On Tue, Sep 09 2014, Dan Carpenter <dan.carpenter@xxxxxxxxxx> wrote: > We need "idx" to be signed for the error handling to work. > > Fixes: 6d5c1c77bbf9 ('usb: gadget: f_fs: fix the redundant ep files problem') > Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx> Acked-by: Michal Nazarewicz <mina86@xxxxxxxxxx> > --- > Btw, there is a sparse warning: > > drivers/usb/gadget/function/f_fs.c:401:44: warning: Variable length array is used. > > The risk here is that the array would be too large. I don't know the > code well enough to say if it can be triggered, but from an outsider > perspective it looks scary (security implications). There should be a > comment explaining why it can't be used to overflow the 8k stack. n in that function can be at most 4 and usb_functionfs_event is 20 bytes long so this takes at most 80 bytes. Having said that, I can prepare a patch that converts the array to one with compile-time size if desired. > > diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c > index 0dc3552..7ad7137 100644 > --- a/drivers/usb/gadget/function/f_fs.c > +++ b/drivers/usb/gadget/function/f_fs.c > @@ -2393,7 +2393,8 @@ static int __ffs_func_bind_do_descs(enum ffs_entity_type type, u8 *valuep, > struct usb_endpoint_descriptor *ds = (void *)desc; > struct ffs_function *func = priv; > struct ffs_ep *ffs_ep; > - unsigned ep_desc_id, idx; > + unsigned ep_desc_id; > + int idx; > static const char *speed_names[] = { "full", "high", "super" }; > > if (type != FFS_DESCRIPTOR) -- Best regards, _ _ .o. | Liege of Serenely Enlightened Majesty of o' \,=./ `o ..o | Computer Science, Michał “mina86” Nazarewicz (o o) ooo +--<mpn@xxxxxxxxxx>--<xmpp:mina86@xxxxxxxxxx>--ooO--(_)--Ooo-- -- To unsubscribe from this list: send the line "unsubscribe linux-usb" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html