Received: by 2002:a05:6a10:c604:0:0:0:0 with SMTP id y4csp3758433pxt; Tue, 10 Aug 2021 10:37:59 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzxmHMd3j2OLFNwHRUpJcLmKAI5zXPJxtiTgZudqx7Ca/pefyuZB/ylwj5LzILzzqlqtQ1k X-Received: by 2002:a17:906:1950:: with SMTP id b16mr11699608eje.153.1628617079448; Tue, 10 Aug 2021 10:37:59 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1628617079; cv=none; d=google.com; s=arc-20160816; b=rjdQBXPJNL3OYdgaCHzv3PQs8WDngGvC+B2PRYd/V+FDhMYEHnyBtjFvh9kCj50kaL yR82vm+CtirV9IxO6D27sKHSV2EfaVQUm/pUODJoPql8vllf4TiY+Yh6o2L8JkKjdE4i ZU+zDHKI2l+I2fq4T5UokN60qPZBYKBJMI8j7o+2skeDxiZMhJ7c3CPh5ZBnKwhcjSGg 7RBtJLQj94XhqhsYMT/+ZiiK5EnqdnrfzXHS/7GmNavq8v6TMLyi+KIowxGBQ2HOCT1A 0RzAej5g0pKSN4G0EnC3qXrgGtptqbePIJAWIM4aB/iEuAcQwib1XZeM3rn2AKswiWq7 AqTQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=cfMGyuPZOCV4fX60K3lvid4wwCd/NLub1G+S/DzwUS0=; b=bzSkyPuPSiH7d5qSDdN3d4vmRS07tFOD6fgGXZMDtyFKAJ923mCpDzlTgViJL2kUfe 6BJtOJgVK5oZ2yWAagiL3JsAZUMp84JxvD/0Tg3wFBn499WnGTWMxENr9tLCalDGLtVf wkDiR3vB64pqUHbr2987XLtXksxSuvVlmrGeQvjXEN+DXMr3rPlohr9RVFXwGPvxZBjM 6/KaGedTAxWEvWitAWF7futIr/9Yk54fMPyfA++GACa4y1IVPUJ+dIHSFcbTnydQCRNe mYkttg56hArN7qG3FnDzyXxiFE6lZWeqK7DV03w4SvFtfH+Uaq4EVW+64+8qRey9M3Rv HuaQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=ISUOYHW7; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id cf27si7488965edb.374.2021.08.10.10.37.34; Tue, 10 Aug 2021 10:37:59 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=ISUOYHW7; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232728AbhHJRdm (ORCPT + 99 others); Tue, 10 Aug 2021 13:33:42 -0400 Received: from mail.kernel.org ([198.145.29.99]:34712 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229649AbhHJRdN (ORCPT ); Tue, 10 Aug 2021 13:33:13 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id A6F0E60F35; Tue, 10 Aug 2021 17:32:50 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1628616771; bh=ZxBTzNRCYWOy37PUIjrXP8rUkmJzh/1RLYGp7oVvQGg=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=ISUOYHW7lbhp7HQ8Vxd/meKkOj+cU9yhxJ3Vqt4jRVJSP78nI8a0X7FGlxPnYG/08 LW6TLPNUjL+qhGhEy5YnNfN/qNl5a18aV6SG3wa2DkOEhQoSxSpg+A25rvLBuDuycb 8YaCPEReT80vcmyD6A1EJu1vGnDNvUk5WzkDk8XU= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, syzbot+faf11bbadc5a372564da@syzkaller.appspotmail.com, Eero Lehtinen , Antti Palosaari , Johan Hovold , Sean Young , Mauro Carvalho Chehab Subject: [PATCH 4.19 38/54] media: rtl28xxu: fix zero-length control request Date: Tue, 10 Aug 2021 19:30:32 +0200 Message-Id: <20210810172945.440686848@linuxfoundation.org> X-Mailer: git-send-email 2.32.0 In-Reply-To: <20210810172944.179901509@linuxfoundation.org> References: <20210810172944.179901509@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Johan Hovold commit 76f22c93b209c811bd489950f17f8839adb31901 upstream. The direction of the pipe argument must match the request-type direction bit or control requests may fail depending on the host-controller-driver implementation. Control transfers without a data stage are treated as OUT requests by the USB stack and should be using usb_sndctrlpipe(). Failing to do so will now trigger a warning. The driver uses a zero-length i2c-read request for type detection so update the control-request code to use usb_sndctrlpipe() in this case. Note that actually trying to read the i2c register in question does not work as the register might not exist (e.g. depending on the demodulator) as reported by Eero Lehtinen . Reported-by: syzbot+faf11bbadc5a372564da@syzkaller.appspotmail.com Reported-by: Eero Lehtinen Tested-by: Eero Lehtinen Fixes: d0f232e823af ("[media] rtl28xxu: add heuristic to detect chip type") Cc: stable@vger.kernel.org # 4.0 Cc: Antti Palosaari Signed-off-by: Johan Hovold Signed-off-by: Sean Young Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman --- drivers/media/usb/dvb-usb-v2/rtl28xxu.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) --- a/drivers/media/usb/dvb-usb-v2/rtl28xxu.c +++ b/drivers/media/usb/dvb-usb-v2/rtl28xxu.c @@ -50,7 +50,16 @@ static int rtl28xxu_ctrl_msg(struct dvb_ } else { /* read */ requesttype = (USB_TYPE_VENDOR | USB_DIR_IN); - pipe = usb_rcvctrlpipe(d->udev, 0); + + /* + * Zero-length transfers must use usb_sndctrlpipe() and + * rtl28xxu_identify_state() uses a zero-length i2c read + * command to determine the chip type. + */ + if (req->size) + pipe = usb_rcvctrlpipe(d->udev, 0); + else + pipe = usb_sndctrlpipe(d->udev, 0); } ret = usb_control_msg(d->udev, pipe, 0, requesttype, req->value,