From: kernel test robot <lkp@intel.com>
To: pip-izony <eeodqql09@gmail.com>,
Mauro Carvalho Chehab <mchehab@kernel.org>
Cc: llvm@lists.linux.dev, oe-kbuild-all@lists.linux.dev,
linux-media@vger.kernel.org, Seungjin Bae <eeodqql09@gmail.com>,
Kyungtae Kim <Kyungtae.Kim@dartmouth.edu>,
Sanghoon Choi <csh0052@gmail.com>,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2] media: ttusb-dec: fix heap-buffer-overflow in ttusb_dec_process_urb_frame()
Date: Tue, 23 Dec 2025 09:17:43 +0800 [thread overview]
Message-ID: <202512230947.zdHvFcAE-lkp@intel.com> (raw)
In-Reply-To: <20251222054644.938208-2-eeodqql09@gmail.com>
Hi pip-izony,
kernel test robot noticed the following build errors:
[auto build test ERROR on linuxtv-media-pending/master]
[also build test ERROR on media-tree/master sailus-media-tree/master linus/master v6.19-rc2 next-20251219]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]
url: https://github.com/intel-lab-lkp/linux/commits/pip-izony/media-ttusb-dec-fix-heap-buffer-overflow-in-ttusb_dec_process_urb_frame/20251222-134809
base: https://git.linuxtv.org/media-ci/media-pending.git master
patch link: https://lore.kernel.org/r/20251222054644.938208-2-eeodqql09%40gmail.com
patch subject: [PATCH v2] media: ttusb-dec: fix heap-buffer-overflow in ttusb_dec_process_urb_frame()
config: sparc64-allmodconfig (https://download.01.org/0day-ci/archive/20251223/202512230947.zdHvFcAE-lkp@intel.com/config)
compiler: clang version 22.0.0git (https://github.com/llvm/llvm-project 185f5fd5ce4c65116ca8cf6df467a682ef090499)
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20251223/202512230947.zdHvFcAE-lkp@intel.com/reproduce)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202512230947.zdHvFcAE-lkp@intel.com/
All errors (new ones prefixed by >>):
>> drivers/media/usb/ttusb-dec/ttusb_dec.c:713:7: error: expected ')'
713 | __func__);
| ^
drivers/media/usb/ttusb-dec/ttusb_dec.c:711:6: note: to match this '('
711 | dev_warn(&dec->udev->dev,
| ^
include/linux/dev_printk.h:156:2: note: expanded from macro 'dev_warn'
156 | dev_printk_index_wrap(_dev_warn, KERN_WARNING, dev, dev_fmt(fmt), ##__VA_ARGS__)
| ^
include/linux/dev_printk.h:109:3: note: expanded from macro 'dev_printk_index_wrap'
109 | dev_printk_index_emit(level, fmt); \
| ^
include/linux/dev_printk.h:105:2: note: expanded from macro 'dev_printk_index_emit'
105 | printk_index_subsys_emit("%s %s: ", level, fmt)
| ^
include/linux/printk.h:479:2: note: expanded from macro 'printk_index_subsys_emit'
479 | __printk_index_emit(fmt, level, subsys_fmt_prefix)
| ^
include/linux/printk.h:436:27: note: expanded from macro '__printk_index_emit'
436 | if (__builtin_constant_p(_fmt) && __builtin_constant_p(_level)) { \
| ^
>> drivers/media/usb/ttusb-dec/ttusb_dec.c:713:7: error: expected ')'
713 | __func__);
| ^
drivers/media/usb/ttusb-dec/ttusb_dec.c:711:6: note: to match this '('
711 | dev_warn(&dec->udev->dev,
| ^
include/linux/dev_printk.h:156:2: note: expanded from macro 'dev_warn'
156 | dev_printk_index_wrap(_dev_warn, KERN_WARNING, dev, dev_fmt(fmt), ##__VA_ARGS__)
| ^
include/linux/dev_printk.h:109:3: note: expanded from macro 'dev_printk_index_wrap'
109 | dev_printk_index_emit(level, fmt); \
| ^
include/linux/dev_printk.h:105:2: note: expanded from macro 'dev_printk_index_emit'
105 | printk_index_subsys_emit("%s %s: ", level, fmt)
| ^
include/linux/printk.h:479:2: note: expanded from macro 'printk_index_subsys_emit'
479 | __printk_index_emit(fmt, level, subsys_fmt_prefix)
| ^
include/linux/printk.h:445:32: note: expanded from macro '__printk_index_emit'
445 | .fmt = __builtin_constant_p(_fmt) ? (_fmt) : NULL, \
| ^
>> drivers/media/usb/ttusb-dec/ttusb_dec.c:713:7: error: expected ')'
713 | __func__);
| ^
drivers/media/usb/ttusb-dec/ttusb_dec.c:711:6: note: to match this '('
711 | dev_warn(&dec->udev->dev,
| ^
include/linux/dev_printk.h:156:2: note: expanded from macro 'dev_warn'
156 | dev_printk_index_wrap(_dev_warn, KERN_WARNING, dev, dev_fmt(fmt), ##__VA_ARGS__)
| ^
include/linux/dev_printk.h:109:3: note: expanded from macro 'dev_printk_index_wrap'
109 | dev_printk_index_emit(level, fmt); \
| ^
include/linux/dev_printk.h:105:2: note: expanded from macro 'dev_printk_index_emit'
105 | printk_index_subsys_emit("%s %s: ", level, fmt)
| ^
include/linux/printk.h:479:2: note: expanded from macro 'printk_index_subsys_emit'
479 | __printk_index_emit(fmt, level, subsys_fmt_prefix)
| ^
include/linux/printk.h:445:41: note: expanded from macro '__printk_index_emit'
445 | .fmt = __builtin_constant_p(_fmt) ? (_fmt) : NULL, \
| ^
>> drivers/media/usb/ttusb-dec/ttusb_dec.c:713:7: error: expected ')'
713 | __func__);
| ^
drivers/media/usb/ttusb-dec/ttusb_dec.c:711:6: note: to match this '('
711 | dev_warn(&dec->udev->dev,
| ^
include/linux/dev_printk.h:156:2: note: expanded from macro 'dev_warn'
156 | dev_printk_index_wrap(_dev_warn, KERN_WARNING, dev, dev_fmt(fmt), ##__VA_ARGS__)
| ^
include/linux/dev_printk.h:110:10: note: expanded from macro 'dev_printk_index_wrap'
110 | _p_func(dev, fmt, ##__VA_ARGS__); \
| ^
4 errors generated.
vim +713 drivers/media/usb/ttusb-dec/ttusb_dec.c
640
641 static void ttusb_dec_process_urb_frame(struct ttusb_dec *dec, u8 *b,
642 int length)
643 {
644 swap_bytes(b, length);
645
646 while (length) {
647 switch (dec->packet_state) {
648
649 case 0:
650 case 1:
651 case 2:
652 if (*b++ == 0xaa)
653 dec->packet_state++;
654 else
655 dec->packet_state = 0;
656
657 length--;
658 break;
659
660 case 3:
661 if (*b == 0x00) {
662 dec->packet_state++;
663 dec->packet_length = 0;
664 } else if (*b != 0xaa) {
665 dec->packet_state = 0;
666 }
667
668 b++;
669 length--;
670 break;
671
672 case 4:
673 dec->packet[dec->packet_length++] = *b++;
674
675 if (dec->packet_length == 2) {
676 if (dec->packet[0] == 'A' &&
677 dec->packet[1] == 'V') {
678 dec->packet_type =
679 TTUSB_DEC_PACKET_PVA;
680 dec->packet_state++;
681 } else if (dec->packet[0] == 'S') {
682 dec->packet_type =
683 TTUSB_DEC_PACKET_SECTION;
684 dec->packet_state++;
685 } else if (dec->packet[0] == 0x00) {
686 dec->packet_type =
687 TTUSB_DEC_PACKET_EMPTY;
688 dec->packet_payload_length = 2;
689 dec->packet_state = 7;
690 } else {
691 printk("%s: unknown packet type: %02x%02x\n",
692 __func__,
693 dec->packet[0], dec->packet[1]);
694 dec->packet_state = 0;
695 }
696 }
697
698 length--;
699 break;
700
701 case 5:
702 dec->packet[dec->packet_length++] = *b++;
703
704 if (dec->packet_type == TTUSB_DEC_PACKET_PVA &&
705 dec->packet_length == 8) {
706 int len = 8 +
707 (dec->packet[6] << 8) +
708 dec->packet[7];
709
710 if (len > MAX_PVA_LENGTH + 4) {
711 dev_warn(&dec->udev->dev,
712 "%s: packet too long - discarding\n"
> 713 __func__);
714 dec->packet_state = 0;
715 } else {
716 dec->packet_state++;
717 dec->packet_payload_length = len;
718 }
719 } else if (dec->packet_type ==
720 TTUSB_DEC_PACKET_SECTION &&
721 dec->packet_length == 5) {
722 dec->packet_state++;
723 dec->packet_payload_length = 5 +
724 ((dec->packet[3] & 0x0f) << 8) +
725 dec->packet[4];
726 }
727
728 length--;
729 break;
730
731 case 6: {
732 int remainder = dec->packet_payload_length -
733 dec->packet_length;
734
735 if (length >= remainder) {
736 memcpy(dec->packet + dec->packet_length,
737 b, remainder);
738 dec->packet_length += remainder;
739 b += remainder;
740 length -= remainder;
741 dec->packet_state++;
742 } else {
743 memcpy(&dec->packet[dec->packet_length],
744 b, length);
745 dec->packet_length += length;
746 length = 0;
747 }
748
749 break;
750 }
751
752 case 7: {
753 int tail = 4;
754
755 dec->packet[dec->packet_length++] = *b++;
756
757 if (dec->packet_type == TTUSB_DEC_PACKET_SECTION &&
758 dec->packet_payload_length % 2)
759 tail++;
760
761 if (dec->packet_length ==
762 dec->packet_payload_length + tail) {
763 ttusb_dec_process_packet(dec);
764 dec->packet_state = 0;
765 }
766
767 length--;
768 break;
769 }
770
771 default:
772 printk("%s: illegal packet state encountered.\n",
773 __func__);
774 dec->packet_state = 0;
775 }
776 }
777 }
778
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
prev parent reply other threads:[~2025-12-23 1:18 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-12-22 0:20 [PATCH] media: ttusb-dec: fix heap-buffer-overflow in ttusb_dec_process_urb_frame() pip-izony
2025-12-22 5:46 ` [PATCH v2] " pip-izony
2025-12-23 0:31 ` kernel test robot
2025-12-23 1:01 ` [PATCH v3] " pip-izony
2025-12-30 19:50 ` [PATCH v4] " pip-izony
2025-12-23 1:17 ` kernel test robot [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202512230947.zdHvFcAE-lkp@intel.com \
--to=lkp@intel.com \
--cc=Kyungtae.Kim@dartmouth.edu \
--cc=csh0052@gmail.com \
--cc=eeodqql09@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-media@vger.kernel.org \
--cc=llvm@lists.linux.dev \
--cc=mchehab@kernel.org \
--cc=oe-kbuild-all@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox