syztest

Arnaud Lecomte posted 1 patch 2 months, 2 weeks ago
There is a newer version of this series
syztest
Posted by Arnaud Lecomte 2 months, 2 weeks ago
#syz test

--- a/drivers/usb/mon/mon_bin.c
+++ b/drivers/usb/mon/mon_bin.c
@@ -249,7 +249,11 @@ static unsigned int mon_copy_to_buff(const struct mon_reader_bin *this,
 		 * Copy data and advance pointers.
 		 */
 		buf = this->b_vec[off / CHUNK_SIZE].ptr + off % CHUNK_SIZE;
-		memcpy(buf, from, step_len);
+
+		if (copy_from_kernel_nofault(buf, from, step_len)) {
+			pr_warn("Failed to copy URB transfer buffer content into mon bin.");
+			return -EFAULT;
+		}
 		if ((off += step_len) >= this->b_size) off = 0;
 		from += step_len;
 		length -= step_len;
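Review bot: the new `return -EFAULT;` in the error branch does not fit the function's return type. The hunk header shows `static unsigned int mon_copy_to_buff(...)`, so the negative errno is converted to a large unsigned value that callers will take for the next buffer offset. Either give the function a signed return type and update every caller, or report failure separately from the offset. Two smaller points on the same branch: the `pr_warn()` string has no trailing `\n`, and because this path can run for every captured URB a rate-limited variant such as `pr_warn_ratelimited()` would keep a misbehaving device from flooding the log. The posting also carries no changelog; one should explain why a nofault copy is the right answer to the slab-out-of-bounds read in the report, rather than bounding `step_len` against the real size of the source buffer.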
@@ -413,11 +417,13 @@ static unsigned int mon_bin_get_data(const struct mon_reader_bin *rp,
 
 	*flag = 0;
 	if (urb->num_sgs == 0) {
-		if (urb->transfer_buffer == NULL) {
+		if (
+			urb->transfer_buffer == NULL ||
+			mon_copy_to_buff(rp, offset, urb->transfer_buffer, length) < 0
+		) {
 			*flag = 'Z';
 			return length;
 		}
-		mon_copy_to_buff(rp, offset, urb->transfer_buffer, length);
 		length = 0;
 
 	} else {
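Review bot: the added test `mon_copy_to_buff(rp, offset, urb->transfer_buffer, length) < 0` can never be true while mon_copy_to_buff() returns `unsigned int` (see the first hunk's header), so a failed copy falls through to `length = 0` and the event is reported as if the data had been captured. This needs the return type change from the first hunk, or an explicit error indicator, before the `'Z'` path can be reached on failure. Folding a call with side effects into the `if` condition also makes the flow harder to read; keeping the NULL check as it was and testing the copy result in a separate statement would be clearer, and the multi-line `if (` with its closing parenthesis on its own line does not match the style of the surrounding code.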
@@ -434,6 +440,10 @@ static unsigned int mon_bin_get_data(const struct mon_reader_bin *rp,
 			this_len = min_t(unsigned int, sg->length, length);
 			offset = mon_copy_to_buff(rp, offset, sg_virt(sg),
 					this_len);
+			if (offset < 0) {
+				*flag = 'Z';
+				return length;
+			}
 			length -= this_len;
 		}
 		if (i == 0)
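Review bot: the added `if (offset < 0)` is only meaningful if `offset` is a signed variable, which these lines do not show; the value assigned to it comes from mon_copy_to_buff(), which returns `unsigned int`, so if `offset` is unsigned as well the check is dead code and compilers will typically warn about it. The error signalling should be fixed at the source (first hunk) and checked here with a matching type. It is also worth stating in the changelog what the reader should expect when a later scatterlist entry fails: at that point earlier entries have already been copied into the buffer and `length` has been reduced, yet the function returns with `*flag = 'Z'` as if nothing had been captured.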
Re: [syzbot] [usb?] KASAN: slab-out-of-bounds Read in mon_bin_event
Posted by syzbot 2 months, 2 weeks ago
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+86b6d7c8bcc66747c505@syzkaller.appspotmail.com
Tested-by: syzbot+86b6d7c8bcc66747c505@syzkaller.appspotmail.com

Tested on:

commit:         d086c886 Add linux-next specific files for 20250718
git tree:       linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=118af7d4580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=8a6aa2cafcc62853
dashboard link: https://syzkaller.appspot.com/bug?extid=86b6d7c8bcc66747c505
compiler:       Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
patch:          https://syzkaller.appspot.com/x/patch.diff?x=15fa638c580000

Note: testing is done by a robot and is best-effort only.