The memcpy in gl861_i2c_read_ex() in gl861.c swapped the src and dst arguments,
leaving the rbuf uninitialized.

This issue caused this syzbot error:

https://syzkaller.appspot.com/bug?extid=9e6bf7282557bd1fc80d

Signed-off-by: Hans Verkuil <hverkuil-ci...@xs4all.nl>
Reported-and-tested-by: syzbot+9e6bf7282557bd1fc...@syzkaller.appspotmail.com
Fixes: commit b30cc07de8a9 ("media: dvb-usb/friio, dvb-usb-v2/gl861: decompose friio and merge with gl861")
---
Does anyone have this hardware? This device must have been dead for about
a year, ever since commit b30cc07de8a9 was merged.
---
diff --git a/drivers/media/usb/dvb-usb-v2/gl861.c 
b/drivers/media/usb/dvb-usb-v2/gl861.c
index b784d9da1a82..65d7c51ef56f 100644
--- a/drivers/media/usb/dvb-usb-v2/gl861.c
+++ b/drivers/media/usb/dvb-usb-v2/gl861.c
@@ -222,7 +222,7 @@ gl861_i2c_read_ex(struct dvb_usb_device *d, u8 addr, u8 
*rbuf, u16 rlen)
                                 GL861_REQ_I2C_READ, GL861_READ,
                                 addr << (8 + 1), 0x0100, buf, rlen, 2000);
        if (ret > 0 && rlen > 0)
-               memcpy(buf, rbuf, rlen);
+               memcpy(rbuf, buf, rlen);
        kfree(buf);
        return ret;
 }
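
Review bot: The corrected copy under `if (ret > 0 && rlen > 0)` still copies `rlen` bytes even when `ret` is smaller than `rlen`, so a short transfer would hand the caller bytes of `buf` that the device never wrote. Unless `buf` is zero-allocated above this hunk (the allocation is not visible here), consider copying only `ret` bytes, or returning an error when `ret != rlen`, so the uninitialized-data problem described in the commit message cannot recur through the short-read path.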
