Received: by 2002:a05:6a10:8a4d:0:0:0:0 with SMTP id dn13csp958555pxb; Fri, 13 Aug 2021 10:03:46 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxftwPUh24VnyKoM/Qvedy7TjYIpmzFviFhqGMYbOxazXQ8/7yNsY1hW++HuIjsmXkaymjA X-Received: by 2002:a92:8742:: with SMTP id d2mr2485572ilm.58.1628874226058; Fri, 13 Aug 2021 10:03:46 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1628874226; cv=none; d=google.com; s=arc-20160816; b=ph46Hd2zmNzVNUXIcoDCofXQmokc9JnMe8RevJVo91SGfD8cNZ5lf2qrYoQ7lDXqGQ M48aRm5xj6Z1QC0f2vCMuvqyNO+18swyVA4xlll6ZLAeS/c9tvqIcvtifxAKAGJs1Yyx JGmp0YTnwpnfmC7SFOnKeQheb1QF3h/r1eUMM8LNqfiSIcvQG44DR5HrYHuMVIhCZjNv 95t98/xLSF6Dl25PYcOPjm2URX0HewLOpBlvxygNpu5F4tWqzAsiz0VOg1E2p8vaMPOU x26Xsyk7Uu76zrGy9aAJfQqL38NJYvE70y3KPz4EXsqvkV3KH2YojMUDna2N7RH8FAmB jKPA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=cfMGyuPZOCV4fX60K3lvid4wwCd/NLub1G+S/DzwUS0=; b=Mgk3iwWsir5Hhov5CBHvFXXjJBLYpbTWuel0F/6FtTn3senjxOk6d39g1J3Ij05L0i QI/b4t/c/EiWESQ0kDqBR3AY7kYhC5rWabwha2PwwQUkaw/19bKhhBGsx0G1WP2RFdND A0fdAdmAKSR1CMjdyRDuONBLfqe24T4bhR/nK/ujQ8aq8llRCQBLrRpF3da4l4bYqqBg kYIttqvnR0hqXkbI07pzmvLiMMUn7TLSVbexZJCbW13nkTV5J3fGJpZk8VxVKDSuOdZl 1Rh757Dj901B+53+A6afNx1GKTo1WcWijQZChxRnfnu08VZ4cOAGH5+ePUinUCVjkaDa FSEQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=MJV6y+m2; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id b25si1314817jap.107.2021.08.13.10.03.33; Fri, 13 Aug 2021 10:03:46 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=MJV6y+m2; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S241172AbhHMPIm (ORCPT + 99 others); Fri, 13 Aug 2021 11:08:42 -0400 Received: from mail.kernel.org ([198.145.29.99]:50892 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S241159AbhHMPIi (ORCPT ); Fri, 13 Aug 2021 11:08:38 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id 8925561103; Fri, 13 Aug 2021 15:08:10 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1628867291; bh=ZxBTzNRCYWOy37PUIjrXP8rUkmJzh/1RLYGp7oVvQGg=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=MJV6y+m2AiNKn2eeuVNgo6/YIec9HjWCMQwU8sn0CGZSsitKM/E0kC9grEi2ofsM4 Y8Vpq+xH4qWTFHjlxjuXhOsiUYV/RnSjOiZDuE4tHmbyomo+QELkVzrsIZQYLcbcxp H8KRnMSFIcWR0+vLJcVu8Q089AqLbzbi0Ip9C5T4= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, syzbot+faf11bbadc5a372564da@syzkaller.appspotmail.com, Eero Lehtinen , Antti Palosaari , Johan Hovold , Sean Young , Mauro Carvalho Chehab Subject: [PATCH 4.4 14/25] media: rtl28xxu: fix zero-length control request Date: Fri, 13 Aug 2021 17:06:38 +0200 Message-Id: <20210813150521.179685350@linuxfoundation.org> X-Mailer: git-send-email 2.32.0 In-Reply-To: <20210813150520.718161915@linuxfoundation.org> References: <20210813150520.718161915@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Johan Hovold commit 76f22c93b209c811bd489950f17f8839adb31901 upstream. The direction of the pipe argument must match the request-type direction bit or control requests may fail depending on the host-controller-driver implementation. Control transfers without a data stage are treated as OUT requests by the USB stack and should be using usb_sndctrlpipe(). Failing to do so will now trigger a warning. The driver uses a zero-length i2c-read request for type detection so update the control-request code to use usb_sndctrlpipe() in this case. Note that actually trying to read the i2c register in question does not work as the register might not exist (e.g. depending on the demodulator) as reported by Eero Lehtinen . Reported-by: syzbot+faf11bbadc5a372564da@syzkaller.appspotmail.com Reported-by: Eero Lehtinen Tested-by: Eero Lehtinen Fixes: d0f232e823af ("[media] rtl28xxu: add heuristic to detect chip type") Cc: stable@vger.kernel.org # 4.0 Cc: Antti Palosaari Signed-off-by: Johan Hovold Signed-off-by: Sean Young Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman --- drivers/media/usb/dvb-usb-v2/rtl28xxu.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) --- a/drivers/media/usb/dvb-usb-v2/rtl28xxu.c +++ b/drivers/media/usb/dvb-usb-v2/rtl28xxu.c @@ -50,7 +50,16 @@ static int rtl28xxu_ctrl_msg(struct dvb_ } else { /* read */ requesttype = (USB_TYPE_VENDOR | USB_DIR_IN); - pipe = usb_rcvctrlpipe(d->udev, 0); + + /* + * Zero-length transfers must use usb_sndctrlpipe() and + * rtl28xxu_identify_state() uses a zero-length i2c read + * command to determine the chip type. + */ + if (req->size) + pipe = usb_rcvctrlpipe(d->udev, 0); + else + pipe = usb_sndctrlpipe(d->udev, 0); } ret = usb_control_msg(d->udev, pipe, 0, requesttype, req->value,