i2c: robotfuzz-osif: fix control-request directions

Message ID 20210524090912.3989-1-johan@kernel.org
State Accepted
Commit 4ca070ef0dd885616ef294d269a9bf8e3b258e1a
Headers show
Series
  • i2c: robotfuzz-osif: fix control-request directions
Related show

Commit Message

Johan Hovold May 24, 2021, 9:09 a.m.
The direction of the pipe argument must match the request-type direction
bit or control requests may fail depending on the host-controller-driver
implementation.

Control transfers without a data stage are treated as OUT requests by
the USB stack and should be using usb_sndctrlpipe(). Failing to do so
will now trigger a warning.

Fix the OSIFI2C_SET_BIT_RATE and OSIFI2C_STOP requests which erroneously
used the osif_usb_read() helper and set the IN direction bit.

Reported-by: syzbot+9d7dadd15b8819d73f41@syzkaller.appspotmail.com
Fixes: 83e53a8f120f ("i2c: Add bus driver for for OSIF USB i2c device.")
Cc: stable@vger.kernel.org      # 3.14
Cc: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: Johan Hovold <johan@kernel.org>
---
 drivers/i2c/busses/i2c-robotfuzz-osif.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

Comments

Johan Hovold June 23, 2021, 8:52 a.m. | #1
On Mon, May 24, 2021 at 11:09:12AM +0200, Johan Hovold wrote:
> The direction of the pipe argument must match the request-type direction

> bit or control requests may fail depending on the host-controller-driver

> implementation.

> 

> Control transfers without a data stage are treated as OUT requests by

> the USB stack and should be using usb_sndctrlpipe(). Failing to do so

> will now trigger a warning.

> 

> Fix the OSIFI2C_SET_BIT_RATE and OSIFI2C_STOP requests which erroneously

> used the osif_usb_read() helper and set the IN direction bit.

> 

> Reported-by: syzbot+9d7dadd15b8819d73f41@syzkaller.appspotmail.com

> Fixes: 83e53a8f120f ("i2c: Add bus driver for for OSIF USB i2c device.")

> Cc: stable@vger.kernel.org      # 3.14

> Cc: Andrew Lunn <andrew@lunn.ch>

> Signed-off-by: Johan Hovold <johan@kernel.org>

> ---


Wolfram, can you pick this one up for 5.14?

Johan

>  drivers/i2c/busses/i2c-robotfuzz-osif.c | 4 ++--

>  1 file changed, 2 insertions(+), 2 deletions(-)

> 

> diff --git a/drivers/i2c/busses/i2c-robotfuzz-osif.c b/drivers/i2c/busses/i2c-robotfuzz-osif.c

> index a39f7d092797..66dfa211e736 100644

> --- a/drivers/i2c/busses/i2c-robotfuzz-osif.c

> +++ b/drivers/i2c/busses/i2c-robotfuzz-osif.c

> @@ -83,7 +83,7 @@ static int osif_xfer(struct i2c_adapter *adapter, struct i2c_msg *msgs,

>  			}

>  		}

>  

> -		ret = osif_usb_read(adapter, OSIFI2C_STOP, 0, 0, NULL, 0);

> +		ret = osif_usb_write(adapter, OSIFI2C_STOP, 0, 0, NULL, 0);

>  		if (ret) {

>  			dev_err(&adapter->dev, "failure sending STOP\n");

>  			return -EREMOTEIO;

> @@ -153,7 +153,7 @@ static int osif_probe(struct usb_interface *interface,

>  	 * Set bus frequency. The frequency is:

>  	 * 120,000,000 / ( 16 + 2 * div * 4^prescale).

>  	 * Using dev = 52, prescale = 0 give 100KHz */

> -	ret = osif_usb_read(&priv->adapter, OSIFI2C_SET_BIT_RATE, 52, 0,

> +	ret = osif_usb_write(&priv->adapter, OSIFI2C_SET_BIT_RATE, 52, 0,

>  			    NULL, 0);

>  	if (ret) {

>  		dev_err(&interface->dev, "failure sending bit rate");
Wolfram Sang June 24, 2021, 8:10 p.m. | #2
On Wed, Jun 23, 2021 at 10:52:04AM +0200, Johan Hovold wrote:
> On Mon, May 24, 2021 at 11:09:12AM +0200, Johan Hovold wrote:
> > The direction of the pipe argument must match the request-type direction
> > bit or control requests may fail depending on the host-controller-driver
> > implementation.
> > 
> > Control transfers without a data stage are treated as OUT requests by
> > the USB stack and should be using usb_sndctrlpipe(). Failing to do so
> > will now trigger a warning.
> > 
> > Fix the OSIFI2C_SET_BIT_RATE and OSIFI2C_STOP requests which erroneously
> > used the osif_usb_read() helper and set the IN direction bit.
> > 
> > Reported-by: syzbot+9d7dadd15b8819d73f41@syzkaller.appspotmail.com
> > Fixes: 83e53a8f120f ("i2c: Add bus driver for for OSIF USB i2c device.")
> > Cc: stable@vger.kernel.org      # 3.14
> > Cc: Andrew Lunn <andrew@lunn.ch>
> > Signed-off-by: Johan Hovold <johan@kernel.org>
> > ---
> 
> Wolfram, can you pick this one up for 5.14?

Sorry, I thought Andrew was the maintainer of this driver and was
waiting for his ack. But he is not, this driver is unmaintained. So, I
trust you and picked it up now.

Applied to for-current, thanks!
Andrew Lunn June 24, 2021, 8:32 p.m. | #3
On Thu, Jun 24, 2021 at 10:10:17PM +0200, Wolfram Sang wrote:
> On Wed, Jun 23, 2021 at 10:52:04AM +0200, Johan Hovold wrote:

> > On Mon, May 24, 2021 at 11:09:12AM +0200, Johan Hovold wrote:

> > > The direction of the pipe argument must match the request-type direction

> > > bit or control requests may fail depending on the host-controller-driver

> > > implementation.

> > > 

> > > Control transfers without a data stage are treated as OUT requests by

> > > the USB stack and should be using usb_sndctrlpipe(). Failing to do so

> > > will now trigger a warning.

> > > 

> > > Fix the OSIFI2C_SET_BIT_RATE and OSIFI2C_STOP requests which erroneously

> > > used the osif_usb_read() helper and set the IN direction bit.

> > > 

> > > Reported-by: syzbot+9d7dadd15b8819d73f41@syzkaller.appspotmail.com

> > > Fixes: 83e53a8f120f ("i2c: Add bus driver for for OSIF USB i2c device.")

> > > Cc: stable@vger.kernel.org      # 3.14

> > > Cc: Andrew Lunn <andrew@lunn.ch>

> > > Signed-off-by: Johan Hovold <johan@kernel.org>

> > > ---

> > 

> > Wolfram, can you pick this one up for 5.14?

> 

> Sorry, I thought Andrew was the maintainer of this driver and was

> waiting for his ack.


Ah, sorry. I did take a quick look at the change, it seemed
sensible. But i've not used this hardware in years, i have no way to
test it, etc.

     Andrew
Johan Hovold June 25, 2021, 12:47 p.m. | #4
On Thu, Jun 24, 2021 at 10:10:17PM +0200, Wolfram Sang wrote:

> Sorry, I thought Andrew was the maintainer of this driver and was
> waiting for his ack. But he is not, this driver is unmaintained. So, I
> trust you and picked it up now.
> 
> Applied to for-current, thanks!

Perfect, thanks!

Johan

Patch

diff --git a/drivers/i2c/busses/i2c-robotfuzz-osif.c b/drivers/i2c/busses/i2c-robotfuzz-osif.c
index a39f7d092797..66dfa211e736 100644
--- a/drivers/i2c/busses/i2c-robotfuzz-osif.c
+++ b/drivers/i2c/busses/i2c-robotfuzz-osif.c
@@ -83,7 +83,7 @@  static int osif_xfer(struct i2c_adapter *adapter, struct i2c_msg *msgs,
 			}
 		}
 
-		ret = osif_usb_read(adapter, OSIFI2C_STOP, 0, 0, NULL, 0);
+		ret = osif_usb_write(adapter, OSIFI2C_STOP, 0, 0, NULL, 0);
 		if (ret) {
 			dev_err(&adapter->dev, "failure sending STOP\n");
 			return -EREMOTEIO;
@@ -153,7 +153,7 @@  static int osif_probe(struct usb_interface *interface,
 	 * Set bus frequency. The frequency is:
 	 * 120,000,000 / ( 16 + 2 * div * 4^prescale).
 	 * Using dev = 52, prescale = 0 give 100KHz */
-	ret = osif_usb_read(&priv->adapter, OSIFI2C_SET_BIT_RATE, 52, 0,
+	ret = osif_usb_write(&priv->adapter, OSIFI2C_SET_BIT_RATE, 52, 0,
 			    NULL, 0);
 	if (ret) {
 		dev_err(&interface->dev, "failure sending bit rate");