Received: by 2002:a05:6a10:8a4d:0:0:0:0 with SMTP id dn13csp959130pxb; Fri, 13 Aug 2021 10:04:30 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzDOtn44Rej1o3WVRl3JcJf2YYhpl8Q1WbIdaZvap5N99HRzklq+NK9Y1SjT3Ut8DN2h6qz X-Received: by 2002:a5d:9eda:: with SMTP id a26mr2814302ioe.166.1628874269821; Fri, 13 Aug 2021 10:04:29 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1628874269; cv=none; d=google.com; s=arc-20160816; b=DQ1v+43PHe5h5a5ZwOUSMIDsD9OaV9WAPNAVa9AeFNQGiMzWJJqGCVsO4q/Cf89jhV OfAF5yZIaoI3ztxjZ8A0jmBMqQ8NTOIBck47Toy+2geL5TTNT1D366MD0BFurnB3Ar1c JSnVVr8eJ4NE7mOsvKahWZBYqD/jJPSeKNtb57InwlVymrWY93JtkLuTUq25BHsvFt5U r+3bd1zcXNdKmIjahAOLbSXwaHxdd9WXsbFh0buWm2Mbo04c3Q1k4Pag4sYdagF78LCG UnrstgdrqpC5qi0HbHlPUNV0PudINlzFl59M7LX5YtChdMXqeCXbq7M5CBw+5e9lg282 jrDw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=cfMGyuPZOCV4fX60K3lvid4wwCd/NLub1G+S/DzwUS0=; b=rkVpISYZTeIdfzgEqpAtfwaQnUiF0zpqWED5VZH94KvN+1CEF5816OiRacS/J6FF/f 6A86M+z5zgZ4U+TbjjSU53uaRrkA7yuE8/nWtNaYnitj82nksN+fcZtnpKrP3FAhHOnR /uYVDlnHVr58fQLLnus8BSgbeg5n4qUDS+DHRUJREt87LFcREhcOZ8K7XyAQusfNMQg0 2V2c4u3bBtoee0nFeCuIIV3PPUmr9OGuqtCagdDRRB5w2pDYcnImnRbpGM/mYFx1vcMS 9oKhTsFkkq8fLrWBkqz7Un1zR0eqWinV513NnIubnvZ5wBrbecXr8mSOK/t3E7FD+eRF Me8w== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=RW4HBmKZ; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id n5si2219371jat.34.2021.08.13.10.04.18; Fri, 13 Aug 2021 10:04:29 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=RW4HBmKZ; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S242319AbhHMPOB (ORCPT + 99 others); Fri, 13 Aug 2021 11:14:01 -0400 Received: from mail.kernel.org ([198.145.29.99]:55440 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S242080AbhHMPMe (ORCPT ); Fri, 13 Aug 2021 11:12:34 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id 9148F6112F; Fri, 13 Aug 2021 15:12:06 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1628867527; bh=ZxBTzNRCYWOy37PUIjrXP8rUkmJzh/1RLYGp7oVvQGg=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=RW4HBmKZJsisWzaOVUjg9rDmNOeAuQ6TVviwiG1FGHqyYof649/OcddkI0MHqWZNL xnBQC2cWdyK6XWOGK3HDYxxgILrY4EQo9zp7kB+kcgvt+evj10Gf+phJPJgrb4eySv YgbY3Icjg+kCZXBKisC28k7PcjtyQa/+j9vIM4qQ= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, syzbot+faf11bbadc5a372564da@syzkaller.appspotmail.com, Eero Lehtinen , Antti Palosaari , Johan Hovold , Sean Young , Mauro Carvalho Chehab Subject: [PATCH 4.14 25/42] media: rtl28xxu: fix zero-length control request Date: Fri, 13 Aug 2021 17:06:51 +0200 Message-Id: <20210813150525.951338888@linuxfoundation.org> X-Mailer: git-send-email 2.32.0 In-Reply-To: <20210813150525.098817398@linuxfoundation.org> References: <20210813150525.098817398@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Johan Hovold commit 76f22c93b209c811bd489950f17f8839adb31901 upstream. The direction of the pipe argument must match the request-type direction bit or control requests may fail depending on the host-controller-driver implementation. Control transfers without a data stage are treated as OUT requests by the USB stack and should be using usb_sndctrlpipe(). Failing to do so will now trigger a warning. The driver uses a zero-length i2c-read request for type detection so update the control-request code to use usb_sndctrlpipe() in this case. Note that actually trying to read the i2c register in question does not work as the register might not exist (e.g. depending on the demodulator) as reported by Eero Lehtinen . Reported-by: syzbot+faf11bbadc5a372564da@syzkaller.appspotmail.com Reported-by: Eero Lehtinen Tested-by: Eero Lehtinen Fixes: d0f232e823af ("[media] rtl28xxu: add heuristic to detect chip type") Cc: stable@vger.kernel.org # 4.0 Cc: Antti Palosaari Signed-off-by: Johan Hovold Signed-off-by: Sean Young Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman --- drivers/media/usb/dvb-usb-v2/rtl28xxu.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) --- a/drivers/media/usb/dvb-usb-v2/rtl28xxu.c +++ b/drivers/media/usb/dvb-usb-v2/rtl28xxu.c @@ -50,7 +50,16 @@ static int rtl28xxu_ctrl_msg(struct dvb_ } else { /* read */ requesttype = (USB_TYPE_VENDOR | USB_DIR_IN); - pipe = usb_rcvctrlpipe(d->udev, 0); + + /* + * Zero-length transfers must use usb_sndctrlpipe() and + * rtl28xxu_identify_state() uses a zero-length i2c read + * command to determine the chip type. + */ + if (req->size) + pipe = usb_rcvctrlpipe(d->udev, 0); + else + pipe = usb_sndctrlpipe(d->udev, 0); } ret = usb_control_msg(d->udev, pipe, 0, requesttype, req->value,