From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-ot1-f70.google.com (mail-ot1-f70.google.com [209.85.210.70]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 6B742224F3 for ; Sun, 21 Jun 2026 15:32:19 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.210.70 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1782055940; cv=none; b=rvQjZFmMdrQDCsh4zq8/O79A3m9yApLn7xQwG4koMPoFd5e8yO4u5Kswa8cbD3Vi+MSElWlUsf+RoEhDbXCgdzpAd/ixSX2lExC5riDkpsbvEdUfLhdMkE4pF0cJIlrn7CVIR9cNP/wR4mZAWoC5ChmPuooEGQ0Cu08ooDpXF1k= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1782055940; c=relaxed/simple; bh=Sjssg6xby1D24yyF479yt2tZSCFfHUdSLq3/cI0o9u4=; h=MIME-Version:Date:In-Reply-To:Message-ID:Subject:From:To: Content-Type; b=S6TIX5vytJWXP7V2P29GVicPJJGMO5lPhB+A78paMfnfhP8mTG5w2MSB92zdnFo4RpT+4a9ypyd3K/teISIxWbgiZCbOLwLowHq4nnXRG/BY+q6Q6oPW8xLFoZUElQSQ2aLYfrKNqikT7+klSw4L4qJGTmB6AI2JsnmN6sIF4bM= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=fail (p=none dis=none) header.from=syzkaller.appspotmail.com; spf=pass smtp.mailfrom=M3KW2WVRGUFZ5GODRSRYTGD7.apphosting.bounces.google.com; arc=none smtp.client-ip=209.85.210.70 Authentication-Results: smtp.subspace.kernel.org; dmarc=fail (p=none dis=none) header.from=syzkaller.appspotmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=M3KW2WVRGUFZ5GODRSRYTGD7.apphosting.bounces.google.com Received: by mail-ot1-f70.google.com with SMTP id 46e09a7af769-7e6f45ce9ceso4736022a34.2 for ; Sun, 21 Jun 2026 08:32:19 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1782055938; x=1782660738; h=to:from:subject:message-id:in-reply-to:date:mime-version :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=aVc3oNv+Rb45plpRjnvnX+le8tllzGvbPR9JusY7Tvs=; b=Zy8vCdZDCZy3VU8kgGYzI8FRqnGpn9/alYEZF6HHVewZ5IWLF4AyFexaX5G5N6hgE/ zN1E4hraiiN7NtOjykF31gxqQ2qiGVuRRONO+ARa+O6LZm5eIIH/NWy1WfeQTFFmgajO xozZXUne9uooqAzTDP61SWxFAL7FcFm+1r2OqOfFkWR6O/zROmDydQ4VyjrZUkf0yb4/ yVkiApRWpgPHJPgSPXao2QuLP35hVPAlAwo1tBhYCihs3KPrpCPViNHDKxfQHhkKEcy6 DYs8bzX2QwlZ69FS7Ws0pDXRweW9FFZ0tVQYZ9d3nJR2OPU2XR3nYe8wMDuWD4s3Bd1N Y+Dw== X-Gm-Message-State: AOJu0Yy/J24zkwnDPqcJxj4FuSgGhzU1xjR2C36Cxh+rAAihYWQ11ESY hwLDyQNjVJ/X6SYwZXLP6HkAKoX3xo+sk6LT0hzfaxbWQw+MchEFVLRu/ojrtVuos0FxP3FPHcT xpSprTUr83v0Ns7ZX/Cg0gQ8rPdICgNrwp4XuptgtKPYjMsFkWprO5O92NuE= Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Received: by 2002:a05:6808:1a0f:b0:48c:6ab8:b22f with SMTP id 5614622812f47-48c6ab8b757mr2220414b6e.33.1782055938447; Sun, 21 Jun 2026 08:32:18 -0700 (PDT) Date: Sun, 21 Jun 2026 08:32:18 -0700 In-Reply-To: <6854cfb9.a00a0220.137b3.0028.GAE@google.com> X-Google-Appengine-App-Id: s~syzkaller X-Google-Appengine-App-Id-Alias: syzkaller Message-ID: <6a380402.871e809a.2d6dda.0003.GAE@google.com> Subject: Forwarded: Re: [syzbot] [usb?] WARNING in dib0700_ctrl_rd/usb_submit_urb From: syzbot To: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com Content-Type: text/plain; charset="UTF-8" For archival purposes, forwarding an incoming command email to linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com. *** Subject: Re: [syzbot] [usb?] WARNING in dib0700_ctrl_rd/usb_submit_urb Author: contact@henrialfonso.com #syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 57b8e2d666a31fa201432d58f5fe3469a0dd83ba diff --git a/drivers/media/usb/dvb-usb/dib0700_core.c b/drivers/media/usb/dvb-usb/dib0700_core.c index 986e552f0a97..000000000000 100644 --- a/drivers/media/usb/dvb-usb/dib0700_core.c +++ b/drivers/media/usb/dvb-usb/dib0700_core.c @@ -311,6 +311,11 @@ static int dib0700_i2c_xfer_legacy(struct i2c_adapter *adap, st->buf[0] = REQUEST_I2C_READ; st->buf[1] |= 1; + if (msg[i + 1].len == 0) { + result = -EINVAL; + goto unlock; + } + /* special thing in the current firmware: when length is zero the read-failed */ len = dib0700_ctrl_rd(d, st->buf, msg[i].len + 2, st->buf, msg[i + 1].len);