Input: ims-pcu - fix out-of-bounds read in ims_pcu_irq() debug logging

The debug logging in ims_pcu_irq() unconditionally prints data from
pcu->urb_in_buf. However, if the interrupt fired for pcu->urb_ctrl, the
actual data resides in pcu->urb_ctrl_buf. If urb->actual_length for the
control URB exceeds pcu->max_in_size, this leads to an out-of-bounds
read.

Fix this by printing from the correct buffer associated with the URB.

Fixes: 628329d52474 ("Input: add IMS Passenger Control Unit driver")
Cc: stable@vger.kernel.org
Reported-by: Sashiko bot <sashiko-bot@kernel.org>
Assisted-by: Gemini:gemini-3.1-pro
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>

diff --git a/drivers/input/misc/ims-pcu.c b/drivers/input/misc/ims-pcu.c
index 2b49d1a5473fc2093457a7e432312417d15a5e15..6bacd7e56e68db05b6091390c83dad05730c29a7 100644 (file)
--- a/drivers/input/misc/ims-pcu.c
+++ b/drivers/input/misc/ims-pcu.c
@@ -1536,7 +1536,7 @@ static void ims_pcu_irq(struct urb *urb)
        }
 
        dev_dbg(pcu->dev, "%s: received %d: %*ph\n", __func__,
-               urb->actual_length, urb->actual_length, pcu->urb_in_buf);
+               urb->actual_length, urb->actual_length, urb->transfer_buffer);
 
        if (urb == pcu->urb_in)
                ims_pcu_process_data(pcu, urb);