From: kernel test robot <lkp@intel.com>
To: pip-izony <eeodqql09@gmail.com>,
Mauro Carvalho Chehab <mchehab@kernel.org>
Cc: llvm@lists.linux.dev, oe-kbuild-all@lists.linux.dev,
linux-media@vger.kernel.org, Seungjin Bae <eeodqql09@gmail.com>,
Kyungtae Kim <Kyungtae.Kim@dartmouth.edu>,
Sanghoon Choi <csh0052@gmail.com>,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2] media: ttusb-dec: fix heap-buffer-overflow in ttusb_dec_process_urb_frame()
Date: Tue, 23 Dec 2025 09:17:43 +0800 [thread overview]
Message-ID: <202512230947.zdHvFcAE-lkp@intel.com> (raw)
In-Reply-To: <20251222054644.938208-2-eeodqql09@gmail.com>
Hi pip-izony,
kernel test robot noticed the following build errors:
[auto build test ERROR on linuxtv-media-pending/master]
[also build test ERROR on media-tree/master sailus-media-tree/master linus/master v6.19-rc2 next-20251219]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]
url: https://github.com/intel-lab-lkp/linux/commits/pip-izony/media-ttusb-dec-fix-heap-buffer-overflow-in-ttusb_dec_process_urb_frame/20251222-134809
base: https://git.linuxtv.org/media-ci/media-pending.git master
patch link: https://lore.kernel.org/r/20251222054644.938208-2-eeodqql09%40gmail.com
patch subject: [PATCH v2] media: ttusb-dec: fix heap-buffer-overflow in ttusb_dec_process_urb_frame()
config: sparc64-allmodconfig (https://download.01.org/0day-ci/archive/20251223/202512230947.zdHvFcAE-lkp@intel.com/config)
compiler: clang version 22.0.0git (https://github.com/llvm/llvm-project 185f5fd5ce4c65116ca8cf6df467a682ef090499)
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20251223/202512230947.zdHvFcAE-lkp@intel.com/reproduce)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202512230947.zdHvFcAE-lkp@intel.com/
All errors (new ones prefixed by >>):
>> drivers/media/usb/ttusb-dec/ttusb_dec.c:713:7: error: expected ')'
713 | __func__);
| ^
drivers/media/usb/ttusb-dec/ttusb_dec.c:711:6: note: to match this '('
711 | dev_warn(&dec->udev->dev,
| ^
include/linux/dev_printk.h:156:2: note: expanded from macro 'dev_warn'
156 | dev_printk_index_wrap(_dev_warn, KERN_WARNING, dev, dev_fmt(fmt), ##__VA_ARGS__)
| ^
include/linux/dev_printk.h:109:3: note: expanded from macro 'dev_printk_index_wrap'
109 | dev_printk_index_emit(level, fmt); \
| ^
include/linux/dev_printk.h:105:2: note: expanded from macro 'dev_printk_index_emit'
105 | printk_index_subsys_emit("%s %s: ", level, fmt)
| ^
include/linux/printk.h:479:2: note: expanded from macro 'printk_index_subsys_emit'
479 | __printk_index_emit(fmt, level, subsys_fmt_prefix)
| ^
include/linux/printk.h:436:27: note: expanded from macro '__printk_index_emit'
436 | if (__builtin_constant_p(_fmt) && __builtin_constant_p(_level)) { \
| ^
>> drivers/media/usb/ttusb-dec/ttusb_dec.c:713:7: error: expected ')'
713 | __func__);
| ^
drivers/media/usb/ttusb-dec/ttusb_dec.c:711:6: note: to match this '('
711 | dev_warn(&dec->udev->dev,
| ^
include/linux/dev_printk.h:156:2: note: expanded from macro 'dev_warn'
156 | dev_printk_index_wrap(_dev_warn, KERN_WARNING, dev, dev_fmt(fmt), ##__VA_ARGS__)
| ^
include/linux/dev_printk.h:109:3: note: expanded from macro 'dev_printk_index_wrap'
109 | dev_printk_index_emit(level, fmt); \
| ^
include/linux/dev_printk.h:105:2: note: expanded from macro 'dev_printk_index_emit'
105 | printk_index_subsys_emit("%s %s: ", level, fmt)
| ^
include/linux/printk.h:479:2: note: expanded from macro 'printk_index_subsys_emit'
479 | __printk_index_emit(fmt, level, subsys_fmt_prefix)
| ^
include/linux/printk.h:445:32: note: expanded from macro '__printk_index_emit'
445 | .fmt = __builtin_constant_p(_fmt) ? (_fmt) : NULL, \
| ^
>> drivers/media/usb/ttusb-dec/ttusb_dec.c:713:7: error: expected ')'
713 | __func__);
| ^
drivers/media/usb/ttusb-dec/ttusb_dec.c:711:6: note: to match this '('
711 | dev_warn(&dec->udev->dev,
| ^
include/linux/dev_printk.h:156:2: note: expanded from macro 'dev_warn'
156 | dev_printk_index_wrap(_dev_warn, KERN_WARNING, dev, dev_fmt(fmt), ##__VA_ARGS__)
| ^
include/linux/dev_printk.h:109:3: note: expanded from macro 'dev_printk_index_wrap'
109 | dev_printk_index_emit(level, fmt); \
| ^
include/linux/dev_printk.h:105:2: note: expanded from macro 'dev_printk_index_emit'
105 | printk_index_subsys_emit("%s %s: ", level, fmt)
| ^
include/linux/printk.h:479:2: note: expanded from macro 'printk_index_subsys_emit'
479 | __printk_index_emit(fmt, level, subsys_fmt_prefix)
| ^
include/linux/printk.h:445:41: note: expanded from macro '__printk_index_emit'
445 | .fmt = __builtin_constant_p(_fmt) ? (_fmt) : NULL, \
| ^
>> drivers/media/usb/ttusb-dec/ttusb_dec.c:713:7: error: expected ')'
713 | __func__);
| ^
drivers/media/usb/ttusb-dec/ttusb_dec.c:711:6: note: to match this '('
711 | dev_warn(&dec->udev->dev,
| ^
include/linux/dev_printk.h:156:2: note: expanded from macro 'dev_warn'
156 | dev_printk_index_wrap(_dev_warn, KERN_WARNING, dev, dev_fmt(fmt), ##__VA_ARGS__)
| ^
include/linux/dev_printk.h:110:10: note: expanded from macro 'dev_printk_index_wrap'
110 | _p_func(dev, fmt, ##__VA_ARGS__); \
| ^
4 errors generated.
vim +713 drivers/media/usb/ttusb-dec/ttusb_dec.c
640
641 static void ttusb_dec_process_urb_frame(struct ttusb_dec *dec, u8 *b,
642 int length)
643 {
644 swap_bytes(b, length);
645
646 while (length) {
647 switch (dec->packet_state) {
648
649 case 0:
650 case 1:
651 case 2:
652 if (*b++ == 0xaa)
653 dec->packet_state++;
654 else
655 dec->packet_state = 0;
656
657 length--;
658 break;
659
660 case 3:
661 if (*b == 0x00) {
662 dec->packet_state++;
663 dec->packet_length = 0;
664 } else if (*b != 0xaa) {
665 dec->packet_state = 0;
666 }
667
668 b++;
669 length--;
670 break;
671
672 case 4:
673 dec->packet[dec->packet_length++] = *b++;
674
675 if (dec->packet_length == 2) {
676 if (dec->packet[0] == 'A' &&
677 dec->packet[1] == 'V') {
678 dec->packet_type =
679 TTUSB_DEC_PACKET_PVA;
680 dec->packet_state++;
681 } else if (dec->packet[0] == 'S') {
682 dec->packet_type =
683 TTUSB_DEC_PACKET_SECTION;
684 dec->packet_state++;
685 } else if (dec->packet[0] == 0x00) {
686 dec->packet_type =
687 TTUSB_DEC_PACKET_EMPTY;
688 dec->packet_payload_length = 2;
689 dec->packet_state = 7;
690 } else {
691 printk("%s: unknown packet type: %02x%02x\n",
692 __func__,
693 dec->packet[0], dec->packet[1]);
694 dec->packet_state = 0;
695 }
696 }
697
698 length--;
699 break;
700
701 case 5:
702 dec->packet[dec->packet_length++] = *b++;
703
704 if (dec->packet_type == TTUSB_DEC_PACKET_PVA &&
705 dec->packet_length == 8) {
706 int len = 8 +
707 (dec->packet[6] << 8) +
708 dec->packet[7];
709
710 if (len > MAX_PVA_LENGTH + 4) {
711 dev_warn(&dec->udev->dev,
712 "%s: packet too long - discarding\n"
> 713 __func__);
714 dec->packet_state = 0;
715 } else {
716 dec->packet_state++;
717 dec->packet_payload_length = len;
718 }
719 } else if (dec->packet_type ==
720 TTUSB_DEC_PACKET_SECTION &&
721 dec->packet_length == 5) {
722 dec->packet_state++;
723 dec->packet_payload_length = 5 +
724 ((dec->packet[3] & 0x0f) << 8) +
725 dec->packet[4];
726 }
727
728 length--;
729 break;
730
731 case 6: {
732 int remainder = dec->packet_payload_length -
733 dec->packet_length;
734
735 if (length >= remainder) {
736 memcpy(dec->packet + dec->packet_length,
737 b, remainder);
738 dec->packet_length += remainder;
739 b += remainder;
740 length -= remainder;
741 dec->packet_state++;
742 } else {
743 memcpy(&dec->packet[dec->packet_length],
744 b, length);
745 dec->packet_length += length;
746 length = 0;
747 }
748
749 break;
750 }
751
752 case 7: {
753 int tail = 4;
754
755 dec->packet[dec->packet_length++] = *b++;
756
757 if (dec->packet_type == TTUSB_DEC_PACKET_SECTION &&
758 dec->packet_payload_length % 2)
759 tail++;
760
761 if (dec->packet_length ==
762 dec->packet_payload_length + tail) {
763 ttusb_dec_process_packet(dec);
764 dec->packet_state = 0;
765 }
766
767 length--;
768 break;
769 }
770
771 default:
772 printk("%s: illegal packet state encountered.\n",
773 __func__);
774 dec->packet_state = 0;
775 }
776 }
777 }
778
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
prev parent reply other threads:[~2025-12-23 1:18 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-12-22 0:20 [PATCH] media: ttusb-dec: fix heap-buffer-overflow in ttusb_dec_process_urb_frame() pip-izony
2025-12-22 5:46 ` [PATCH v2] " pip-izony
2025-12-23 0:31 ` kernel test robot
2025-12-23 1:01 ` [PATCH v3] " pip-izony
2025-12-30 19:50 ` [PATCH v4] " pip-izony
2025-12-23 1:17 ` kernel test robot [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202512230947.zdHvFcAE-lkp@intel.com \
--to=lkp@intel.com \
--cc=Kyungtae.Kim@dartmouth.edu \
--cc=csh0052@gmail.com \
--cc=eeodqql09@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-media@vger.kernel.org \
--cc=llvm@lists.linux.dev \
--cc=mchehab@kernel.org \
--cc=oe-kbuild-all@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.