From patchwork Mon May 24 11:09:19 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Johan Hovold X-Patchwork-Id: 448121 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-19.4 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, INCLUDES_CR_TRAILER, INCLUDES_PATCH, MAILING_LIST_MULTI, SPF_HELO_NONE, SPF_PASS, USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 339F9C47086 for ; Mon, 24 May 2021 11:09:49 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 1C94661002 for ; Mon, 24 May 2021 11:09:49 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232701AbhEXLLP (ORCPT ); Mon, 24 May 2021 07:11:15 -0400 Received: from mail.kernel.org ([198.145.29.99]:36646 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232730AbhEXLLK (ORCPT ); Mon, 24 May 2021 07:11:10 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id 89C45611CD; Mon, 24 May 2021 11:09:41 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1621854581; bh=1QEq8RH7DvUtvkEg63hz04yhGqG8J5VEkIdq8eVbWuc=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=A+WYg/59ib2G8P3tUR+dUt1WyijqSP1MBlOgplWaeqfXdd1vAZXX6b94V4esRgNyN ZbE4F9JIaD0NKYdIyBBWErteOSeCMjnG/xl+YmCUkDuoy6QyvIRIG5NORw7IyCISaa rYvzr08fsQ96c3ooYPSZSYAjy0QtLMhSzr9A67sKQQbGSmRtXYIbuBx/f9wb7Hqm15 SnO1t0q2WlgoCIwuf1J23H3lMuIm4ejhKAOXcfqp1xGOVgmTGEHxMHqPNgWURRFNqI +PqfpNm3pGqVXp11LgrvXkcvoIKOoRQCZWlWh2Krzt8ZMRAtkBPuENhfEoWcRV9cir bi/mfj6kKahmQ== Received: from johan by xi.lan with local (Exim 4.94.2) (envelope-from ) id 1ll8Sp-0006Pr-EZ; Mon, 24 May 2021 13:09:39 +0200 From: Johan Hovold To: Mauro Carvalho Chehab Cc: Hans Verkuil , linux-media@vger.kernel.org, linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, Johan Hovold , stable@vger.kernel.org Subject: [PATCH 2/3] media: gspca/sunplus: fix zero-length control requests Date: Mon, 24 May 2021 13:09:19 +0200 Message-Id: <20210524110920.24599-3-johan@kernel.org> X-Mailer: git-send-email 2.26.3 In-Reply-To: <20210524110920.24599-1-johan@kernel.org> References: <20210524110920.24599-1-johan@kernel.org> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org The direction of the pipe argument must match the request-type direction bit or control requests may fail depending on the host-controller-driver implementation. Control transfers without a data stage are treated as OUT requests by the USB stack and should be using usb_sndctrlpipe(). Failing to do so will now trigger a warning. Fix the single zero-length control request which was using the read-register helper, and update the helper so that zero-length reads fail with an error message instead. Fixes: 6a7eba24e4f0 ("V4L/DVB (8157): gspca: all subdrivers") Cc: stable@vger.kernel.org # 2.6.27 Signed-off-by: Johan Hovold --- drivers/media/usb/gspca/sunplus.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/drivers/media/usb/gspca/sunplus.c b/drivers/media/usb/gspca/sunplus.c index ace3da40006e..971dee0a56da 100644 --- a/drivers/media/usb/gspca/sunplus.c +++ b/drivers/media/usb/gspca/sunplus.c @@ -242,6 +242,10 @@ static void reg_r(struct gspca_dev *gspca_dev, gspca_err(gspca_dev, "reg_r: buffer overflow\n"); return; } + if (len == 0) { + gspca_err(gspca_dev, "reg_r: zero-length read\n"); + return; + } if (gspca_dev->usb_err < 0) return; ret = usb_control_msg(gspca_dev->dev, @@ -250,7 +254,7 @@ static void reg_r(struct gspca_dev *gspca_dev, USB_DIR_IN | USB_TYPE_VENDOR | USB_RECIP_DEVICE, 0, /* value */ index, - len ? gspca_dev->usb_buf : NULL, len, + gspca_dev->usb_buf, len, 500); if (ret < 0) { pr_err("reg_r err %d\n", ret); @@ -727,7 +731,7 @@ static int sd_start(struct gspca_dev *gspca_dev) case MegaImageVI: reg_w_riv(gspca_dev, 0xf0, 0, 0); spca504B_WaitCmdStatus(gspca_dev); - reg_r(gspca_dev, 0xf0, 4, 0); + reg_w_riv(gspca_dev, 0xf0, 4, 0); spca504B_WaitCmdStatus(gspca_dev); break; default: From patchwork Mon May 24 11:09:20 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Johan Hovold X-Patchwork-Id: 447065 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-19.4 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, INCLUDES_CR_TRAILER, INCLUDES_PATCH, MAILING_LIST_MULTI, SPF_HELO_NONE, SPF_PASS, USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 32315C04FF3 for ; Mon, 24 May 2021 11:09:48 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 1608461151 for ; Mon, 24 May 2021 11:09:48 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232753AbhEXLLO (ORCPT ); Mon, 24 May 2021 07:11:14 -0400 Received: from mail.kernel.org ([198.145.29.99]:36702 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232734AbhEXLLK (ORCPT ); Mon, 24 May 2021 07:11:10 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id 8775361153; Mon, 24 May 2021 11:09:42 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1621854582; bh=GVsPUYUbH6Fhhs9/c1HYG789KkLiGQmAFPvGxAEzfZw=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=hcwVbcNJ0Akpo4wTKnWBaTfvzngnBY9pvoRnrM6kiZoEiZBS+zyPHwbmI6J7k3Vfu +kmyyh5jCP5lGK4RelfJJgRC0u09ocQLXuL271GdSQQe5HOQ3UB+oyPyiL7tYWdrzF Efe217s5NENfYhE7A7VEFcDvj9lT/WNUulhVDllPe81oFARpMfKxSsxqHqCxCLDQSW TAHoOFJMTP0KrPiYaxuelbp3HiYJkeVXI65AHxn0dEbwWzzYhDAqkfpm1hWlc0bEyi EDgPW+nqgGTzB+tkXrfDEX+q/zR+EiUdz8JC6ZL05m/CDLo/kS9jE2eAfMtUwRR2J5 cwod2wQaCBeNA== Received: from johan by xi.lan with local (Exim 4.94.2) (envelope-from ) id 1ll8Sp-0006Pt-Hr; Mon, 24 May 2021 13:09:39 +0200 From: Johan Hovold To: Mauro Carvalho Chehab Cc: Hans Verkuil , linux-media@vger.kernel.org, linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, Johan Hovold , syzbot+faf11bbadc5a372564da@syzkaller.appspotmail.com, stable@vger.kernel.org, Antti Palosaari Subject: [PATCH 3/3] media: rtl28xxu: fix zero-length control request Date: Mon, 24 May 2021 13:09:20 +0200 Message-Id: <20210524110920.24599-4-johan@kernel.org> X-Mailer: git-send-email 2.26.3 In-Reply-To: <20210524110920.24599-1-johan@kernel.org> References: <20210524110920.24599-1-johan@kernel.org> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org The direction of the pipe argument must match the request-type direction bit or control requests may fail depending on the host-controller-driver implementation. Control transfers without a data stage are treated as OUT requests by the USB stack and should be using usb_sndctrlpipe(). Failing to do so will now trigger a warning. Fix the zero-length i2c-read request used for type detection by attempting to read a single byte instead. Reported-by: syzbot+faf11bbadc5a372564da@syzkaller.appspotmail.com Fixes: d0f232e823af ("[media] rtl28xxu: add heuristic to detect chip type") Cc: stable@vger.kernel.org # 4.0 Cc: Antti Palosaari Signed-off-by: Johan Hovold --- drivers/media/usb/dvb-usb-v2/rtl28xxu.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/media/usb/dvb-usb-v2/rtl28xxu.c b/drivers/media/usb/dvb-usb-v2/rtl28xxu.c index 97ed17a141bb..2c04ed8af0e4 100644 --- a/drivers/media/usb/dvb-usb-v2/rtl28xxu.c +++ b/drivers/media/usb/dvb-usb-v2/rtl28xxu.c @@ -612,8 +612,9 @@ static int rtl28xxu_read_config(struct dvb_usb_device *d) static int rtl28xxu_identify_state(struct dvb_usb_device *d, const char **name) { struct rtl28xxu_dev *dev = d_to_priv(d); + u8 buf[1]; int ret; - struct rtl28xxu_req req_demod_i2c = {0x0020, CMD_I2C_DA_RD, 0, NULL}; + struct rtl28xxu_req req_demod_i2c = {0x0020, CMD_I2C_DA_RD, 1, buf}; dev_dbg(&d->intf->dev, "\n");