USB: Do not pass negative length to snoop_urb()
author Michal Sojka <sojkam1@fel.cvut.cz>
Tue, 15 Mar 2011 15:41:47 +0000 (16:41 +0100)
committer Greg Kroah-Hartman <gregkh@suse.de>
Wed, 23 Mar 2011 20:14:16 +0000 (13:14 -0700)
When `echo Y > /sys/module/usbcore/parameters/usbfs_snoop` and
usb_control_msg() returns an error, a lot of kernel memory is dumped to dmesg
until an unhandled kernel paging request occurs.

Signed-off-by: Michal Sojka <sojkam1@fel.cvut.cz>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
drivers/usb/core/devio.c

index a7131ad630f9ad54535205017352ee10175df384..37518dfdeb987188089eb43c3147417ce14615a9 100644 (file)
@@ -802,7 +802,7 @@ static int proc_control(struct dev_state *ps, void __user *arg)
                                    tbuf, ctrl.wLength, tmo);
                usb_lock_device(dev);
                snoop_urb(dev, NULL, pipe, max(i, 0), min(i, 0), COMPLETE,
-                       tbuf, i);
+                         tbuf, max(i, 0));
                if ((i > 0) && ctrl.wLength) {
                        if (copy_to_user(ctrl.data, tbuf, i)) {
                                free_page((unsigned long)tbuf);
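Review bot: The clamp is applied only at this one call site (`tbuf, max(i, 0)` in proc_control()), so snoop_urb() itself still accepts whatever length a caller hands it. Here `i` is either a byte count or a negative error code, which is why the same call already splits it into max(i, 0) and min(i, 0), and any other caller that forwards such a return value unclamped would reproduce the dump described in the commit message. Consider having snoop_urb() return early or clamp when the length is negative, or state in the commit message that the remaining callers were checked. Minor style point: max(i, 0) now appears twice in the same argument list; computing it once into a local before the call would read more clearly.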