From: Anssi Hannula <anssi.hannula@xxxxxxxxxx> commit 3105bc977d7cbf2edc35e24cc7e009686f6e4a56 upstream. xhci_decode_usbsts() is expected to return a zero-terminated string by its only caller, xhci_stop_endpoint_command_watchdog(), which directly logs the return value: xhci_warn(xhci, "USBSTS:%s\n", xhci_decode_usbsts(str, usbsts)); However, if no recognized bits are set in usbsts, the function will return without having called any sprintf() and therefore return an untouched non-zero-terminated caller-provided buffer, causing garbage to be output to log. Fix that by always including the raw value in the output. Note that before commit 4843b4b5ec64 ("xhci: fix even more unsafe memory usage in xhci tracing") the result effect in the failure case was different as a static buffer was used here, but the code still worked incorrectly. Fixes: 9c1aa36efdae ("xhci: Show host status when watchdog triggers and host is assumed dead.") Cc: stable@xxxxxxxxxxxxxxx Signed-off-by: Anssi Hannula <anssi.hannula@xxxxxxxxxx> Signed-off-by: Mathias Nyman <mathias.nyman@xxxxxxxxxxxxxxx> Link: https://lore.kernel.org/r/20220303110903.1662404-3-mathias.nyman@xxxxxxxxxxxxxxx Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- drivers/usb/host/xhci.h | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) --- a/drivers/usb/host/xhci.h +++ b/drivers/usb/host/xhci.h @@ -2624,8 +2624,11 @@ static inline const char *xhci_decode_us { int ret = 0; + ret = sprintf(str, " 0x%08x", usbsts); + if (usbsts == ~(u32)0) - return " 0xffffffff"; + return str; + if (usbsts & STS_HALT) ret += sprintf(str + ret, " HCHalted"); if (usbsts & STS_FATAL)