From 5bbaa4232d8e1c0bd069926c0241a7c6574c272d Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Mon, 9 Aug 2021 11:57:25 +0200
Subject: [PATCH] 4.4-stable patches added patches: media-rtl28xxu-fix-zero-length-control-request.patch
---
 ...8xxu-fix-zero-length-control-request.patch | 58 +++++++++++++++++++
 queue-4.4/series | 1 +
 2 files changed, 59 insertions(+)
 create mode 100644 queue-4.4/media-rtl28xxu-fix-zero-length-control-request.patch
diff --git a/queue-4.4/media-rtl28xxu-fix-zero-length-control-request.patch b/queue-4.4/media-rtl28xxu-fix-zero-length-control-request.patch
new file mode 100644
index 00000000000..698b8241fcd
--- /dev/null
+++ b/queue-4.4/media-rtl28xxu-fix-zero-length-control-request.patch
@@ -0,0 +1,58 @@
+From 76f22c93b209c811bd489950f17f8839adb31901 Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Wed, 23 Jun 2021 10:45:21 +0200
+Subject: media: rtl28xxu: fix zero-length control request
+
+From: Johan Hovold
+
+commit 76f22c93b209c811bd489950f17f8839adb31901 upstream.
+
+The direction of the pipe argument must match the request-type direction
+bit or control requests may fail depending on the host-controller-driver
+implementation.
+
+Control transfers without a data stage are treated as OUT requests by
+the USB stack and should be using usb_sndctrlpipe(). Failing to do so
+will now trigger a warning.
+
+The driver uses a zero-length i2c-read request for type detection so
+update the control-request code to use usb_sndctrlpipe() in this case.
+
+Note that actually trying to read the i2c register in question does not
+work as the register might not exist (e.g. depending on the demodulator)
+as reported by Eero Lehtinen .
+
+Reported-by: syzbot+faf11bbadc5a372564da@syzkaller.appspotmail.com
+Reported-by: Eero Lehtinen
+Tested-by: Eero Lehtinen
+Fixes: d0f232e823af ("[media] rtl28xxu: add heuristic to detect chip type")
+Cc: stable@vger.kernel.org # 4.0
+Cc: Antti Palosaari
+Signed-off-by: Johan Hovold
+Signed-off-by: Sean Young
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/media/usb/dvb-usb-v2/rtl28xxu.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/usb/dvb-usb-v2/rtl28xxu.c
++++ b/drivers/media/usb/dvb-usb-v2/rtl28xxu.c
+@@ -50,7 +50,16 @@ static int rtl28xxu_ctrl_msg(struct dvb_
+ } else {
+ /* read */
+ requesttype = (USB_TYPE_VENDOR | USB_DIR_IN);
+- pipe = usb_rcvctrlpipe(d->udev, 0);
++
++ /*
++ * Zero-length transfers must use usb_sndctrlpipe() and
++ * rtl28xxu_identify_state() uses a zero-length i2c read
++ * command to determine the chip type.
++ */
++ if (req->size)
++ pipe = usb_rcvctrlpipe(d->udev, 0);
++ else
++ pipe = usb_sndctrlpipe(d->udev, 0);
+ }
+
+ ret = usb_control_msg(d->udev, pipe, 0, requesttype, req->value,
diff --git a/queue-4.4/series b/queue-4.4/series
index 3034a4c1b3d..eb435046a55 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -11,3 +11,4 @@ usb-serial-option-add-telit-fd980-composition-0x1056.patch
 usb-serial-ch341-fix-character-loss-at-high-transfer-rates.patch
 usb-serial-ftdi_sio-add-device-id-for-auto-m3-op-com-v2.patch
 scripts-tracing-fix-the-bug-that-can-t-parse-raw_trace_func.patch
+media-rtl28xxu-fix-zero-length-control-request.patch
-- 
2.47.3
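Review bot: In the zero-length branch of the queued rtl28xxu hunk, `requesttype` keeps `USB_DIR_IN` while the pipe becomes `usb_sndctrlpipe()`, and the added comment explains only the pipe choice, so the pair reads like the very direction mismatch the commit message warns about. Going by the commit message, the USB stack treats a transfer without a data stage as OUT regardless of that bit, so the combination appears intentional; the comment should say so, for example with an extra line ` * requesttype keeps USB_DIR_IN on purpose; only the pipe follows the no-data-stage OUT rule.` Without that, a later tidy-up that realigns the two could bring back the warning that syzbot reported, which matters on hosts that accept untrusted USB devices. `rtl28xxu_ctrl_msg()` begins and ends outside the hunk, so how the code after `usb_control_msg()` handles a `req->size` of zero cannot be checked from here.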