From: Dan Carpenter <dan.carpenter@oracle.com>
To: Sean Young <sean@mess.org>
Cc: Phong Tran <tranmanphong@gmail.com>,
mchehab@kernel.org, gregkh@linuxfoundation.org,
allison@lohutok.net, tglx@linutronix.de,
syzbot+6bf9606ee955b646c0e1@syzkaller.appspotmail.com,
linux-media@vger.kernel.org, linux-kernel@vger.kernel.org,
glider@google.com, syzkaller-bugs@googlegroups.com
Subject: Re: [PATCH] media: dvb: check return value digitv_ctrl_msg
Date: Wed, 15 Jan 2020 21:15:18 +0300
Message-ID: <20200115181315.GG9562@kadam>
In-Reply-To: <20200115180116.GA21151@kadam>

On Wed, Jan 15, 2020 at 09:01:17PM +0300, Dan Carpenter wrote:
> On Wed, Jan 15, 2020 at 05:32:26PM +0000, Sean Young wrote:
> > Hello,
> >
> > On Tue, Dec 03, 2019 at 07:41:38AM +0700, Phong Tran wrote:
> > > For fixing syzbot "KMSAN: uninit-value in digitv_rc_query"
> > >
> > > In scenario testing for syzbot, failure reading from
> > > digitv_ctrl_msg() [1].
> > >
> > > Eg:
> > > [ 91.846657][ T3844] dvb-usb: bulk message failed: -22 (7/0)
> > >
> > > digitv_rc_query() always return 0. But in this case a wrong thing happens.
> > >
> > > Reported-by: syzbot+6bf9606ee955b646c0e1@syzkaller.appspotmail.com
> > > Tested-by: syzbot+6bf9606ee955b646c0e1@syzkaller.appspotmail.com
> >
> > A fix for this was already merged I'm afraid, see commit eecc70d22ae5
> > ("media: digitv: don't continue if remote control state can't be read").
> >
> > > [1]: https://syzkaller.appspot.com/text?tag=CrashLog&x=16860a63600000
> > > [2]: https://groups.google.com/d/msg/syzkaller-bugs/-TXIJAZ0J9Q/T4PEUQoeAQAJ
> > >
> > > Signed-off-by: Phong Tran <tranmanphong@gmail.com>
> > > ---
> > > drivers/media/usb/dvb-usb/digitv.c | 12 ++++++++----
> > > 1 file changed, 8 insertions(+), 4 deletions(-)
> > >
> > > diff --git a/drivers/media/usb/dvb-usb/digitv.c b/drivers/media/usb/dvb-usb/digitv.c
> > > index dd5bb230cec1..61bc8945e6b9 100644
> > > --- a/drivers/media/usb/dvb-usb/digitv.c
> > > +++ b/drivers/media/usb/dvb-usb/digitv.c
> > > @@ -231,17 +231,21 @@ static struct rc_map_table rc_map_digitv_table[] = {
> > > static int digitv_rc_query(struct dvb_usb_device *d, u32 *event, int *state)
> > > {
> > > int i;
> > > - u8 key[5];
> > > + u8 key[5] = { 0 };
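Review bot: The `= { 0 }` initializer added to `key[5]` at the top of digitv_rc_query() is not explained by the changelog, which is about checking the digitv_ctrl_msg() return value. Zero-filling the buffer stops KMSAN from reporting a read of bytes that were never written, so it can hide the bug instead of fixing it. If the return check makes the later reads safe, drop the initializer; if some element of `key` is still read without being filled, say which one in the commit message and fix the buffer layout rather than pre-clearing it.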
> >
> > The merged commit does not change this line. Why was this changed?
> >
>
> It would fix the problem that key[0] is never initialized... But the
> correct fix is to make key 4 elements long and delete key[0].

Phong,

Presumably you can fix this? You will have to renumber key[1] to
key[0] and key[2] to key[1] etc... Add a fixes tag.

Fixes: 774c0de4aed4 ("V4L/DVB (4616): [PATCH] Nebula DigiTV USB RC support")

Otherwise if you want I can send the patch.

regards,
dan carpenter