Re: [PATCH 07/11] Input: ims-pcu - fix logic error in packet reset
From: sashiko-bot@kernel.org
Date: 2026-05-23 06:25:07
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [High] Incorrect DMA Buffer Free Size in ims_pcu_buffers_free
--
commit dc91d6796d4d3cd53758e89df06633851a88ea55
Author: Dmitry Torokhov [off-list ref]
Input: ims-pcu - fix logic error in packet reset
ims_pcu_reset_packet() incorrectly sets have_stx to true, which implies
that the start-of-packet delimiter has already been received. This
causes the protocol parser to skip waiting for the next STX byte and
potentially process garbage data.
Correctly set have_stx to false when resetting the packet state.
diff --git a/drivers/input/misc/ims-pcu.c b/drivers/input/misc/ims-pcu.c index 51b1cdc226e65..55e5599cf5107 100644 --- a/drivers/input/misc/ims-pcu.c +++ b/drivers/input/misc/ims-pcu.c@@ -440,7 +440,7 @@ static void ims_pcu_handle_response(struct ims_pcu *pcu) static void ims_pcu_reset_packet(struct ims_pcu *pcu) { - pcu->have_stx = true; + pcu->have_stx = false; pcu->have_dle = false; pcu->read_pos = 0; pcu->check_sum = 0;
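Review bot: In ims_pcu_reset_packet(), the corrected `pcu->have_stx = false;` assignment has no comment stating the intended post-reset state, and the wrong value sat unnoticed beside the have_dle, read_pos and check_sum resets. Consider a one-line comment above the assignments saying that after a reset the parser must see a new STX before it accepts any data. The commit message as quoted here also carries no Fixes: tag naming the change that introduced the wrong value, which would help anyone deciding on backports.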
[Severity: High]
This is a pre-existing issue, but I noticed a potential DMA API violation in
the ims_pcu_buffers_free() function.
Looking at drivers/input/misc/ims-pcu.c:ims_pcu_buffers_free():
	static void ims_pcu_buffers_free(struct ims_pcu *pcu)
	{
		usb_kill_urb(pcu->urb_in);
		usb_free_urb(pcu->urb_in);
		usb_free_coherent(pcu->udev, pcu->max_out_size,
				  pcu->urb_in_buf, pcu->read_dma);
Should this use pcu->max_in_size instead of pcu->max_out_size when
freeing pcu->urb_in_buf? Using the incorrect length could cause memory
leaks or memory corruption within the DMA allocator.
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260523050634.501509-1-dmitry.torokhov@gmail.com?part=7
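
The effect the commit message describes, shown on a simplified STX/ETX/DLE frame parser. This is an added example, not code from the driver or from this thread; the framing byte values, the struct and function names, and the input stream are assumptions made for illustration, and the checksum is left out.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Assumed framing bytes for this sketch; the page does not give them. */
enum { STX = 0x02, ETX = 0x03, DLE = 0x10 };

struct parser {                 /* hypothetical stand-in for the driver state */
	bool have_stx, have_dle;
	size_t read_pos;
	uint8_t buf[32];
};

/* stx_after_reset: true models the old reset, false the patched one. */
static void reset_packet(struct parser *p, bool stx_after_reset)
{
	p->have_stx = stx_after_reset;
	p->have_dle = false;
	p->read_pos = 0;
}

/* Returns the payload length of the first frame completed, or -1 if none. */
static int first_frame(struct parser *p, const uint8_t *in, size_t n)
{
	for (size_t i = 0; i < n; i++) {
		uint8_t b = in[i];

		/* Hunting for a frame start: drop everything except STX. */
		if (!p->have_stx) { p->have_stx = (b == STX); continue; }
		if (!p->have_dle) {
			if (b == DLE) { p->have_dle = true; continue; }
			if (b == STX) { p->read_pos = 0; continue; }  /* restart */
			if (b == ETX) return (int)p->read_pos;
		}
		p->have_dle = false;    /* escaped or ordinary payload byte */
		if (p->read_pos < sizeof(p->buf)) p->buf[p->read_pos++] = b;
	}
	return -1;
}

/* Constructed input: tail of a truncated frame, then one intact frame. */
static const uint8_t stream[] = { 0x41, 0x42, ETX, STX, 0x55, DLE, ETX, 0x77, ETX };

static int run(bool stx_after_reset, uint8_t *first_byte)
{
	struct parser p;
	reset_packet(&p, stx_after_reset);
	int len = first_frame(&p, stream, sizeof(stream));
	*first_byte = len > 0 ? p.buf[0] : 0;
	return len;
}
```

With the old reset value the leftover bytes 0x41 0x42 are delivered as a two-byte frame; with the patched value they are discarded and the first frame is the intact three-byte one that follows the STX.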