Received: by 2002:a05:6a10:c604:0:0:0:0 with SMTP id y4csp3777644pxt; Tue, 10 Aug 2021 11:05:39 -0700 (PDT) X-Google-Smtp-Source: ABdhPJybZrvjVY+/SzmWThO8llaJe/4qPBaRZ3gRIkksklw9eNxeDtulPHvunX3Uo9+rU/3dygbQ X-Received: by 2002:a05:6e02:1aa2:: with SMTP id l2mr199634ilv.224.1628618739509; Tue, 10 Aug 2021 11:05:39 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1628618739; cv=none; d=google.com; s=arc-20160816; b=JRh7sOtwjVL9u4anxqq/JaWju7hZh8VAVERa/naNT7uGw4PDiWIyU04sUjm/JWMYTx D0eT6H95LGlhIcGJAPpf36r1pOR3vGBSU0juf1FJJ5icXAyhic3TCk9cjr/3Xoe0pyLd DdiF4tBtc7rXQmdqpWtU3A9Pw34axrtjWYolekG8grx3smATwgJ118lfP/u9DBUgpm/C d503CSvEkuI7yqaXfaBkjV7C1usqQldWS21jk1M9AkO/DNA9uylbYDOB7352w6LpUvF7 AALpsSgJ/FkVVitDTGbqOXGLHJtf89cG4Sy0s3Frdwk/u8szJvbqCTDolaK5IOrY/24r pY5Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=VyRZpD66qRhM7HKpWhc3GHuWYeEXcJwSld5MsRnqBJM=; b=M6Gt64eQ3BUJeV4eAt7GdowwADyKzF0tWSH2CNDPUTO0ZnFNyM+kRcy5rIgSRDdghm FW9YvD3K+ssEw9zIBZfoTmkfvyfzZTwvEiKea0zpV4D4uVA9qdXNJxXYGccTtwPMMeOj 8HsS6GfDsnWq8SpkemnOSHnQvWbGrengjalwW3PZmaGN5hNe9C4k1VjJc/K3Srl5wKKe 8uz0YaZAIN5Utyu8w+gmp5wnqacSfFGQtVxV5GVh2MDxLOzzjyREYMKz4nWNLE4FU1Li CSfp7IOQHY2nZKfEBxVGtnnO+ILNoXcgIbb/EDLSZ68wuKWJlEnVA5W2Y0ZeU2fjd0U8 pwJQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=uLs03AOj; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id r17si25523831iov.104.2021.08.10.11.05.28; Tue, 10 Aug 2021 11:05:39 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=uLs03AOj; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S238326AbhHJSEC (ORCPT + 99 others); Tue, 10 Aug 2021 14:04:02 -0400 Received: from mail.kernel.org ([198.145.29.99]:60680 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S238329AbhHJR7b (ORCPT ); Tue, 10 Aug 2021 13:59:31 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id D9D906113E; Tue, 10 Aug 2021 17:46:17 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1628617578; bh=HxAVSRoZV1qO5M8NvmA+iCnA5aa632UKR/8qoV0km0g=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=uLs03AOjqvHDDde9R7wzB2I4u10yGa02jNmoZl0KpJGYKiDJiaic4IMEsvZikpRxH zFo8TRQMGUbtfaPIjbv4AZTqdOQm5Xmjt1+HVSWXjA9C9Qsi7akEXpCDek84IJu6AO RESoNFWccSK2pD4becz4guljj7poDUdko7HsKVVY= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, syzbot+faf11bbadc5a372564da@syzkaller.appspotmail.com, Eero Lehtinen , Antti Palosaari , Johan Hovold , Sean Young , Mauro Carvalho Chehab Subject: [PATCH 5.13 120/175] media: rtl28xxu: fix zero-length control request Date: Tue, 10 Aug 2021 19:30:28 +0200 Message-Id: <20210810173004.896255930@linuxfoundation.org> X-Mailer: git-send-email 2.32.0 In-Reply-To: <20210810173000.928681411@linuxfoundation.org> References: <20210810173000.928681411@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Johan Hovold commit 76f22c93b209c811bd489950f17f8839adb31901 upstream. The direction of the pipe argument must match the request-type direction bit or control requests may fail depending on the host-controller-driver implementation. Control transfers without a data stage are treated as OUT requests by the USB stack and should be using usb_sndctrlpipe(). Failing to do so will now trigger a warning. The driver uses a zero-length i2c-read request for type detection so update the control-request code to use usb_sndctrlpipe() in this case. Note that actually trying to read the i2c register in question does not work as the register might not exist (e.g. depending on the demodulator) as reported by Eero Lehtinen . Reported-by: syzbot+faf11bbadc5a372564da@syzkaller.appspotmail.com Reported-by: Eero Lehtinen Tested-by: Eero Lehtinen Fixes: d0f232e823af ("[media] rtl28xxu: add heuristic to detect chip type") Cc: stable@vger.kernel.org # 4.0 Cc: Antti Palosaari Signed-off-by: Johan Hovold Signed-off-by: Sean Young Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman --- drivers/media/usb/dvb-usb-v2/rtl28xxu.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) --- a/drivers/media/usb/dvb-usb-v2/rtl28xxu.c +++ b/drivers/media/usb/dvb-usb-v2/rtl28xxu.c @@ -37,7 +37,16 @@ static int rtl28xxu_ctrl_msg(struct dvb_ } else { /* read */ requesttype = (USB_TYPE_VENDOR | USB_DIR_IN); - pipe = usb_rcvctrlpipe(d->udev, 0); + + /* + * Zero-length transfers must use usb_sndctrlpipe() and + * rtl28xxu_identify_state() uses a zero-length i2c read + * command to determine the chip type. + */ + if (req->size) + pipe = usb_rcvctrlpipe(d->udev, 0); + else + pipe = usb_sndctrlpipe(d->udev, 0); } ret = usb_control_msg(d->udev, pipe, 0, requesttype, req->value,