This is a note to let you know that I've just added the patch titled
usb: fotg210-hcd: delete an incorrect bounds test
to the 6.6-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
usb-fotg210-hcd-delete-an-incorrect-bounds-test.patch
and it can be found in the queue-6.6 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.
>From 7fbcd195e2b8cc952e4aeaeb50867b798040314c Mon Sep 17 00:00:00 2001
From: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
Date: Wed, 13 Dec 2023 16:22:43 +0300
Subject: usb: fotg210-hcd: delete an incorrect bounds test
From: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
commit 7fbcd195e2b8cc952e4aeaeb50867b798040314c upstream.
Here "temp" is the number of characters that we have written and "size"
is the size of the buffer. The intent was clearly to say that if we have
written to the end of the buffer then stop.
However, for that to work the comparison should have been done on the
original "size" value instead of the "size -= temp" value. Not only
will that not trigger when we want to, but there is a small chance that
it will trigger incorrectly before we want it to and we break from the
loop slightly earlier than intended.
This code was recently changed from using snprintf() to scnprintf(). With
snprintf() we likely would have continued looping and passed a negative
size parameter to snprintf(). This would have triggered an annoying
WARN(). Now that we have converted to scnprintf() "size" will never
drop below 1 and there is no real need for this test. We could change
the condition to "if (temp <= 1) goto done;" but just deleting the test
is cleanest.
Fixes: 7d50195f6c50 ("usb: host: Faraday fotg210-hcd driver")
Cc: stable <stable@xxxxxxxxxx>
Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
Reviewed-by: Linus Walleij <linus.walleij@xxxxxxxxxx>
Reviewed-by: Lee Jones <lee@xxxxxxxxxx>
Link: https://lore.kernel.org/r/ZXmwIwHe35wGfgzu@suswa
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
drivers/usb/fotg210/fotg210-hcd.c | 3 ---
1 file changed, 3 deletions(-)
--- a/drivers/usb/fotg210/fotg210-hcd.c
+++ b/drivers/usb/fotg210/fotg210-hcd.c
@@ -428,8 +428,6 @@ static void qh_lines(struct fotg210_hcd
temp = size;
size -= temp;
next += temp;
- if (temp == size)
- goto done;
}
temp = snprintf(next, size, "\n");
@@ -439,7 +437,6 @@ static void qh_lines(struct fotg210_hcd
size -= temp;
next += temp;
-done:
*sizep = size;
*nextp = next;
}
Patches currently in stable-queue which might be from dan.carpenter@xxxxxxxxxx are
queue-6.6/net-mlx5e-fix-error-codes-in-alloc_branch_attr.patch
queue-6.6/usb-fotg210-hcd-delete-an-incorrect-bounds-test.patch
queue-6.6/net-mlx5e-fix-error-code-in-mlx5e_tc_action_miss_map.patch
