On 19-07-31 22:10:39, Petko Manolov wrote:

On 19-07-30 15:13:57, Denis Kirjanov wrote:

quoted

get_registers() may fail with -ENOMEM and in this
case we can read a garbage from the status variable tmp.

Reported-by: syzbot+3499a83b2d062ae409d4@syzkaller.appspotmail.com
Signed-off-by: Denis Kirjanov <redacted>
---
 drivers/net/usb/pegasus.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/usb/pegasus.c b/drivers/net/usb/pegasus.c
index 6d25dea5ad4b..f7d117d80cfb 100644
--- a/drivers/net/usb/pegasus.c
+++ b/drivers/net/usb/pegasus.c

@@ -282,7 +282,7 @@ static void mdio_write(struct net_device *dev, int phy_id, int loc, int val)
 static int read_eprom_word(pegasus_t *pegasus, __u8 index, __u16 *retdata)
 {
 	int i;
-	__u8 tmp;
+	__u8 tmp = 0;
 	__le16 retdatai;
 	int ret;

Unfortunately this patch does not fix anything.  Even if get_registers() fail 
with -ENOMEM the "for" loop will cover for it and will exit only if the 
operation was successful or the device got disconnected.  Please read the code 
carefully.

So while the patch is harmless it isn't solving a problem.

Actually i am wrong - if "tmp" contains a random value it may accidentally have 
the EPROM_DONE bit set.

Dave, please apply the patch.


thanks,
Petko