| Message ID | 20220303102656.1661407-4-mathias.nyman@linux.intel.com (mailing list archive) |
|---|---|
| State | Superseded |
| Headers | show |
| Series | xhci cleanups and fixes for usb-next | expand |
Hi, On 3.3.2022 12.26, Mathias Nyman wrote: > From: Anssi Hannula <anssi.hannula@bitwise.fi> > > xhci_decode_ctrl_ctx() returns the untouched buffer as-is if both "drop" > and "add" parameters are zero. > > Fix the function to return an empty string in that case. > > It was not immediately clear from the possible call chains whether this > issue is currently actually triggerable or not. > > Note that before commit 4843b4b5ec64 ("xhci: fix even more unsafe memory > Cc: stable@vger.kernel.org > usage in xhci tracing") the result effect in the failure case was different > as a static buffer was used here, but the code still worked incorrectly. You added the Cc-stable line a few lines too early above :) > Fixes: 90d6d5731da7 ("xhci: Add tracing for input control context") > Signed-off-by: Anssi Hannula <anssi.hannula@bitwise.fi> > Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com> > > commit 4843b4b5ec64 ("xhci: fix even more unsafe memory usage in xhci tracing") > --- > drivers/usb/host/xhci.h | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/drivers/usb/host/xhci.h b/drivers/usb/host/xhci.h > index 1d83ddace482..473a33ce299e 100644 > --- a/drivers/usb/host/xhci.h > +++ b/drivers/usb/host/xhci.h > @@ -2468,6 +2468,8 @@ static inline const char *xhci_decode_ctrl_ctx(char *str, > unsigned int bit; > int ret = 0; > > + str[0] = '\0'; > + > if (drop) { > ret = sprintf(str, "Drop:"); > for_each_set_bit(bit, &drop, 32)
On 3.3.2022 12.43, Anssi Hannula wrote: > Hi, > > On 3.3.2022 12.26, Mathias Nyman wrote: >> From: Anssi Hannula <anssi.hannula@bitwise.fi> >> >> xhci_decode_ctrl_ctx() returns the untouched buffer as-is if both "drop" >> and "add" parameters are zero. >> >> Fix the function to return an empty string in that case. >> >> It was not immediately clear from the possible call chains whether this >> issue is currently actually triggerable or not. >> >> Note that before commit 4843b4b5ec64 ("xhci: fix even more unsafe memory >> Cc: stable@vger.kernel.org >> usage in xhci tracing") the result effect in the failure case was different >> as a static buffer was used here, but the code still worked incorrectly. > > You added the Cc-stable line a few lines too early above :) Oops, copypaste accident. I'll resubmit Thanks -Mathias
diff --git a/drivers/usb/host/xhci.h b/drivers/usb/host/xhci.h index 1d83ddace482..473a33ce299e 100644 --- a/drivers/usb/host/xhci.h +++ b/drivers/usb/host/xhci.h @@ -2468,6 +2468,8 @@ static inline const char *xhci_decode_ctrl_ctx(char *str, unsigned int bit; int ret = 0; + str[0] = '\0'; + if (drop) { ret = sprintf(str, "Drop:"); for_each_set_bit(bit, &drop, 32)