* [PATCH 0/1] media: dvb-usb-v2: ce6230: fix syzkaller bug
@ 2026-04-22 19:26 Jakov Novak
2026-04-22 19:26 ` [PATCH 1/1] media: dvb-usb-v2: ce6230: fix bug when sending usb_control_msg of size 0 Jakov Novak
0 siblings, 1 reply; 2+ messages in thread
From: Jakov Novak @ 2026-04-22 19:26 UTC (permalink / raw)
To: linux-media, linux-kernel
Cc: Mauro Carvalho Chehab, Antti Palosaari, Shuah Khan, Jakov Novak
This patch fixes a syzkaller bug which was reported in the usb core
after sending a urb_control_msg. The main problem that caused this was
the ce6230_ctrl_msg function trying to send a read control message of
size 0, which then caused the system to panic after. The solution was to
add a check in this function to check if the message has a greater than
zero size before sending it, otherwise we log the error and return.
Jakov Novak (1):
media: dvb-usb-v2: ce6230: fix bug when sending usb_control_msg of
size 0
drivers/media/usb/dvb-usb-v2/ce6230.c | 7 +++++++
1 file changed, 7 insertions(+)
--
2.53.0
^ permalink raw reply [flat|nested] 2+ messages in thread* [PATCH 1/1] media: dvb-usb-v2: ce6230: fix bug when sending usb_control_msg of size 0
2026-04-22 19:26 [PATCH 0/1] media: dvb-usb-v2: ce6230: fix syzkaller bug Jakov Novak
@ 2026-04-22 19:26 ` Jakov Novak
0 siblings, 0 replies; 2+ messages in thread
From: Jakov Novak @ 2026-04-22 19:26 UTC (permalink / raw)
To: linux-media, linux-kernel
Cc: Mauro Carvalho Chehab, Antti Palosaari, Shuah Khan, Jakov Novak,
syzbot+427909a2e3b2f83d78cb
The function ce6230_ctrl_msg, didn't check the size of the message that
was supposed to be read/written, which in turn caused the error at the
usb core function usb_submit_urb after calling usb_control_msg in the
driver code. This patch fixes the issue by returning an error code if
the req->data_len == 0.
Fixes: eebb876b0b8f ("V4L/DVB (11216): Add driver for Intel CE6230 DVB-T USB2.0")
Reported-and-tested-by: syzbot+427909a2e3b2f83d78cb@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=427909a2e3b2f83d78cb
Signed-off-by: Jakov Novak <jakovnovak30@gmail.com>
---
drivers/media/usb/dvb-usb-v2/ce6230.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/drivers/media/usb/dvb-usb-v2/ce6230.c b/drivers/media/usb/dvb-usb-v2/ce6230.c
index 7ebaf3ee4491..dd3aa45b56a3 100644
--- a/drivers/media/usb/dvb-usb-v2/ce6230.c
+++ b/drivers/media/usb/dvb-usb-v2/ce6230.c
@@ -23,6 +23,13 @@ static int ce6230_ctrl_msg(struct dvb_usb_device *d, struct usb_req *req)
value = req->value;
index = req->index;
+ if (!req->data_len) {
+ dev_err(&d->udev->dev,
+ "%s: cannot send crtl_msg of size 0",
+ KBUILD_MODNAME);
+ return -ENOBUFS;
+ }
+
switch (req->cmd) {
case I2C_READ:
case DEMOD_READ:
--
2.53.0
^ permalink raw reply related [flat|nested] 2+ messages in thread
end of thread, other threads:[~2026-04-22 19:26 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-04-22 19:26 [PATCH 0/1] media: dvb-usb-v2: ce6230: fix syzkaller bug Jakov Novak
2026-04-22 19:26 ` [PATCH 1/1] media: dvb-usb-v2: ce6230: fix bug when sending usb_control_msg of size 0 Jakov Novak
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox