From patchwork Fri Jul 30 10:59:18 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mauro Carvalho Chehab X-Patchwork-Id: 490117 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.0 required=3.0 tests=BAYES_00, INCLUDES_CR_TRAILER, INCLUDES_PATCH, MAILING_LIST_MULTI, SPF_HELO_NONE, SPF_PASS, URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 51D9CC4338F for ; Fri, 30 Jul 2021 11:02:37 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 354826101C for ; Fri, 30 Jul 2021 11:02:37 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S238552AbhG3LCk (ORCPT ); Fri, 30 Jul 2021 07:02:40 -0400 Received: from www.linuxtv.org ([130.149.80.248]:37054 "EHLO www.linuxtv.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S238403AbhG3LCk (ORCPT ); Fri, 30 Jul 2021 07:02:40 -0400 Received: from mchehab by www.linuxtv.org with local (Exim 4.92) (envelope-from ) id 1m9QHg-00BOOk-KQ; Fri, 30 Jul 2021 11:02:32 +0000 From: Mauro Carvalho Chehab Date: Fri, 30 Jul 2021 10:59:18 +0000 Subject: [git:media_tree/fixes] media: rtl28xxu: fix zero-length control request To: linuxtv-commits@linuxtv.org Cc: Johan Hovold , Sean Young , Antti Palosaari , Eero Lehtinen , stable@vger.kernel.org Mail-followup-to: linux-media@vger.kernel.org Forward-to: linux-media@vger.kernel.org Reply-to: linux-media@vger.kernel.org Message-Id: Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org This is an automatic generated email to let you know that the following patch were queued: Subject: media: rtl28xxu: fix zero-length control request Author: Johan Hovold Date: Wed Jun 23 10:45:21 2021 +0200 The direction of the pipe argument must match the request-type direction bit or control requests may fail depending on the host-controller-driver implementation. Control transfers without a data stage are treated as OUT requests by the USB stack and should be using usb_sndctrlpipe(). Failing to do so will now trigger a warning. The driver uses a zero-length i2c-read request for type detection so update the control-request code to use usb_sndctrlpipe() in this case. Note that actually trying to read the i2c register in question does not work as the register might not exist (e.g. depending on the demodulator) as reported by Eero Lehtinen . Reported-by: syzbot+faf11bbadc5a372564da@syzkaller.appspotmail.com Reported-by: Eero Lehtinen Tested-by: Eero Lehtinen Fixes: d0f232e823af ("[media] rtl28xxu: add heuristic to detect chip type") Cc: stable@vger.kernel.org # 4.0 Cc: Antti Palosaari Signed-off-by: Johan Hovold Signed-off-by: Sean Young Signed-off-by: Mauro Carvalho Chehab drivers/media/usb/dvb-usb-v2/rtl28xxu.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/drivers/media/usb/dvb-usb-v2/rtl28xxu.c b/drivers/media/usb/dvb-usb-v2/rtl28xxu.c index 0cbdb95f8d35..795a012d4020 100644 --- a/drivers/media/usb/dvb-usb-v2/rtl28xxu.c +++ b/drivers/media/usb/dvb-usb-v2/rtl28xxu.c @@ -37,7 +37,16 @@ static int rtl28xxu_ctrl_msg(struct dvb_usb_device *d, struct rtl28xxu_req *req) } else { /* read */ requesttype = (USB_TYPE_VENDOR | USB_DIR_IN); - pipe = usb_rcvctrlpipe(d->udev, 0); + + /* + * Zero-length transfers must use usb_sndctrlpipe() and + * rtl28xxu_identify_state() uses a zero-length i2c read + * command to determine the chip type. + */ + if (req->size) + pipe = usb_rcvctrlpipe(d->udev, 0); + else + pipe = usb_sndctrlpipe(d->udev, 0); } ret = usb_control_msg(d->udev, pipe, 0, requesttype, req->value,