From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
syzbot+faf11bbadc5a372564da@syzkaller.appspotmail.com,
Eero Lehtinen <debiangamer2@gmail.com>,
Antti Palosaari <crope@iki.fi>, Johan Hovold <johan@kernel.org>,
Sean Young <sean@mess.org>,
Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Subject: [PATCH 4.4 14/25] media: rtl28xxu: fix zero-length control request
Date: Fri, 13 Aug 2021 17:06:38 +0200 [thread overview]
Message-ID: <20210813150521.179685350@linuxfoundation.org> (raw)
In-Reply-To: <20210813150520.718161915@linuxfoundation.org>
From: Johan Hovold <johan@kernel.org>
commit 76f22c93b209c811bd489950f17f8839adb31901 upstream.
The direction of the pipe argument must match the request-type direction
bit or control requests may fail depending on the host-controller-driver
implementation.
Control transfers without a data stage are treated as OUT requests by
the USB stack and should be using usb_sndctrlpipe(). Failing to do so
will now trigger a warning.
The driver uses a zero-length i2c-read request for type detection so
update the control-request code to use usb_sndctrlpipe() in this case.
Note that actually trying to read the i2c register in question does not
work as the register might not exist (e.g. depending on the demodulator)
as reported by Eero Lehtinen <debiangamer2@gmail.com>.
Reported-by: syzbot+faf11bbadc5a372564da@syzkaller.appspotmail.com
Reported-by: Eero Lehtinen <debiangamer2@gmail.com>
Tested-by: Eero Lehtinen <debiangamer2@gmail.com>
Fixes: d0f232e823af ("[media] rtl28xxu: add heuristic to detect chip type")
Cc: stable@vger.kernel.org # 4.0
Cc: Antti Palosaari <crope@iki.fi>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/usb/dvb-usb-v2/rtl28xxu.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
--- a/drivers/media/usb/dvb-usb-v2/rtl28xxu.c
+++ b/drivers/media/usb/dvb-usb-v2/rtl28xxu.c
@@ -50,7 +50,16 @@ static int rtl28xxu_ctrl_msg(struct dvb_
} else {
/* read */
requesttype = (USB_TYPE_VENDOR | USB_DIR_IN);
- pipe = usb_rcvctrlpipe(d->udev, 0);
+
+ /*
+ * Zero-length transfers must use usb_sndctrlpipe() and
+ * rtl28xxu_identify_state() uses a zero-length i2c read
+ * command to determine the chip type.
+ */
+ if (req->size)
+ pipe = usb_rcvctrlpipe(d->udev, 0);
+ else
+ pipe = usb_sndctrlpipe(d->udev, 0);
}
ret = usb_control_msg(d->udev, pipe, 0, requesttype, req->value,
next prev parent reply other threads:[~2021-08-13 15:08 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-08-13 15:06 [PATCH 4.4 00/25] 4.4.281-rc1 review Greg Kroah-Hartman
2021-08-13 15:06 ` [PATCH 4.4 01/25] ALSA: seq: Fix racy deletion of subscriber Greg Kroah-Hartman
2021-08-13 15:06 ` [PATCH 4.4 02/25] scsi: sr: Return correct event when media event code is 3 Greg Kroah-Hartman
2021-08-13 15:06 ` [PATCH 4.4 03/25] media: videobuf2-core: dequeue if start_streaming fails Greg Kroah-Hartman
2021-08-13 15:06 ` [PATCH 4.4 04/25] net: natsemi: Fix missing pci_disable_device() in probe and remove Greg Kroah-Hartman
2021-08-13 15:06 ` [PATCH 4.4 05/25] mips: Fix non-POSIX regexp Greg Kroah-Hartman
2021-08-13 15:06 ` [PATCH 4.4 06/25] bnx2x: fix an error code in bnx2x_nic_load() Greg Kroah-Hartman
2021-08-13 15:06 ` [PATCH 4.4 07/25] net: pegasus: fix uninit-value in get_interrupt_interval Greg Kroah-Hartman
2021-08-13 15:06 ` [PATCH 4.4 08/25] net: vxge: fix use-after-free in vxge_device_unregister Greg Kroah-Hartman
2021-08-13 15:06 ` [PATCH 4.4 09/25] Bluetooth: defer cleanup of resources in hci_unregister_dev() Greg Kroah-Hartman
2021-08-13 15:06 ` [PATCH 4.4 10/25] USB: serial: option: add Telit FD980 composition 0x1056 Greg Kroah-Hartman
2021-08-13 15:06 ` [PATCH 4.4 11/25] USB: serial: ch341: fix character loss at high transfer rates Greg Kroah-Hartman
2021-08-13 15:06 ` [PATCH 4.4 12/25] USB: serial: ftdi_sio: add device ID for Auto-M3 OP-COM v2 Greg Kroah-Hartman
2021-08-13 15:06 ` [PATCH 4.4 13/25] scripts/tracing: fix the bug that cant parse raw_trace_func Greg Kroah-Hartman
2021-08-13 15:06 ` Greg Kroah-Hartman [this message]
2021-08-13 15:06 ` [PATCH 4.4 15/25] serial: 8250: Mask out floating 16/32-bit bus bits Greg Kroah-Hartman
2021-08-13 15:06 ` [PATCH 4.4 16/25] MIPS: Malta: Do not byte-swap accesses to the CBUS UART Greg Kroah-Hartman
2021-08-13 15:06 ` [PATCH 4.4 17/25] pcmcia: i82092: fix a null pointer dereference bug Greg Kroah-Hartman
2021-08-13 15:06 ` [PATCH 4.4 18/25] reiserfs: add check for root_inode in reiserfs_fill_super Greg Kroah-Hartman
2021-08-13 15:06 ` [PATCH 4.4 19/25] reiserfs: check directory items on read from disk Greg Kroah-Hartman
2021-08-13 15:06 ` [PATCH 4.4 20/25] alpha: Send stop IPI to send to online CPUs Greg Kroah-Hartman
2021-08-13 15:06 ` [PATCH 4.4 21/25] net/qla3xxx: fix schedule while atomic in ql_wait_for_drvr_lock and ql_adapter_reset Greg Kroah-Hartman
2021-08-13 15:06 ` [PATCH 4.4 22/25] pipe: increase minimum default pipe size to 2 pages Greg Kroah-Hartman
2021-08-13 15:06 ` [PATCH 4.4 23/25] USB:ehci:fix Kunpeng920 ehci hardware problem Greg Kroah-Hartman
2021-08-13 15:06 ` [PATCH 4.4 24/25] net: xilinx_emaclite: Do not print real IOMEM pointer Greg Kroah-Hartman
2021-08-13 15:06 ` [PATCH 4.4 25/25] ovl: prevent private clone if bind mount is not allowed Greg Kroah-Hartman
2021-08-13 23:26 ` [PATCH 4.4 00/25] 4.4.281-rc1 review Shuah Khan
2021-08-14 14:20 ` Naresh Kamboju
2021-08-14 18:14 ` Guenter Roeck
2021-08-15 19:51 ` Pavel Machek
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210813150521.179685350@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=crope@iki.fi \
--cc=debiangamer2@gmail.com \
--cc=johan@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mchehab+huawei@kernel.org \
--cc=sean@mess.org \
--cc=stable@vger.kernel.org \
--cc=syzbot+faf11bbadc5a372564da@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).