lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20250421142219.158593-1-contact@arnaud-lcm.com>
Date: Mon, 21 Apr 2025 16:22:19 +0200
From: Arnaud Lecomte <contact@...aud-lcm.com>
To: syzbot+0192952caa411a3be209@...kaller.appspotmail.com
Cc: linux-kernel@...r.kernel.org,
	linux-media@...r.kernel.org,
	mchehab@...nel.org,
	syzkaller-bugs@...glegroups.com
Subject: syz test

#syz test

--- a/drivers/media/usb/dvb-usb-v2/az6007.c
+++ b/drivers/media/usb/dvb-usb-v2/az6007.c
@@ -752,11 +752,18 @@ static int az6007_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[],
        int length;
        u8 req, addr;
 
+       if(!usb_trylock_device(d->udev))
+               return -EBUSY;
+
        if (mutex_lock_interruptible(&st->mutex) < 0)
                return -EAGAIN;
 
        for (i = 0; i < num; i++) {
                addr = msgs[i].addr << 1;
+               if (msgs[i].len < 1 || msgs[i].len >= sizeof(st->data) - 6) {
+                       ret = -EIO;
+                       goto err;
+               }
                if (((i + 1) < num)
                    && (msgs[i].len == 1)
                    && ((msgs[i].flags & I2C_M_RD) != I2C_M_RD)
@@ -788,10 +795,6 @@ static int az6007_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[],
                        if (az6007_xfer_debug)
                                printk(KERN_DEBUG "az6007: I2C W addr=0x%x len=%d\n",
                                       addr, msgs[i].len);
-                       if (msgs[i].len < 1) {
-                               ret = -EIO;
-                               goto err;
-                       }
                        req = AZ6007_I2C_WR;
                        index = msgs[i].buf[0];
                        value = addr | (1 << 8);
@@ -806,10 +809,6 @@ static int az6007_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[],
                        if (az6007_xfer_debug)
                                printk(KERN_DEBUG "az6007: I2C R addr=0x%x len=%d\n",
                                       addr, msgs[i].len);
-                       if (msgs[i].len < 1) {
-                               ret = -EIO;
-                               goto err;
-                       }
                        req = AZ6007_I2C_RD;
                        index = msgs[i].buf[0];
                        value = addr;
@@ -825,7 +824,7 @@ static int az6007_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[],
        }
 err:
        mutex_unlock(&st->mutex);
-
+       usb_unlock_device(d->udev);
        if (ret < 0) {
                pr_info("%s ERROR: %i\n", __func__, ret);
                return ret;
--

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ