| Message ID | 20210326210252.129595-1-alaaemadhossney.ae@gmail.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | [v2] media: sq905.c: fix uninitialized variable | expand |
Hi! On Fri, 2021-03-26 at 23:02 +0200, Alaa Emad wrote: > Reported-by: syzbot+a4e309017a5f3a24c7b3@syzkaller.appspotmail.com > Signed-off-by: Alaa Emad <alaaemadhossney.ae@gmail.com> > > --- > Changes in v2: > - Fix the error occured because of pervious fix. > --- > drivers/media/usb/gspca/sq905.c | 8 ++++---- > 1 file changed, 4 insertions(+), 4 deletions(-) > > diff --git a/drivers/media/usb/gspca/sq905.c > b/drivers/media/usb/gspca/sq905.c > index 97799cfb832e..57206dd2e1a0 100644 > --- a/drivers/media/usb/gspca/sq905.c > +++ b/drivers/media/usb/gspca/sq905.c > @@ -157,8 +157,8 @@ static int sq905_ack_frame(struct gspca_dev > *gspca_dev) > static int > sq905_read_data(struct gspca_dev *gspca_dev, u8 *data, int size, int > need_lock) > { > - int ret; > - int act_len; > + int ret; > + int act_len; > > gspca_dev->usb_buf[0] = '\0'; > if (need_lock) > @@ -180,8 +180,8 @@ sq905_read_data(struct gspca_dev *gspca_dev, u8 > *data, int size, int need_lock) > data, size, &act_len, SQ905_DATA_TIMEOUT); > > /* successful, it returns 0, otherwise negative */ > - if (ret < 0 || act_len != size) { > - pr_err("bulk read fail (%d) len %d/%d\n", ret, act_len, > size); > + if (ret < 0 || act_len != size) { > + pr_err("bulk read fail (%d) len %d/%d\n", ret, ret < 0 ? > -1 : act_len, size); > return -EIO; > } > return 0; > -- > 2.25.1 > I skimmed through code, and I'm not sure about Dmitry's approach, because I think usb_submit_urb() can return some valid urb- >actual_length and error code: if (!wait_for_completion_timeout(&ctx.done, expire)) { usb_kill_urb(urb); retval = (ctx.status == -ENOENT ? -ETIMEDOUT : ctx.status); dev_dbg(&urb->dev->dev, "%s timed out on ep%d%s len=%u/%u\n", current->comm, usb_endpoint_num(&urb->ep->desc), usb_urb_dir_in(urb) ? "in" : "out", urb->actual_length, urb->transfer_buffer_length); } else retval = ctx.status; ... if (actual_length) *actual_length = urb->actual_length; I believe, that this info might be useful. Im not sure about it, i didn't found any examples of this log and have no idea how to reproduce it, it's just my thoughts. Maybe, one of the maintainers will correct me
Hi Alaa, FYI: this patch has already been applied to the media_tree master git repo: https://patchwork.linuxtv.org/project/linux-media/patch/2c46832a-99a8-73bf-ec85-085052f8b4db@xs4all.nl/ That's good enough for this issue so I am marking this patch as Obsolete in our patchwork. On 26/03/2021 22:02, Alaa Emad wrote: > Reported-by: syzbot+a4e309017a5f3a24c7b3@syzkaller.appspotmail.com > Signed-off-by: Alaa Emad <alaaemadhossney.ae@gmail.com> > > --- > Changes in v2: > - Fix the error occured because of pervious fix. > --- > drivers/media/usb/gspca/sq905.c | 8 ++++---- > 1 file changed, 4 insertions(+), 4 deletions(-) > > diff --git a/drivers/media/usb/gspca/sq905.c b/drivers/media/usb/gspca/sq905.c > index 97799cfb832e..57206dd2e1a0 100644 > --- a/drivers/media/usb/gspca/sq905.c > +++ b/drivers/media/usb/gspca/sq905.c > @@ -157,8 +157,8 @@ static int sq905_ack_frame(struct gspca_dev *gspca_dev) > static int > sq905_read_data(struct gspca_dev *gspca_dev, u8 *data, int size, int need_lock) > { > - int ret; > - int act_len; > + int ret; > + int act_len; > > gspca_dev->usb_buf[0] = '\0'; > if (need_lock) > @@ -180,8 +180,8 @@ sq905_read_data(struct gspca_dev *gspca_dev, u8 *data, int size, int need_lock) > data, size, &act_len, SQ905_DATA_TIMEOUT); > > /* successful, it returns 0, otherwise negative */ > - if (ret < 0 || act_len != size) { > - pr_err("bulk read fail (%d) len %d/%d\n", ret, act_len, size); > + if (ret < 0 || act_len != size) { > + pr_err("bulk read fail (%d) len %d/%d\n", ret, ret < 0 ? -1 : act_len, size); General note: it looks like you are replacing tab characters with spaces. Make sure you configure your editor not to do that. Regards, Hans > return -EIO; > } > return 0; >
diff --git a/drivers/media/usb/gspca/sq905.c b/drivers/media/usb/gspca/sq905.c index 97799cfb832e..57206dd2e1a0 100644 --- a/drivers/media/usb/gspca/sq905.c +++ b/drivers/media/usb/gspca/sq905.c @@ -157,8 +157,8 @@ static int sq905_ack_frame(struct gspca_dev *gspca_dev) static int sq905_read_data(struct gspca_dev *gspca_dev, u8 *data, int size, int need_lock) { - int ret; - int act_len; + int ret; + int act_len; gspca_dev->usb_buf[0] = '\0'; if (need_lock) @@ -180,8 +180,8 @@ sq905_read_data(struct gspca_dev *gspca_dev, u8 *data, int size, int need_lock) data, size, &act_len, SQ905_DATA_TIMEOUT); /* successful, it returns 0, otherwise negative */ - if (ret < 0 || act_len != size) { - pr_err("bulk read fail (%d) len %d/%d\n", ret, act_len, size); + if (ret < 0 || act_len != size) { + pr_err("bulk read fail (%d) len %d/%d\n", ret, ret < 0 ? -1 : act_len, size); return -EIO; } return 0;
Reported-by: syzbot+a4e309017a5f3a24c7b3@syzkaller.appspotmail.com Signed-off-by: Alaa Emad <alaaemadhossney.ae@gmail.com> --- Changes in v2: - Fix the error occured because of pervious fix. --- drivers/media/usb/gspca/sq905.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-)