USB: serial: iuu_phoenix: fix led-activity helpers

The set-led command is eight bytes long and starts with a command byte
followed by six bytes of RGB data and ends with a byte encoding a
frequency (see iuu_led() and iuu_rgbf_fill_buffer()).

The led activity helpers had a few long-standing bugs which corrupted
the command packets by inserting a second command byte and thereby
offsetting the RGB data and dropping the frequency in non-xmas mode.

In xmas mode, a related off-by-one error left the frequency field
uninitialised.

Fixes: 60a8fc017103 ("USB: add iuu_phoenix driver")
Reported-by: George Spelvin <lkml@sdf.org>
Link: https://lore.kernel.org/r/20200716085056.31471-1-johan@kernel.org
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Johan Hovold <johan@kernel.org>

diff --git a/drivers/usb/serial/iuu_phoenix.c b/drivers/usb/serial/iuu_phoenix.c
index 6336616fee499d0cf3cabd972f5158477b17d8fe..9da0e25bb0ea5691f5c614a4140050fcc759c3c2 100644 (file)
--- a/drivers/usb/serial/iuu_phoenix.c
+++ b/drivers/usb/serial/iuu_phoenix.c
@@ -350,10 +350,11 @@ static void iuu_led_activity_on(struct urb *urb)
 {
        struct usb_serial_port *port = urb->context;
        char *buf_ptr = port->write_urb->transfer_buffer;
-       *buf_ptr++ = IUU_SET_LED;
+
        if (xmas) {
-               get_random_bytes(buf_ptr, 6);
-               *(buf_ptr+7) = 1;
+               buf_ptr[0] = IUU_SET_LED;
+               get_random_bytes(buf_ptr + 1, 6);
+               buf_ptr[7] = 1;
        } else {
                iuu_rgbf_fill_buffer(buf_ptr, 255, 255, 0, 0, 0, 0, 255);
        }
@@ -370,13 +371,14 @@ static void iuu_led_activity_off(struct urb *urb)
 {
        struct usb_serial_port *port = urb->context;
        char *buf_ptr = port->write_urb->transfer_buffer;
+
        if (xmas) {
                iuu_rxcmd(urb);
                return;
-       } else {
-               *buf_ptr++ = IUU_SET_LED;
-               iuu_rgbf_fill_buffer(buf_ptr, 0, 0, 255, 255, 0, 0, 255);
        }
+
+       iuu_rgbf_fill_buffer(buf_ptr, 0, 0, 255, 255, 0, 0, 255);
+
        usb_fill_bulk_urb(port->write_urb, port->serial->dev,
                          usb_sndbulkpipe(port->serial->dev,
                                          port->bulk_out_endpointAddress),