Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Message-ID: <ff97f9dc25d726e06d792e5d011f19747637e2a0.camel@gmail.com>
Subject: Re: [PATCH v2] media: sq905.c: fix uninitialized variable
From:   Pavel Skripkin <paskripkin@gmail.com>
To:     Alaa Emad <alaaemadhossney.ae@gmail.com>, hverkuil@xs4all.nl
Cc:     gregkh@linuxfoundation.org, mchehab@kernel.org,
        linux-media@vger.kernel.org, linux-kernel@vger.kernel.org,
        syzkaller@googlegroups.com,
        syzbot+a4e309017a5f3a24c7b3@syzkaller.appspotmail.com,
        Dmitry Vyukov <dvyukov@google.com>
Date:   Sat, 27 Mar 2021 00:35:48 +0300
In-Reply-To: <20210326210252.129595-1-alaaemadhossney.ae@gmail.com>
References: <20210326210252.129595-1-alaaemadhossney.ae@gmail.com>
Content-Type: text/plain; charset="UTF-8"
User-Agent: Evolution 3.38.4 
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: bulk

Hi!

On Fri, 2021-03-26 at 23:02 +0200, Alaa Emad wrote:
> Reported-by: syzbot+a4e309017a5f3a24c7b3@syzkaller.appspotmail.com
> Signed-off-by: Alaa Emad <alaaemadhossney.ae@gmail.com>
> 
> ---
> Changes in v2:
>   - Fix the error occured because of pervious fix.
> ---
>  drivers/media/usb/gspca/sq905.c | 8 ++++----
>  1 file changed, 4 insertions(+), 4 deletions(-)
> 
> diff --git a/drivers/media/usb/gspca/sq905.c
> b/drivers/media/usb/gspca/sq905.c
> index 97799cfb832e..57206dd2e1a0 100644
> --- a/drivers/media/usb/gspca/sq905.c
> +++ b/drivers/media/usb/gspca/sq905.c
> @@ -157,8 +157,8 @@ static int sq905_ack_frame(struct gspca_dev
> *gspca_dev)
>  static int
>  sq905_read_data(struct gspca_dev *gspca_dev, u8 *data, int size, int
> need_lock)
>  {
> -       int ret;
> -       int act_len;
> +       int ret;
> +       int act_len;
>  
>         gspca_dev->usb_buf[0] = '\0';
>         if (need_lock)
> @@ -180,8 +180,8 @@ sq905_read_data(struct gspca_dev *gspca_dev, u8
> *data, int size, int need_lock)
>                            data, size, &act_len, SQ905_DATA_TIMEOUT);
>  
>         /* successful, it returns 0, otherwise  negative */
> -       if (ret < 0 || act_len != size) {
> -               pr_err("bulk read fail (%d) len %d/%d\n", ret, act_len,
> size);
> +       if (ret < 0 || act_len != size) {
> +              pr_err("bulk read fail (%d) len %d/%d\n", ret, ret < 0 ?
> -1 : act_len, size);
>                 return -EIO;
>         }
>         return 0;
> -- 
> 2.25.1
> 

I skimmed through code, and I'm not sure about Dmitry's approach,
because I think usb_submit_urb() can return some valid urb-
>actual_length and error code:

	if (!wait_for_completion_timeout(&ctx.done, expire)) {
		usb_kill_urb(urb);
		retval = (ctx.status == -ENOENT ? -ETIMEDOUT :
ctx.status);

		dev_dbg(&urb->dev->dev,
			"%s timed out on ep%d%s len=%u/%u\n",
			current->comm,
			usb_endpoint_num(&urb->ep->desc),
			usb_urb_dir_in(urb) ? "in" : "out",
			urb->actual_length,
			urb->transfer_buffer_length);
	} else
		retval = ctx.status;
...
	if (actual_length)
		*actual_length = urb->actual_length;

I believe, that this info might be useful.  

Im not sure about it, i didn't found any examples of this log and have
no idea how to reproduce it, it's just my thoughts. Maybe, one of the
maintainers will correct me 

-- 
With regards,
Pavel Skripkin