{
struct hid_debug_list *list = file->private_data;
+ char *buf_head;
int ret = 0, len;
DECLARE_WAITQUEUE(wait, current);
@@ -1039,28 +1040,22 @@ static ssize_t hid_debug_events_read(struct file *file, char __user *buffer,
goto out;
/* pass the ringbuffer contents to userspace */
-copy_rest:
- if (list->tail == list->head)
- goto out;
- if (list->tail > list->head) {
- len = list->tail - list->head;
+ while (list->tail != list->head && ret < count) {
+ buf_head = &list->hid_debug_buf[list->head];
- if (copy_to_user(buffer + ret, &list->hid_debug_buf[list->head], len)) {
- ret = -EFAULT;
- goto out;
- }
- ret += len;
- list->head += len;
- } else {
- len = HID_DEBUG_BUFSIZE - list->head;
+ if (list->tail > list->head)
+ len = list->tail - list->head;
+ else
+ len = HID_DEBUG_BUFSIZE - list->head;
+
+ len = min(count - ret, len);
- if (copy_to_user(buffer, &list->hid_debug_buf[list->head], len)) {
+ if (copy_to_user(buffer + ret, buf_head, len)) {
ret = -EFAULT;
goto out;
}
- list->head = 0;
ret += len;
- goto copy_rest;
+ list->head = (list->head + len) % HID_DEBUG_BUFSIZE;
}
}
--
1.8.1.4
--
To unsubscribe from this list: send the line "unsubscribe linux-input" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
