From patchwork Thu Apr 13 09:21:13 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kernel-Development X-Patchwork-Id: 13210001 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id D0D45C77B6C for ; Thu, 13 Apr 2023 09:21:17 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229992AbjDMJVR (ORCPT ); Thu, 13 Apr 2023 05:21:17 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:47414 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229526AbjDMJVP (ORCPT ); Thu, 13 Apr 2023 05:21:15 -0400 Received: from a11-129.smtp-out.amazonses.com (a11-129.smtp-out.amazonses.com [54.240.11.129]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 90F7D19AF; Thu, 13 Apr 2023 02:21:14 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=gwkuid74newif2lbp44dedrl2t4vmmbs; d=benbenng.net; t=1681377673; h=Subject:From:To:Cc:Date:Mime-Version:Content-Type:Content-Transfer-Encoding:References:Message-Id; bh=iCGZGKi5slX3+1EbZTs0K5lMxThH+s23lVBYdgse0I4=; b=dlXM0RiS+bkfvggjXjPyBfra2Ys+k+cPbgT4qIBDtC9qV7H8zF0wgVzGG0/nJfRA LxR8YxEr2hW86KQYAzg+NDcj2ZJi/dSwj5OEjtIcHVr9imYmF/QZVAEpBB7BHhF1Jrc yRzzUaNovUpPZ4qeQfpcgSfNq0v6g3iWyckCfifIBu7vwuEVFAS3KoxK+aJkTqacubu 2Y3xtkdqp6Z6MLlcIsuZx4Iij9oPVmxmSlbiypjCn8HP3vUxdamXbnZwXMnDnLxgxpd tKhGWmm2rbjM1kdaMYFNILIV1D7q0hLTsDbu5W/4e5lS+o0vdTHExkzku7K8yPJrHr7 8pEdPHNA4A== DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=224i4yxa5dv7c2xz3womw6peuasteono; d=amazonses.com; t=1681377673; h=Subject:From:To:Cc:Date:Mime-Version:Content-Type:Content-Transfer-Encoding:References:Message-Id:Feedback-ID; bh=iCGZGKi5slX3+1EbZTs0K5lMxThH+s23lVBYdgse0I4=; b=O5xpWDesy/hJag71jGjX6AgswpCtnGJulyPR0BS0RRk+bCsgMW/CnnteBDlOoNHh 0kAjpSf6xKrUhzfCsQYCuy4FYY2Z3YGJ2iLQ1+dJ2hyfCHtMxwikL6SmQFV8TMdKzKy jm5wIM89DS99ICEu30a1OGlfYn20ugayypjSMF88= Subject: [PATCH] Initialization of read buffer for dib3000_read_reg From: =?utf-8?q?Kernel-Development?= To: =?utf-8?q?mchehab=40kernel=2Eorg?= Cc: =?utf-8?q?linux-media=40vger=2Ekernel=2Eorg?= , =?utf-8?q?linux-kernel=40vger=2Ekernel=2Eor?= =?utf-8?q?g?= , =?utf-8?q?skhan=40linuxfound?= =?utf-8?q?ation=2Eorg?= , =?utf-8?q?linux-kerne?= =?utf-8?q?l-mentees=40lists=2Elinuxfoundation=2Eorg?= , =?utf-8?q?syzbot+c88fc0e?= =?utf-8?q?be0d5935c70da=40syzkaller=2Eappspotmail=2Ecom?= , =?utf-8?q?Kernel-?= =?utf-8?q?Development?= Date: Thu, 13 Apr 2023 09:21:13 +0000 Mime-Version: 1.0 References: <20230413091841.22000-1-kdev@benbenng.net> X-Mailer: Amazon WorkMail Thread-Index: AQHZbelJ3+E1CTjNR3uk6Rz3nyFiTw== Thread-Topic: [PATCH] Initialization of read buffer for dib3000_read_reg X-Original-Mailer: git-send-email 2.39.2 X-Wm-Sent-Timestamp: 1681377672 Message-ID: <0100018779eb40dc-cee9e39d-5d87-4733-83db-eca5218fcc8f-000000@email.amazonses.com> Feedback-ID: 1.us-east-1.LF00NED762KFuBsfzrtoqw+Brn/qlF9OYdxWukAhsl8=:AmazonSES X-SES-Outgoing: 2023.04.13-54.240.11.129 Precedence: bulk List-ID: X-Mailing-List: linux-media@vger.kernel.org This is a patch that fixes a bug: KMSAN: uninit-value in dib3000mb_attach (2) Local variable u8 rb[2] is not initialized as it is used as read buffer for i2c_transfer(). It is expected that i2c_transfer() should fill in the buffer before the target function returns rb's content. However error handling of i2c_transfer is not done, and on occasions where the read fails, uninitialized rb value will be returned. The usage of this function, defined as macro rd() in drivers/media/dvb-frontends/dib3000mb_priv,h, does not expect any error to occur. Adding error handling here might involve significant code changes. Thus 0-initialization is done on rb. This might affect some logic on error case as the use of the return value is used as boolean and flags. Reported-by: syzbot+c88fc0ebe0d5935c70da@syzkaller.appspotmail.com Link: https://syzkaller.appspot.com/bug?id=2f4d19de8c9e9f0b9794e53ca54d68e0ffe9f068 Signed-off-by: (Ben) HokChun Ng --- drivers/media/dvb-frontends/dib3000mb.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/drivers/media/dvb-frontends/dib3000mb.c b/drivers/media/dvb-frontends/dib3000mb.c index a6c2fc4586eb..0dd96656aaf4 100644 --- a/drivers/media/dvb-frontends/dib3000mb.c +++ b/drivers/media/dvb-frontends/dib3000mb.c @@ -50,15 +50,19 @@ MODULE_PARM_DESC(debug, "set debugging level (1=info,2=xfer,4=setfe,8=getfe (|-a static int dib3000_read_reg(struct dib3000_state *state, u16 reg) { + int errno; u8 wb[] = { ((reg >> 8) | 0x80) & 0xff, reg & 0xff }; - u8 rb[2]; + u8 rb[2] = { 0, 0 }; struct i2c_msg msg[] = { { .addr = state->config.demod_address, .flags = 0, .buf = wb, .len = 2 }, { .addr = state->config.demod_address, .flags = I2C_M_RD, .buf = rb, .len = 2 }, }; - if (i2c_transfer(state->i2c, msg, 2) != 2) - deb_i2c("i2c read error\n"); + errno = i2c_transfer(state->i2c, msg, 2); + if (errno != 2) { + deb_i2c("i2c read error (errno: %d)\n", -errno); + return 0; + } deb_i2c("reading i2c bus (reg: %5d 0x%04x, val: %5d 0x%04x)\n",reg,reg, (rb[0] << 8) | rb[1],(rb[0] << 8) | rb[1]);