From: Johan Hovold <johan@kernel.org>
To: Cen Zhang <rollkingzzc@gmail.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org,
zerocling0077@gmail.com, 2045gemini@gmail.com
Subject: Re: [PATCH] USB: serial: belkin_sa: validate interrupt status length
Date: Mon, 18 May 2026 16:38:11 +0200
Message-ID: <agskU46ts6au5LmQ@hovoldconsulting.com>
In-Reply-To: <CAB7XQsGZg+wrSpCsjLXdZEsw2y9f73eNGOjYkbz_PLAbR1_C8g@mail.gmail.com>

On Mon, May 18, 2026 at 09:39:49PM +0800, Cen Zhang wrote:
> On Mon, May 18, 2026 at 01:07:05PM +0200, Johan Hovold wrote:
>
> > How was this issue found? Are you using some kind of static checker or
> > LLM?
>
> The initial lead came from an LLM-assisted local audit, not from a
> dedicated static checker. I then checked this path manually and validated
> the issue under KASAN with a small dummy_hcd/raw_gadget setup.
>
> The reproducer emulates a Belkin 050d:0103-compatible device with one
> interrupt-in endpoint whose wMaxPacketSize is 3. After belkin_sa bound and
> ttyUSB0 was opened once, the raw_gadget side completed 3-byte interrupt
> packets.
>
> The relevant part of the KASAN report is as below:
>
> BUG: KASAN: slab-out-of-bounds in belkin_sa_read_int_callback+0xd3/0x290
> Read of size 1 at addr ffff8881029d2c43

Nice work. But please mention that this was found with the help of an LLM in
the commit message as documented in:

 - Documentation/process/submitting-patches.rst ("Using Assisted-by:")
 - Documentation/process/coding-assistants.rst

> > You only need to verify urb->actual_length here (as actual_length <=
> > transfer_buffer_length).
>
> Agreed, thanks for pointing this out. I will send a v2 with the check
> reduced to:
>
> 	if (urb->actual_length < BELKIN_SA_MSR_INDEX + 1)
> 		goto exit;
>
> and update the commit message accordingly.

Sounds good, thanks.

Johan
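
The reduced check discussed in this thread, as an added user-space model that is not part of the original message or the belkin_sa driver source. struct model_urb, model_read_status() and model_check() are hypothetical names, the two index values are assumed (the thread only shows that a 3-byte packet is too short for BELKIN_SA_MSR_INDEX), and the sample packets are constructed.

```c
#include <stddef.h>
#include <stdio.h>

/* Assumed status offsets within the interrupt packet (see lead-in). */
#define BELKIN_SA_LSR_INDEX 2
#define BELKIN_SA_MSR_INDEX 3

/* Hypothetical stand-in for the struct urb fields the check relies on. */
struct model_urb {
	const unsigned char *transfer_buffer;
	size_t transfer_buffer_length;	/* bytes allocated for the buffer */
	size_t actual_length;		/* bytes the device actually sent */
};

/*
 * Returns 0 and fills *lsr and *msr when the packet is long enough,
 * -1 when it is short and must be ignored without touching the buffer.
 */
static int model_read_status(const struct model_urb *urb,
			     unsigned char *lsr, unsigned char *msr)
{
	/* actual_length <= transfer_buffer_length, so one test suffices. */
	if (urb->actual_length < BELKIN_SA_MSR_INDEX + 1)
		return -1;

	*lsr = urb->transfer_buffer[BELKIN_SA_LSR_INDEX];
	*msr = urb->transfer_buffer[BELKIN_SA_MSR_INDEX];
	return 0;
}

/* Constructed sample packets: 3 bytes (short) and 4 bytes (complete). */
static const unsigned char short_pkt[3] = { 0x00, 0x00, 0x60 };
static const unsigned char full_pkt[4]  = { 0x00, 0x00, 0x60, 0xb0 };

static int model_check(const unsigned char *buf, size_t len,
		       unsigned char *lsr, unsigned char *msr)
{
	struct model_urb urb = { buf, len, len };

	return model_read_status(&urb, lsr, msr);
}

int main(void)
{
	unsigned char lsr = 0, msr = 0;

	printf("3-byte packet: %d\n", model_check(short_pkt, 3, &lsr, &msr));
	printf("4-byte packet: %d\n", model_check(full_pkt, 4, &lsr, &msr));
	return 0;
}
```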