i2c: robotfuzz-osif: fix control-request directions

The direction of the pipe argument must match the request-type direction
bit or control requests may fail depending on the host-controller-driver
implementation.

Control transfers without a data stage are treated as OUT requests by
the USB stack and should be using usb_sndctrlpipe(). Failing to do so
will now trigger a warning.

Fix the OSIFI2C_SET_BIT_RATE and OSIFI2C_STOP requests which erroneously
used the osif_usb_read() helper and set the IN direction bit.

Reported-by: syzbot+9d7dadd15b8819d73f41@syzkaller.appspotmail.com
Fixes: 83e53a8f120f ("i2c: Add bus driver for for OSIF USB i2c device.")
Cc: stable@vger.kernel.org      # 3.14
Cc: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: Johan Hovold <johan@kernel.org>
---
 drivers/i2c/busses/i2c-robotfuzz-osif.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

On Mon, May 24, 2021 at 11:09:12AM +0200, Johan Hovold wrote:
> The direction of the pipe argument must match the request-type direction
> bit or control requests may fail depending on the host-controller-driver
> implementation.
> 
> Control transfers without a data stage are treated as OUT requests by
> the USB stack and should be using usb_sndctrlpipe(). Failing to do so
> will now trigger a warning.
> 
> Fix the OSIFI2C_SET_BIT_RATE and OSIFI2C_STOP requests which erroneously
> used the osif_usb_read() helper and set the IN direction bit.
> 
> Reported-by: syzbot+9d7dadd15b8819d73f41@syzkaller.appspotmail.com
> Fixes: 83e53a8f120f ("i2c: Add bus driver for for OSIF USB i2c device.")
> Cc: stable@vger.kernel.org      # 3.14
> Cc: Andrew Lunn <andrew@lunn.ch>
> Signed-off-by: Johan Hovold <johan@kernel.org>
> ---

Wolfram, can you pick this one up for 5.14?

Johan

>  drivers/i2c/busses/i2c-robotfuzz-osif.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/i2c/busses/i2c-robotfuzz-osif.c b/drivers/i2c/busses/i2c-robotfuzz-osif.c
> index a39f7d092797..66dfa211e736 100644
> --- a/drivers/i2c/busses/i2c-robotfuzz-osif.c
> +++ b/drivers/i2c/busses/i2c-robotfuzz-osif.c
> @@ -83,7 +83,7 @@ static int osif_xfer(struct i2c_adapter *adapter, struct i2c_msg *msgs,
>  			}
>  		}
>  
> -		ret = osif_usb_read(adapter, OSIFI2C_STOP, 0, 0, NULL, 0);
> +		ret = osif_usb_write(adapter, OSIFI2C_STOP, 0, 0, NULL, 0);
>  		if (ret) {
>  			dev_err(&adapter->dev, "failure sending STOP\n");
>  			return -EREMOTEIO;
> @@ -153,7 +153,7 @@ static int osif_probe(struct usb_interface *interface,
>  	 * Set bus frequency. The frequency is:
>  	 * 120,000,000 / ( 16 + 2 * div * 4^prescale).
>  	 * Using dev = 52, prescale = 0 give 100KHz */
> -	ret = osif_usb_read(&priv->adapter, OSIFI2C_SET_BIT_RATE, 52, 0,
> +	ret = osif_usb_write(&priv->adapter, OSIFI2C_SET_BIT_RATE, 52, 0,
>  			    NULL, 0);
>  	if (ret) {
>  		dev_err(&interface->dev, "failure sending bit rate");

On Wed, Jun 23, 2021 at 10:52:04AM +0200, Johan Hovold wrote:
> On Mon, May 24, 2021 at 11:09:12AM +0200, Johan Hovold wrote:

> > The direction of the pipe argument must match the request-type direction

> > bit or control requests may fail depending on the host-controller-driver

> > implementation.

> > 

> > Control transfers without a data stage are treated as OUT requests by

> > the USB stack and should be using usb_sndctrlpipe(). Failing to do so

> > will now trigger a warning.

> > 

> > Fix the OSIFI2C_SET_BIT_RATE and OSIFI2C_STOP requests which erroneously

> > used the osif_usb_read() helper and set the IN direction bit.

> > 

> > Reported-by: syzbot+9d7dadd15b8819d73f41@syzkaller.appspotmail.com

> > Fixes: 83e53a8f120f ("i2c: Add bus driver for for OSIF USB i2c device.")

> > Cc: stable@vger.kernel.org      # 3.14

> > Cc: Andrew Lunn <andrew@lunn.ch>

> > Signed-off-by: Johan Hovold <johan@kernel.org>

> > ---

> 

> Wolfram, can you pick this one up for 5.14?


Sorry, I thought Andrew was the maintainer of this driver and was
waiting for his ack. But he is not, this driver is unmaintained. So, I
trust you and picked it up now.

Applied to for-current, thanks!

On Thu, Jun 24, 2021 at 10:10:17PM +0200, Wolfram Sang wrote:
> On Wed, Jun 23, 2021 at 10:52:04AM +0200, Johan Hovold wrote:
> > On Mon, May 24, 2021 at 11:09:12AM +0200, Johan Hovold wrote:
> > > The direction of the pipe argument must match the request-type direction
> > > bit or control requests may fail depending on the host-controller-driver
> > > implementation.
> > > 
> > > Control transfers without a data stage are treated as OUT requests by
> > > the USB stack and should be using usb_sndctrlpipe(). Failing to do so
> > > will now trigger a warning.
> > > 
> > > Fix the OSIFI2C_SET_BIT_RATE and OSIFI2C_STOP requests which erroneously
> > > used the osif_usb_read() helper and set the IN direction bit.
> > > 
> > > Reported-by: syzbot+9d7dadd15b8819d73f41@syzkaller.appspotmail.com
> > > Fixes: 83e53a8f120f ("i2c: Add bus driver for for OSIF USB i2c device.")
> > > Cc: stable@vger.kernel.org      # 3.14
> > > Cc: Andrew Lunn <andrew@lunn.ch>
> > > Signed-off-by: Johan Hovold <johan@kernel.org>
> > > ---
> > 
> > Wolfram, can you pick this one up for 5.14?
> 
> Sorry, I thought Andrew was the maintainer of this driver and was
> waiting for his ack.

Ah, sorry. I did take a quick look at the change, it seemed
sensible. But i've not used this hardware in years, i have no way to
test it, etc.

     Andrew

On Thu, Jun 24, 2021 at 10:10:17PM +0200, Wolfram Sang wrote:

> Sorry, I thought Andrew was the maintainer of this driver and was

> waiting for his ack. But he is not, this driver is unmaintained. So, I

> trust you and picked it up now.

> 

> Applied to for-current, thanks!


Perfect, thanks!

Johan