On 22/04/14 11:12PM, Pavel Skripkin wrote:
> Hi Wang,
>
> On 4/14/22 17:12, Wang Cheng wrote:
> > Due to the case that "requesttype == 0x01 && status <= 0"
> > isn't handled in r8712_usbctrl_vendorreq(),
> > "data" (drivers/staging/rtl8712/usb_ops.c:32)
> > will be returned without initialization.
> >
> > When "tmpU1b" (drivers/staging/rtl8712/usb_intf.c:395)
> > is 0, mac[6] (usb_intf.c:394) won't be initialized,
> > which leads to accessing an uninit-value on usb_intf.c:541.
> >
> > Reported-and-tested-by: syzbot+6f5ecd144854c0d8580b@xxxxxxxxxxxxxxxxxxxxxxxxx
> > Signed-off-by: Wang Cheng <wanngchenng@xxxxxxxxx>
>
> This patch will just hide the problematic API in that driver. The correct fix is
> changing usb_control_msg to usb_control_msg_{recv,send}.
>
> IIRC this driver does not want to read various-length requests, so it should be
> fine.

Hi Pavel, thanks for your review.

Sorry, this patch is just confined to fixing uninit-values while modifying the original code as little as possible.

It sounds good to refactor r8712_usbctrl_vendorreq() with a better API.

thanks,
--
w

> With regards,
> Pavel Skripkin
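A constructed user-space model of the failure mode this thread discusses (added here; it is not the rtl8712 driver's code): a read helper that ignores a failed control-transfer status hands back stale stack content, while the checked variant reports the error and leaves the caller's value untouched. The mock transfer functions, the `read8_before`/`read8_after` names and the 0xEE sentinel are assumptions made for the model.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for a USB control transfer: returns the number of
 * bytes transferred on success or a negative errno. On failure the buffer
 * is left untouched, which is the case the thread describes. */
typedef int (*ctrl_msg_fn)(uint8_t *buf, int len);

static int ctrl_msg_ok(uint8_t *buf, int len)  { memset(buf, 0xA5, len); return len; }
static int ctrl_msg_err(uint8_t *buf, int len) { (void)buf; (void)len; return -EPIPE; }

/* Before: the status is never checked, so whatever the stack slot held is
 * returned. A real uninitialised read is undefined behaviour, so this model
 * seeds "data" with a sentinel to make the stale content observable. */
static uint8_t read8_before(ctrl_msg_fn xfer)
{
    uint8_t data = 0xEE;   /* stands in for uninitialised stack garbage */
    xfer(&data, 1);        /* status <= 0 is ignored */
    return data;
}

/* After: check the status and propagate the error; "*out" is only written
 * when the transfer actually delivered a byte. */
static int read8_after(ctrl_msg_fn xfer, uint8_t *out)
{
    uint8_t data = 0;      /* initialised as a belt-and-braces measure */
    int status = xfer(&data, 1);

    if (status <= 0)
        return status ? status : -EIO;
    *out = data;
    return 0;
}
```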