From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 2F88A3246F4; Sun, 7 Jun 2026 10:26:03 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=100.103.45.18 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780827964; cv=none; b=pW9tG6HX7ZcXqMVgpramXZmfQgarr6L9SUvCw9Qwt6dB0xGsevsxjiwAcdoBv6xX6nLtuTe+Np7YmTbQUDwhJZeKSdXJ3J6Jrzm86wsZy6q2BqA8dsSZTWmEbx5gphzJ2CsnA2/x8s+3YP+/1/4O6hWqMrmJHb5Tgxqbu5G8JKA= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780827964; c=relaxed/simple; bh=UVtp+AnuE7MXNopfHv/v5J/OugOo6S2noJui+1Z3dHk=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=hN8E1USw8N8OZD1DwWApdlJm9IVGxPRknG1J9mjfB52EyrmVqD+F2hgsBxU5+0169pmbMRtNSO5keQd24feNx8haiKj83eLEAFZ6cKgjDtWHSavGY2YeoSPtDd2K7FzTEeAykGIDlxafFA+XiPtQbcrByALcbCcQ41FSQ0VJ5rA= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=1CE4nv6A; arc=none smtp.client-ip=100.103.45.18 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="1CE4nv6A" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 5D4FB1F00893; Sun, 7 Jun 2026 10:26:02 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linuxfoundation.org; s=korg; t=1780827963; bh=jnhJrtpZMyjNVjxEjA9fvVrWE2cAIJ2q3P6zEq5UCYk=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=1CE4nv6AiB+z8B2jKXgiyzsJEtDc9x5k9ro/LVq9Un8Z9VWwto0Cp1f/kKjaJI65P EP3rCBwrqTWqbCWmmBkmpc5LPN4ctEXEnNn1iLhcOm/RkxK+MzqepIwWL4i+xkJDRA j75Drifpw5TJNaEB4qirUQ6KVjo2XJFONw4hvMwA= From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, syzbot+11f0e4f957c7c3bf3d51@syzkaller.appspotmail.com, Henri A , Sean Young , Hans Verkuil Subject: [PATCH 6.18 116/315] media: rc: igorplugusb: fix control request setup packet Date: Sun, 7 Jun 2026 11:58:23 +0200 Message-ID: <20260607095731.895666527@linuxfoundation.org> X-Mailer: git-send-email 2.54.0 In-Reply-To: <20260607095727.528828913@linuxfoundation.org> References: <20260607095727.528828913@linuxfoundation.org> User-Agent: quilt/0.69 X-stable: review X-Patchwork-Hint: ignore Precedence: bulk X-Mailing-List: patches@lists.linux.dev List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit 6.18-stable review patch. If anyone has any objections, please let me know. ------------------ From: Henri A commit 171022c7d594c133a45f92357a2a91475edabe20 upstream. Commit eac69475b01f ("media: rc: igorplugusb: heed coherency rules") changed the control request storage from an embedded struct to an allocated pointer so it can obey DMA coherency rules. However, the driver still passes &ir->request to usb_fill_control_urb(). That points the URB setup packet at the pointer field itself rather than at the allocated struct usb_ctrlrequest. USB core then interprets pointer bytes as the setup packet. This can produce an invalid bRequestType and trigger the control direction warning reported by syzbot: usb 2-1: BOGUS control dir, pipe 80003580 doesn't match bRequestType 0 Pass ir->request itself as the setup packet. Fixes: eac69475b01f ("media: rc: igorplugusb: heed coherency rules") Reported-by: syzbot+11f0e4f957c7c3bf3d51@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=11f0e4f957c7c3bf3d51 Tested-by: syzbot+11f0e4f957c7c3bf3d51@syzkaller.appspotmail.com Cc: stable@vger.kernel.org Assisted-by: Codex:GPT-5.5 Signed-off-by: Henri A Signed-off-by: Sean Young Signed-off-by: Hans Verkuil Signed-off-by: Greg Kroah-Hartman --- drivers/media/rc/igorplugusb.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/drivers/media/rc/igorplugusb.c +++ b/drivers/media/rc/igorplugusb.c @@ -184,7 +184,7 @@ static int igorplugusb_probe(struct usb_ if (!ir->buf_in) goto fail; usb_fill_control_urb(ir->urb, udev, - usb_rcvctrlpipe(udev, 0), (uint8_t *)&ir->request, + usb_rcvctrlpipe(udev, 0), (uint8_t *)ir->request, ir->buf_in, MAX_PACKET, igorplugusb_callback, ir); usb_make_path(udev, ir->phys, sizeof(ir->phys));