usb: gadget: prevent a ternary sign expansion bug
author Dan Carpenter <dan.carpenter@oracle.com>
Thu, 22 Apr 2021 09:00:54 +0000 (12:00 +0300)
committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 22 Apr 2021 11:17:29 +0000 (13:17 +0200)
The problem is that "req->actual" is a u32, "req->status" is an int, and
iocb->ki_complete() takes a long.  We would expect that a negative error
code in "req->status" would translate to a negative long value.

But what actually happens is that because "req->actual" is a u32, the
error code is type promoted to a high positive value and then remains
a positive value when it is cast to long.  (No sign expansion).

We can fix this by casting "req->status" to long.

Acked-by: Felipe Balbi <balbi@kernel.org>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Link: https://lore.kernel.org/r/YIE7RrBPLWc3XtMg@mwanda
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
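
The promotion described in the commit message, as an added stand-alone C example (not code from the kernel tree or from the patch author). `struct fake_req`, `result_before()`, `result_after()` and `caller_sees_error()` are hypothetical names, and the positive value for the failed request assumes a 64-bit `long`.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for the two usb_request fields the message names. */
struct fake_req {
	uint32_t actual;	/* bytes transferred (u32 in the kernel) */
	int status;		/* 0 or a negative errno */
};

/*
 * Pre-patch expression. The common type of (u32, int) in the ternary is
 * unsigned int, so a negative status becomes a large unsigned value
 * before it is widened to long.
 */
static long result_before(const struct fake_req *req)
{
	return req->actual ? req->actual : req->status;
}

/*
 * Post-patch expression. With status cast to long, the common type is
 * long wherever long is wider than 32 bits, so the sign is preserved.
 */
static long result_after(const struct fake_req *req)
{
	return req->actual ? req->actual : (long)req->status;
}

/* Hypothetical consumer that treats a negative result as an error. */
static int caller_sees_error(long res)
{
	return res < 0;
}

int main(void)
{
	/* Constructed sample requests: one failed transfer, one good one. */
	struct fake_req failed = { .actual = 0, .status = -EIO };
	struct fake_req ok = { .actual = 512, .status = 0 };
	long before = result_before(&failed), after = result_after(&failed);

	printf("failed: before=%ld (error seen: %d) after=%ld (error seen: %d)\n",
	       before, caller_sees_error(before), after, caller_sees_error(after));
	printf("ok:     before=%ld after=%ld\n",
	       result_before(&ok), result_after(&ok));
	return 0;
}
```
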
drivers/usb/gadget/legacy/inode.c

index 71e7d10..cd8e273 100644 (file)
@@ -498,7 +498,8 @@ static void ep_aio_complete(struct usb_ep *ep, struct usb_request *req)
                iocb->private = NULL;
                /* aio_complete() reports bytes-transferred _and_ faults */
 
-               iocb->ki_complete(iocb, req->actual ? req->actual : req->status,
+               iocb->ki_complete(iocb,
+                               req->actual ? req->actual : (long)req->status,
                                req->status);
        } else {
                /* ep_copy_to_user() won't report both; we hide some faults */
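
Review bot: the `(long)` cast on the second arm of the ternary in the `iocb->ki_complete()` call reads as redundant at the call site, and the only comment above it ("aio_complete() reports bytes-transferred _and_ faults") does not say why it is needed, so a later cleanup could remove it and reintroduce the bug. Consider a one-line comment noting that `req->actual` is a u32 and would otherwise pull `req->status` to unsigned, or compute the value into a local `long` before the call so the conversion is visible in the declaration. The third argument passes `req->status` on its own, with no unsigned operand involved, so only the second argument needs this treatment.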