Hi Wang,

On 4/14/22 17:12, Wang Cheng wrote:
> Due to the case that "requesttype == 0x01 && status <= 0" isn't handled in r8712_usbctrl_vendorreq(), "data" (drivers/staging/rtl8712/usb_ops.c:32) will be returned without initialization. When "tmpU1b" (drivers/staging/rtl8712/usb_intf.c:395) is 0, mac[6] (usb_intf.c:394) won't be initialized, which leads to accessing uninit-value on usb_intf.c:541.
>
> Reported-and-tested-by: syzbot+6f5ecd144854c0d8580b@xxxxxxxxxxxxxxxxxxxxxxxxx
> Signed-off-by: Wang Cheng <wanngchenng@xxxxxxxxx>
This patch will just hide the problematic API in that driver. The correct fix is changing usb_control_msg to usb_control_msg_{recv,send}.

IIRC this driver does not want to read various-length requests, so it should be fine.
With regards,
Pavel Skripkin
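The point Pavel makes above, as an added user-space model (not the rtl8712 driver's code and not kernel code): a control transfer can complete short, and a caller that ignores the returned byte count hands back whatever was in the buffer, while the usb_control_msg_recv() contract (full length or -EREMOTEIO, caller buffer untouched) makes that impossible. `fake_control_msg` and its `avail` knob are constructed stand-ins for the USB transport.

```c
#include <errno.h>
#include <string.h>

/* Constructed transport stand-in: returns bytes actually transferred, which
 * may be fewer than requested, or a negative errno. 'avail' models what the
 * device really sends back. */
static int fake_control_msg(unsigned char *buf, int len, int avail)
{
    if (avail < 0)
        return avail;                 /* transport error, buffer untouched */
    int n = avail < len ? avail : len;
    memset(buf, 0xAB, n);             /* constructed device payload */
    return n;
}

/* Pattern from the thread: the return value of the transfer is not checked
 * and "data" is handed back as-is, so the caller's buffer may keep stale or
 * uninitialised bytes while success is reported. */
static int vendorreq_unchecked(unsigned char *data, int len, int avail)
{
    fake_control_msg(data, len, avail);
    return 0;
}

/* Semantics of usb_control_msg_recv(): bounce through a private buffer,
 * succeed only when all 'len' bytes arrived, report a short transfer as
 * -EREMOTEIO, and never touch the caller's buffer on failure. */
static int vendorreq_recv(unsigned char *data, int len, int avail)
{
    unsigned char tmp[64];
    if (len > (int)sizeof(tmp))
        return -EINVAL;
    int ret = fake_control_msg(tmp, len, avail);
    if (ret < 0)
        return ret;
    if (ret != len)
        return -EREMOTEIO;
    memcpy(data, tmp, len);
    return 0;
}

/* Helpers for a 6-byte MAC read: buffer pre-filled with 0xFF as a sentinel
 * so a byte the transfer never wrote is visible. */
static int unchecked_last_byte(int avail)
{
    unsigned char mac[6];
    memset(mac, 0xFF, sizeof(mac));
    vendorreq_unchecked(mac, 6, avail);
    return mac[5];
}

static int recv_status(int avail)
{
    unsigned char mac[6];
    return vendorreq_recv(mac, 6, avail);
}

static int recv_last_byte(int avail)
{
    unsigned char mac[6];
    memset(mac, 0xFF, sizeof(mac));
    (void)vendorreq_recv(mac, 6, avail);
    return mac[5];
}
```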