From: "Jose A. Perez de Azpillaga"
To: gregkh@linuxfoundation.org
Cc: azpijr@gmail.com, greybus-dev@lists.linaro.org, linux-kernel@vger.kernel.org
Subject: [PATCH v2] greybus/usb: handle unspecified lengths in hub_control
Date: Thu, 12 Feb 2026 19:23:06 +0100
Message-ID: <20260212182307.23777-1-azpijr@gmail.com>
In-Reply-To: <2026021222-fondue-celtic-0e2a@gregkh>

Fixes the FIXME in hub_control where response length was not handled
correctly.

The previous implementation always added wLength to the expected
response size, even when wLength was zero. The code also copied wLength
bytes from the response buffer without validating the actual payload
size returned by the Greybus operation.

Compute the response size starting from the fixed header and only add
wLength when it is non-zero. When copying data back to the caller, clamp
the copy size to the actual payload length reported by the Greybus core.
This avoids copying more data than what was actually returned by the
Greybus operation.

Tested by building the driver and issuing hub control requests with
varying wLength values (including zero) and verifying correct behavior.

Signed-off-by: Jose A. Perez de Azpillaga --- Changes in v2: - Document behavior when wLength =3D=3D 0 - Clamp memcpy() size to actual payload length - Add testing notes --- drivers/staging/greybus/usb.c | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/drivers/staging/greybus/usb.c b/drivers/staging/greybus/usb.c index 475f24f20cd4..f5f5a4863ddc 100644 --- a/drivers/staging/greybus/usb.c +++ b/drivers/staging/greybus/usb.c @@ -105,8 +105,10 @@ static int hub_control(struct usb_hcd *hcd, u16 typeRe= q, u16 wValue, u16 wIndex, size_t response_size; int ret; =20 - /* FIXME: handle unspecified lengths */ - response_size =3D sizeof(*response) + wLength; + /* Calculate expected response size */ + response_size =3D sizeof(*response); + if (wLength) + response_size +=3D wLength; =20 operation =3D gb_operation_create(dev->connection, GB_USB_TYPE_HUB_CONTROL, @@ -127,9 +129,13 @@ static int hub_control(struct usb_hcd *hcd, u16 typeRe= q, u16 wValue, u16 wIndex, goto out; =20 if (wLength) { - /* Greybus core has verified response size */ - response =3D operation->response->payload; - memcpy(buf, response->buf, wLength); + size_t actual_size =3D operation->response->payload_size - sizeof(*respo= nse); + size_t copy_size =3D min(wLength, actual_size); + + if (copy_size) { + response =3D operation->response->payload; + memcpy(buf, response->buf, copy_size); + } } out: gb_operation_put(operation); --=20 2.53.0
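
Review bot: in the first hunk (@@ -105,8 +105,10 @@), the new `if (wLength)` guard around `response_size += wLength;` has no effect, because adding a zero wLength already left `sizeof(*response)` unchanged in the removed line `response_size = sizeof(*response) + wLength;`. The computed size is identical for every wLength value, so the FIXME comment is deleted without the "unspecified lengths" case being handled here. Either keep the original single-line computation and the FIXME, or state in the new comment what an unspecified length means for this request and size the response for that case explicitly.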
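
Review bot: in the second hunk (@@ -127,9 +129,13 @@), `operation->response->payload_size - sizeof(*response)` is an unsigned subtraction stored in a size_t, so a payload shorter than the response header wraps to a very large `actual_size`. `min(wLength, actual_size)` then returns wLength and the memcpy() reads past the received payload, which is the case the clamp is meant to prevent. The removed comment said the Greybus core had verified the response size. If that guarantee still holds, say so in the commit message and explain why the clamp is needed. If it does not, check `payload_size < sizeof(*response)` before subtracting and return an error. Separately, when `copy_size` ends up smaller than wLength the function continues to `out:` with `buf` only partly filled and nothing in the hunk tells the caller how many bytes are valid; a short response should either be reported as an error or reflected in the return value.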