Re: [greybus-dev] PATCH 1/1: greybus/usb: handle unspecified lengths in hub_control
From: Greg KH
Date: Thu Feb 12 2026 - 06:44:07 EST
On Wed, Feb 11, 2026 at 11:02:17PM +0100, Jose A. Perez de Azpillaga wrote:
> >From 1e099b581fe475905509b9d600015ea2500b8cf8 Mon Sep 17 00:00:00 2001
> From: "Jose A. Perez de Azpillaga" <azpijr@xxxxxxxxx>
> Date: Wed, 11 Feb 2026 22:54:40 +0100
> Subject: [PATCH] greybus/usb: handle unspecified lengths in hub_control
Something went wrong with your email client to include this in the
changelog area. Perhaps use git send-email instead?
>
> Fixes the FIXME in hub_control where response length was not handled correctly.
Can you wrap these lines at 72 columns like the editor asks?
>
> Signed-off-by: Jose A. Perez de Azpillaga <azpijr@xxxxxxxxx>
> ---
> drivers/staging/greybus/usb.c | 16 +++++++++++-----
> 1 file changed, 11 insertions(+), 5 deletions(-)
>
> diff --git a/drivers/staging/greybus/usb.c b/drivers/staging/greybus/usb.c
> index 475f24f20cd4..f5f5a4863ddc 100644
> --- a/drivers/staging/greybus/usb.c
> +++ b/drivers/staging/greybus/usb.c
> @@ -105,8 +105,10 @@ static int hub_control(struct usb_hcd *hcd, u16 typeReq, u16 wValue, u16 wIndex,
> size_t response_size;
> int ret;
>
> - /* FIXME: handle unspecified lengths */
> - response_size = sizeof(*response) + wLength;
> + /* Calculate expected response size */
> + response_size = sizeof(*response);
> + if (wLength)
> + response_size += wLength;
How is this handling an unspecified length?
>
> operation = gb_operation_create(dev->connection,
> GB_USB_TYPE_HUB_CONTROL,
> @@ -127,9 +129,13 @@ static int hub_control(struct usb_hcd *hcd, u16 typeReq, u16 wValue, u16 wIndex,
> goto out;
>
> if (wLength) {
> - /* Greybus core has verified response size */
> - response = operation->response->payload;
> - memcpy(buf, response->buf, wLength);
> + size_t actual_size = operation->response->payload_size - sizeof(*response);
> + size_t copy_size = min(wLength, actual_size);
> +
> + if (copy_size) {
> + response = operation->response->payload;
> + memcpy(buf, response->buf, copy_size);
> + }
Sorry, but I do not understand this change. How was this tested?
thanks,
greg k-h