From: Greg Kroah-Hartman Date: Mon, 13 Feb 2023 11:24:07 +0000 (+0100) Subject: 4.19-stable patches X-Git-Tag: v6.1.12~23 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=14dd7019936e34d9c3ee54ddf4f5e9ff21cbdb9f;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: net-usb-fix-wrong-direction-warning-in-plusb.c.patch --- diff --git a/queue-4.19/net-usb-fix-wrong-direction-warning-in-plusb.c.patch b/queue-4.19/net-usb-fix-wrong-direction-warning-in-plusb.c.patch new file mode 100644 index 00000000000..bdb0bde7d32 --- /dev/null +++ b/queue-4.19/net-usb-fix-wrong-direction-warning-in-plusb.c.patch 
@@ -0,0 +1,76 @@ +From 811d581194f7412eda97acc03d17fc77824b561f Mon Sep 17 00:00:00 2001 +From: Alan Stern +Date: Fri, 3 Feb 2023 14:32:09 -0500 +Subject: net: USB: Fix wrong-direction WARNING in plusb.c + +From: Alan Stern + +commit 811d581194f7412eda97acc03d17fc77824b561f upstream. + +The syzbot fuzzer detected a bug in the plusb network driver: A +zero-length control-OUT transfer was treated as a read instead of a +write. In modern kernels this error provokes a WARNING: + +usb 1-1: BOGUS control dir, pipe 80000280 doesn't match bRequestType c0 +WARNING: CPU: 0 PID: 4645 at drivers/usb/core/urb.c:411 +usb_submit_urb+0x14a7/0x1880 drivers/usb/core/urb.c:411 +Modules linked in: +CPU: 1 PID: 4645 Comm: dhcpcd Not tainted +6.2.0-rc6-syzkaller-00050-g9f266ccaa2f5 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google +01/12/2023 +RIP: 0010:usb_submit_urb+0x14a7/0x1880 drivers/usb/core/urb.c:411 +... +Call Trace: + + usb_start_wait_urb+0x101/0x4b0 drivers/usb/core/message.c:58 + usb_internal_control_msg drivers/usb/core/message.c:102 [inline] + usb_control_msg+0x320/0x4a0 drivers/usb/core/message.c:153 + __usbnet_read_cmd+0xb9/0x390 drivers/net/usb/usbnet.c:2010 + usbnet_read_cmd+0x96/0xf0 drivers/net/usb/usbnet.c:2068 + pl_vendor_req drivers/net/usb/plusb.c:60 [inline] + pl_set_QuickLink_features drivers/net/usb/plusb.c:75 [inline] + pl_reset+0x2f/0xf0 drivers/net/usb/plusb.c:85 + usbnet_open+0xcc/0x5d0 drivers/net/usb/usbnet.c:889 + __dev_open+0x297/0x4d0 net/core/dev.c:1417 + __dev_change_flags+0x587/0x750 net/core/dev.c:8530 + dev_change_flags+0x97/0x170 net/core/dev.c:8602 + devinet_ioctl+0x15a2/0x1d70 net/ipv4/devinet.c:1147 + inet_ioctl+0x33f/0x380 net/ipv4/af_inet.c:979 + sock_do_ioctl+0xcc/0x230 net/socket.c:1169 + sock_ioctl+0x1f8/0x680 net/socket.c:1286 + vfs_ioctl fs/ioctl.c:51 [inline] + __do_sys_ioctl fs/ioctl.c:870 [inline] + __se_sys_ioctl fs/ioctl.c:856 [inline] + __x64_sys_ioctl+0x197/0x210 fs/ioctl.c:856 + do_syscall_x64 
arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + +The fix is to call usbnet_write_cmd() instead of usbnet_read_cmd() and +remove the USB_DIR_IN flag. + +Reported-and-tested-by: syzbot+2a0e7abd24f1eb90ce25@syzkaller.appspotmail.com +Signed-off-by: Alan Stern +Fixes: 090ffa9d0e90 ("[PATCH] USB: usbnet (9/9) module for pl2301/2302 cables") +CC: stable@vger.kernel.org +Link: https://lore.kernel.org/r/00000000000052099f05f3b3e298@google.com/ +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/plusb.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/drivers/net/usb/plusb.c ++++ b/drivers/net/usb/plusb.c +@@ -69,9 +69,7 @@ + static inline int + pl_vendor_req(struct usbnet *dev, u8 req, u8 val, u8 index) + { +- return usbnet_read_cmd(dev, req, +- USB_DIR_IN | USB_TYPE_VENDOR | +- USB_RECIP_DEVICE, ++ return usbnet_write_cmd(dev, req, USB_TYPE_VENDOR | USB_RECIP_DEVICE, + val, index, NULL, 0); + } + diff --git a/queue-4.19/series b/queue-4.19/series index 5c3ed3a32e5..10f77b49212 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -53,3 +53,4 @@ pinctrl-aspeed-fix-confusing-types-in-return-value.patch pinctrl-single-fix-potential-null-dereference.patch pinctrl-intel-convert-unsigned-to-unsigned-int.patch pinctrl-intel-restore-the-pins-that-used-to-be-in-di.patch +net-usb-fix-wrong-direction-warning-in-plusb.c.patch
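Review bot: In pl_vendor_req() the replacement call passes `USB_TYPE_VENDOR | USB_RECIP_DEVICE` with no direction flag, so the OUT direction is only implied by USB_DIR_OUT being 0. Writing it as `USB_DIR_OUT | USB_TYPE_VENDOR | USB_RECIP_DEVICE` would state the intended direction at the call site and make a later regression to the wrong direction easier to spot. The commit message also says the WARNING fires "in modern kernels", so for the 4.19 queue it would help to record whether the direction check in usb_submit_urb() is present in that tree, or whether the change there is purely a correctness fix for the zero-length control-OUT request.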