From: Johan Hovold <johan@kernel.org>
To: Mauro Carvalho Chehab <mchehab@kernel.org>
Cc: Hans Verkuil <hverkuil@xs4all.nl>,
linux-media@vger.kernel.org, linux-usb@vger.kernel.org,
linux-kernel@vger.kernel.org, Johan Hovold <johan@kernel.org>,
syzbot+faf11bbadc5a372564da@syzkaller.appspotmail.com,
stable@vger.kernel.org, Antti Palosaari <crope@iki.fi>
Subject: [PATCH 3/3] media: rtl28xxu: fix zero-length control request
Date: Mon, 24 May 2021 13:09:20 +0200 [thread overview]
Message-ID: <20210524110920.24599-4-johan@kernel.org> (raw)
In-Reply-To: <20210524110920.24599-1-johan@kernel.org>
The direction of the pipe argument must match the request-type direction
bit or control requests may fail depending on the host-controller-driver
implementation.
Control transfers without a data stage are treated as OUT requests by
the USB stack and should be using usb_sndctrlpipe(). Failing to do so
will now trigger a warning.
Fix the zero-length i2c-read request used for type detection by
attempting to read a single byte instead.
Reported-by: syzbot+faf11bbadc5a372564da@syzkaller.appspotmail.com
Fixes: d0f232e823af ("[media] rtl28xxu: add heuristic to detect chip type")
Cc: stable@vger.kernel.org # 4.0
Cc: Antti Palosaari <crope@iki.fi>
Signed-off-by: Johan Hovold <johan@kernel.org>
---
drivers/media/usb/dvb-usb-v2/rtl28xxu.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/media/usb/dvb-usb-v2/rtl28xxu.c b/drivers/media/usb/dvb-usb-v2/rtl28xxu.c
index 97ed17a141bb..2c04ed8af0e4 100644
--- a/drivers/media/usb/dvb-usb-v2/rtl28xxu.c
+++ b/drivers/media/usb/dvb-usb-v2/rtl28xxu.c
@@ -612,8 +612,9 @@ static int rtl28xxu_read_config(struct dvb_usb_device *d)
static int rtl28xxu_identify_state(struct dvb_usb_device *d, const char **name)
{
struct rtl28xxu_dev *dev = d_to_priv(d);
+ u8 buf[1];
int ret;
- struct rtl28xxu_req req_demod_i2c = {0x0020, CMD_I2C_DA_RD, 0, NULL};
+ struct rtl28xxu_req req_demod_i2c = {0x0020, CMD_I2C_DA_RD, 1, buf};
dev_dbg(&d->intf->dev, "\n");
--
2.26.3
next prev parent reply other threads:[~2021-05-24 11:10 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-05-24 11:09 [PATCH 0/3] media: fix zero-length USB control requests Johan Hovold
2021-05-24 11:09 ` [PATCH 1/3] media: gspca/gl860: fix zero-length " Johan Hovold
2021-05-24 11:09 ` [PATCH 2/3] media: gspca/sunplus: " Johan Hovold
2021-05-24 11:09 ` Johan Hovold [this message]
2021-05-31 7:55 ` [PATCH 3/3] media: rtl28xxu: fix zero-length control request Johan Hovold
2021-06-07 7:34 ` Johan Hovold
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210524110920.24599-4-johan@kernel.org \
--to=johan@kernel.org \
--cc=crope@iki.fi \
--cc=hverkuil@xs4all.nl \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-media@vger.kernel.org \
--cc=linux-usb@vger.kernel.org \
--cc=mchehab@kernel.org \
--cc=stable@vger.kernel.org \
--cc=syzbot+faf11bbadc5a372564da@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.