[PATCH 4.9 132/212] USB: serial: iuu_phoenix: fix led-activity helpers

Thu, 20 Aug 2020 04:52:19 -0700 

From: Johan Hovold <jo...@kernel.org>

[ Upstream commit de37458f8c2bfc465500a1dd0d15dbe96d2a698c ]

The set-led command is eight bytes long and starts with a command byte
followed by six bytes of RGB data and ends with a byte encoding a
frequency (see iuu_led() and iuu_rgbf_fill_buffer()).

The led activity helpers had a few long-standing bugs which corrupted
the command packets by inserting a second command byte and thereby
offsetting the RGB data and dropping the frequency in non-xmas mode.

In xmas mode, a related off-by-one error left the frequency field
uninitialised.

Fixes: 60a8fc017103 ("USB: add iuu_phoenix driver")
Reported-by: George Spelvin <l...@sdf.org>
Link: https://lore.kernel.org/r/20200716085056.31471-1-jo...@kernel.org
Reviewed-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
Signed-off-by: Johan Hovold <jo...@kernel.org>
Signed-off-by: Sasha Levin <sas...@kernel.org>
---
 drivers/usb/serial/iuu_phoenix.c | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/drivers/usb/serial/iuu_phoenix.c b/drivers/usb/serial/iuu_phoenix.c
index d6ac1f472b779..bdeb2b2489549 100644
--- a/drivers/usb/serial/iuu_phoenix.c
+++ b/drivers/usb/serial/iuu_phoenix.c
@@ -369,10 +369,11 @@ static void iuu_led_activity_on(struct urb *urb)
        struct usb_serial_port *port = urb->context;
        int result;
        char *buf_ptr = port->write_urb->transfer_buffer;
-       *buf_ptr++ = IUU_SET_LED;
+
        if (xmas) {
-               get_random_bytes(buf_ptr, 6);
-               *(buf_ptr+7) = 1;
+               buf_ptr[0] = IUU_SET_LED;
+               get_random_bytes(buf_ptr + 1, 6);
+               buf_ptr[7] = 1;
        } else {
                iuu_rgbf_fill_buffer(buf_ptr, 255, 255, 0, 0, 0, 0, 255);
        }
@@ -390,13 +391,14 @@ static void iuu_led_activity_off(struct urb *urb)
        struct usb_serial_port *port = urb->context;
        int result;
        char *buf_ptr = port->write_urb->transfer_buffer;
+
        if (xmas) {
                iuu_rxcmd(urb);
                return;
-       } else {
-               *buf_ptr++ = IUU_SET_LED;
-               iuu_rgbf_fill_buffer(buf_ptr, 0, 0, 255, 255, 0, 0, 255);
        }
+
+       iuu_rgbf_fill_buffer(buf_ptr, 0, 0, 255, 255, 0, 0, 255);
+
        usb_fill_bulk_urb(port->write_urb, port->serial->dev,
                          usb_sndbulkpipe(port->serial->dev,
                                          port->bulk_out_endpointAddress),
-- 
2.25.1

Reply via email to