Date: Sun, 21 Jun 2026 06:56:22 -0700
In-Reply-To: <6854cfb9.a00a0220.137b3.0028.GAE@google.com>
Message-ID: <6a37ed86.713c5d62.148f7.0004.GAE@google.com>
Subject: Forwarded: Re: [syzbot] [usb?] WARNING in dib0700_ctrl_rd/usb_submit_urb
From: syzbot
To: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: Re: [syzbot] [usb?] WARNING in dib0700_ctrl_rd/usb_submit_urb
Author: contact@henrialfonso.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 9afe652958c3

diff --git a/drivers/media/usb/dvb-usb/dib0700_core.c b/drivers/media/usb/dvb-usb/dib0700_core.c index 986e552f0a97..000000000000 100644 --- a/drivers/media/usb/dvb-usb/dib0700_core.c +++ b/drivers/media/usb/dvb-usb/dib0700_core.c 
@@ -311,6 +311,11 @@ static int dib0700_i2c_xfer_legacy(struct i2c_adapter *adap, st->buf[0] = REQUEST_I2C_READ; st->buf[1] |= 1; + if (msg[i + 1].len == 0) { + result = -EINVAL; + goto unlock; + } + /* special thing in the current firmware: when length is zero the read-failed */ len = dib0700_ctrl_rd(d, st->buf, msg[i].len + 2, st->buf, msg[i + 1].len);
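
Review bot: the new `msg[i + 1].len == 0` check in dib0700_i2c_xfer_legacy() sits directly above the existing comment "when length is zero the read-failed", so that comment now describes a case the dib0700_ctrl_rd() call below it can no longer reach. Please reword or move the comment to say that zero-length reads are rejected up front, and why (the usb_submit_urb warning named in the subject). The check also runs after `st->buf[0] = REQUEST_I2C_READ;` and `st->buf[1] |= 1;` have been written; hoisting it above those stores would reject the message before any state in st->buf is touched. If the adapter can never service a zero-length read, declaring that through the I2C core's I2C_AQ_NO_ZERO_LEN_READ adapter quirk is an alternative to an open-coded -EINVAL here, since the core then refuses such messages before the xfer callback runs. A changelog and Signed-off-by will be needed if this goes beyond a #syz test run.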