]> git.ipfire.org Git - thirdparty/kernel/stable-queue.git/commitdiff
4.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 9 Aug 2021 09:57:25 +0000 (11:57 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 9 Aug 2021 09:57:25 +0000 (11:57 +0200)
added patches:
media-rtl28xxu-fix-zero-length-control-request.patch

queue-4.4/media-rtl28xxu-fix-zero-length-control-request.patch [new file with mode: 0644]
queue-4.4/series

diff --git a/queue-4.4/media-rtl28xxu-fix-zero-length-control-request.patch b/queue-4.4/media-rtl28xxu-fix-zero-length-control-request.patch
new file mode 100644 (file)
index 0000000..698b824
--- /dev/null
@@ -0,0 +1,58 @@
+From 76f22c93b209c811bd489950f17f8839adb31901 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Wed, 23 Jun 2021 10:45:21 +0200
+Subject: media: rtl28xxu: fix zero-length control request
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 76f22c93b209c811bd489950f17f8839adb31901 upstream.
+
+The direction of the pipe argument must match the request-type direction
+bit or control requests may fail depending on the host-controller-driver
+implementation.
+
+Control transfers without a data stage are treated as OUT requests by
+the USB stack and should be using usb_sndctrlpipe(). Failing to do so
+will now trigger a warning.
+
+The driver uses a zero-length i2c-read request for type detection so
+update the control-request code to use usb_sndctrlpipe() in this case.
+
+Note that actually trying to read the i2c register in question does not
+work as the register might not exist (e.g. depending on the demodulator)
+as reported by Eero Lehtinen <debiangamer2@gmail.com>.
+
+Reported-by: syzbot+faf11bbadc5a372564da@syzkaller.appspotmail.com
+Reported-by: Eero Lehtinen <debiangamer2@gmail.com>
+Tested-by: Eero Lehtinen <debiangamer2@gmail.com>
+Fixes: d0f232e823af ("[media] rtl28xxu: add heuristic to detect chip type")
+Cc: stable@vger.kernel.org      # 4.0
+Cc: Antti Palosaari <crope@iki.fi>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/usb/dvb-usb-v2/rtl28xxu.c |   11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/usb/dvb-usb-v2/rtl28xxu.c
++++ b/drivers/media/usb/dvb-usb-v2/rtl28xxu.c
+@@ -50,7 +50,16 @@ static int rtl28xxu_ctrl_msg(struct dvb_
+       } else {
+               /* read */
+               requesttype = (USB_TYPE_VENDOR | USB_DIR_IN);
+-              pipe = usb_rcvctrlpipe(d->udev, 0);
++
++              /*
++               * Zero-length transfers must use usb_sndctrlpipe() and
++               * rtl28xxu_identify_state() uses a zero-length i2c read
++               * command to determine the chip type.
++               */
++              if (req->size)
++                      pipe = usb_rcvctrlpipe(d->udev, 0);
++              else
++                      pipe = usb_sndctrlpipe(d->udev, 0);
+       }
+       ret = usb_control_msg(d->udev, pipe, 0, requesttype, req->value,
index 3034a4c1b3d0f8371d283b32eee52138f0034c31..eb435046a55775b71ce651f8c2360ba473bd4644 100644 (file)
@@ -11,3 +11,4 @@ usb-serial-option-add-telit-fd980-composition-0x1056.patch
 usb-serial-ch341-fix-character-loss-at-high-transfer-rates.patch
 usb-serial-ftdi_sio-add-device-id-for-auto-m3-op-com-v2.patch
 scripts-tracing-fix-the-bug-that-can-t-parse-raw_trace_func.patch
+media-rtl28xxu-fix-zero-length-control-request.patch