| Message ID | 20210524110920.24599-4-johan@kernel.org |
|---|---|
| State | New |
| Headers | show |
| Series | media: fix zero-length USB control requests | expand |
On Mon, May 31, 2021 at 09:55:39AM +0200, Johan Hovold wrote: > On Mon, May 24, 2021 at 01:09:20PM +0200, Johan Hovold wrote: > > The direction of the pipe argument must match the request-type direction > > bit or control requests may fail depending on the host-controller-driver > > implementation. > > > > Control transfers without a data stage are treated as OUT requests by > > the USB stack and should be using usb_sndctrlpipe(). Failing to do so > > will now trigger a warning. > > > > Fix the zero-length i2c-read request used for type detection by > > attempting to read a single byte instead. > > > > Reported-by: syzbot+faf11bbadc5a372564da@syzkaller.appspotmail.com > > Fixes: d0f232e823af ("[media] rtl28xxu: add heuristic to detect chip type") > > Cc: stable@vger.kernel.org # 4.0 > > Cc: Antti Palosaari <crope@iki.fi> > > Signed-off-by: Johan Hovold <johan@kernel.org> > > --- > > drivers/media/usb/dvb-usb-v2/rtl28xxu.c | 3 ++- > > 1 file changed, 2 insertions(+), 1 deletion(-) > > > > diff --git a/drivers/media/usb/dvb-usb-v2/rtl28xxu.c b/drivers/media/usb/dvb-usb-v2/rtl28xxu.c > > index 97ed17a141bb..2c04ed8af0e4 100644 > > --- a/drivers/media/usb/dvb-usb-v2/rtl28xxu.c > > +++ b/drivers/media/usb/dvb-usb-v2/rtl28xxu.c > > @@ -612,8 +612,9 @@ static int rtl28xxu_read_config(struct dvb_usb_device *d) > > static int rtl28xxu_identify_state(struct dvb_usb_device *d, const char **name) > > { > > struct rtl28xxu_dev *dev = d_to_priv(d); > > + u8 buf[1]; > > int ret; > > - struct rtl28xxu_req req_demod_i2c = {0x0020, CMD_I2C_DA_RD, 0, NULL}; > > + struct rtl28xxu_req req_demod_i2c = {0x0020, CMD_I2C_DA_RD, 1, buf}; > > > > dev_dbg(&d->intf->dev, "\n"); > > As reported here > > https://lore.kernel.org/r/YLSVsrhMZ2oOL1vM@hovoldconsulting.com > > this patch is causing the chip type to no longer be detected correctly, > so please drop this one for now until this has been resolved. Looks like this one was applied to the media tree a couple of days after I sent this nonetheless. Can you drop this one in favour of the v2 posted here: https://lore.kernel.org/r/20210531094434.12651-4-johan@kernel.org or do you want me to send an incremental fix instead? Johan
diff --git a/drivers/media/usb/dvb-usb-v2/rtl28xxu.c b/drivers/media/usb/dvb-usb-v2/rtl28xxu.c index 97ed17a141bb..2c04ed8af0e4 100644 --- a/drivers/media/usb/dvb-usb-v2/rtl28xxu.c +++ b/drivers/media/usb/dvb-usb-v2/rtl28xxu.c @@ -612,8 +612,9 @@ static int rtl28xxu_read_config(struct dvb_usb_device *d) static int rtl28xxu_identify_state(struct dvb_usb_device *d, const char **name) { struct rtl28xxu_dev *dev = d_to_priv(d); + u8 buf[1]; int ret; - struct rtl28xxu_req req_demod_i2c = {0x0020, CMD_I2C_DA_RD, 0, NULL}; + struct rtl28xxu_req req_demod_i2c = {0x0020, CMD_I2C_DA_RD, 1, buf}; dev_dbg(&d->intf->dev, "\n");
The direction of the pipe argument must match the request-type direction bit or control requests may fail depending on the host-controller-driver implementation. Control transfers without a data stage are treated as OUT requests by the USB stack and should be using usb_sndctrlpipe(). Failing to do so will now trigger a warning. Fix the zero-length i2c-read request used for type detection by attempting to read a single byte instead. Reported-by: syzbot+faf11bbadc5a372564da@syzkaller.appspotmail.com Fixes: d0f232e823af ("[media] rtl28xxu: add heuristic to detect chip type") Cc: stable@vger.kernel.org # 4.0 Cc: Antti Palosaari <crope@iki.fi> Signed-off-by: Johan Hovold <johan@kernel.org> --- drivers/media/usb/dvb-usb-v2/rtl28xxu.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)