Re: [PATCH v2] Input: penmount: bound packet buffer indices in IRQ path

From: Dmitry Torokhov

Date: Tue Mar 24 2026 - 21:36:54 EST


Hi Pengpeng,

On Tue, Mar 24, 2026 at 09:14:42PM +0800, Pengpeng Hou wrote:
> pm_interrupt() stores each incoming byte into pm->data[] before the
> packet parser gets a chance to reset pm->idx. If the incoming serial
> stream never matches one of the expected packet headers, pm->idx can
> advance past the fixed receive buffer and the next IRQ will write beyond
> PM_MAX_LENGTH.

How will it advance? The handlers do:

if (byte_0_check() && pm->packetsize == ++pm->idx)
...

If we never match any of the protocols then pm->idx will never advance
past 0 (and we will keep overwriting the first byte of the packet
array).

Does your analyzer miss the "short-circuiting" nature of the && operator?

Thanks.

--
Dmitry
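The short-circuit argument above, as an added example that is not code from the penmount driver or from either mail. It models the quoted pattern `if (byte_0_check() && pm->packetsize == ++pm->idx)` in user space and feeds it two constructed byte streams: one that never carries a valid header and one made of well-formed packets. The header test (bit 7 of byte 0 set), the packet size of 5, PM_MAX_LENGTH of 6 and the bookkeeping fields `packets` and `max_idx_written` are all assumptions made for the demonstration, not the driver's real values or layout.

```c
/*
 * Added example: user-space model of the IRQ path quoted in the mail.
 * Header test, packet size, PM_MAX_LENGTH and the two bookkeeping
 * fields are constructed stand-ins, not the real driver's values.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PM_MAX_LENGTH 6   /* constructed stand-in for the driver's buffer size */

struct pm {
    unsigned char data[PM_MAX_LENGTH];
    int idx;
    int packetsize;
    int packets;          /* complete packets seen by the parser (added for the demo) */
    int max_idx_written;  /* highest index pm_interrupt() ever stored into (added) */
};

/* Stand-in for the driver's byte-0 header test; bit 7 marks a header (assumption). */
static bool byte_0_check(const struct pm *pm)
{
    return (pm->data[0] & 0x80) != 0;
}

/* One serial IRQ: store the byte, then run the parse step quoted in the mail. */
static void pm_interrupt(struct pm *pm, unsigned char byte)
{
    if (pm->idx > pm->max_idx_written)
        pm->max_idx_written = pm->idx;
    pm->data[pm->idx] = byte;

    /* && short-circuits: ++pm->idx is evaluated only after byte_0_check() is true. */
    if (byte_0_check(pm) && pm->packetsize == ++pm->idx) {
        pm->packets++;
        pm->idx = 0;      /* packet complete: the parser resets the index */
    }
}

/* Feed a whole byte stream through pm_interrupt() on a freshly zeroed struct pm. */
static void run_stream(struct pm *pm, int packetsize,
                       const unsigned char *stream, size_t len)
{
    memset(pm, 0, sizeof(*pm));
    pm->packetsize = packetsize;
    for (size_t i = 0; i < len; i++)
        pm_interrupt(pm, stream[i]);
}

/* Highest index written when the stream never contains a valid header byte. */
int max_index_no_header(void)
{
    struct pm pm;
    unsigned char junk[64];
    for (size_t i = 0; i < sizeof(junk); i++)
        junk[i] = (unsigned char)(i & 0x7f);    /* constructed: bit 7 clear, never a header */
    run_stream(&pm, 5, junk, sizeof(junk));
    return pm.max_idx_written;                   /* 0: idx never moves off data[0] */
}

/* Constructed stream of three well-formed 5-byte packets (header byte, then payload). */
static const unsigned char valid_stream[] = {
    0x80, 1, 2, 3, 4,
    0x81, 5, 6, 7, 8,
    0x80, 9, 9, 9, 9,
};

/* Highest index written while parsing the well-formed packets. */
int max_index_valid_packets(void)
{
    struct pm pm;
    run_stream(&pm, 5, valid_stream, sizeof(valid_stream));
    return pm.max_idx_written;                   /* packetsize - 1 == 4 */
}

/* Number of complete packets the parser resets on for the well-formed stream. */
int packets_valid_stream(void)
{
    struct pm pm;
    run_stream(&pm, 5, valid_stream, sizeof(valid_stream));
    return pm.packets;                           /* 3 */
}

int main(void)
{
    printf("no header : max index written = %d (PM_MAX_LENGTH = %d)\n",
           max_index_no_header(), PM_MAX_LENGTH);
    printf("valid     : max index written = %d, packets = %d\n",
           max_index_valid_packets(), packets_valid_stream());
    return 0;
}
```

With the header check failing on every byte, the right-hand side of the && never runs, so idx stays at 0 and each IRQ overwrites data[0], exactly as described above; with valid packets the index climbs to packetsize - 1 and is reset, so the buffer bound is governed by packetsize against PM_MAX_LENGTH, not by how long the unmatched stream is.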