* [PATCH] media: rc: igorplugusb: Fix wrong pointer passed to usb_fill_control_urb()
@ 2026-06-16 21:43 Moksh Panicker
2026-06-17 9:03 ` Sean Young
0 siblings, 1 reply; 2+ messages in thread
From: Moksh Panicker @ 2026-06-16 21:43 UTC (permalink / raw)
To: sean
Cc: mchehab, linux-media, linux-kernel, skhan, Moksh Panicker,
syzbot+2599e08a22e4565ea9f9
ir->request is already a pointer to struct usb_ctrlrequest, so passing
&ir->request passes the address of the pointer rather than the pointer
itself. This causes usb_submit_urb() to read garbage as the URB setup
packet, resulting in a direction mismatch warning:
usb 1-1: BOGUS control dir, pipe doesn't match bRequestType
Fix this by passing ir->request directly instead of &ir->request.
Reported-by: syzbot+2599e08a22e4565ea9f9@syzkaller.appspot.com
Closes: https://syzkaller.appspot.com/bug?extid=2599e08a22e4565ea9f9
Signed-off-by: Moksh Panicker <mokshpanicker.7@gmail.com>
---
drivers/media/rc/igorplugusb.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/media/rc/igorplugusb.c b/drivers/media/rc/igorplugusb.c
index 3e10f6fe8..b5117ee9f 100644
--- a/drivers/media/rc/igorplugusb.c
+++ b/drivers/media/rc/igorplugusb.c
@@ -184,7 +184,7 @@ static int igorplugusb_probe(struct usb_interface *intf,
if (!ir->buf_in)
goto fail;
usb_fill_control_urb(ir->urb, udev,
- usb_rcvctrlpipe(udev, 0), (uint8_t *)&ir->request,
+ usb_rcvctrlpipe(udev, 0), (uint8_t *)ir->request,
ir->buf_in, MAX_PACKET, igorplugusb_callback, ir);
usb_make_path(udev, ir->phys, sizeof(ir->phys));
--
2.34.1
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH] media: rc: igorplugusb: Fix wrong pointer passed to usb_fill_control_urb()
2026-06-16 21:43 [PATCH] media: rc: igorplugusb: Fix wrong pointer passed to usb_fill_control_urb() Moksh Panicker
@ 2026-06-17 9:03 ` Sean Young
0 siblings, 0 replies; 2+ messages in thread
From: Sean Young @ 2026-06-17 9:03 UTC (permalink / raw)
To: Moksh Panicker
Cc: mchehab, linux-media, linux-kernel, skhan,
syzbot+2599e08a22e4565ea9f9
On Tue, Jun 16, 2026 at 09:43:34PM +0000, Moksh Panicker wrote:
> ir->request is already a pointer to struct usb_ctrlrequest, so passing
> &ir->request passes the address of the pointer rather than the pointer
> itself. This causes usb_submit_urb() to read garbage as the URB setup
> packet, resulting in a direction mismatch warning:
>
> usb 1-1: BOGUS control dir, pipe doesn't match bRequestType
>
> Fix this by passing ir->request directly instead of &ir->request.
Already fixed and merged upstream, see commit
171022c7d594c133a45f92357a2a91475edabe20.
Thanks,
Sean
>
> Reported-by: syzbot+2599e08a22e4565ea9f9@syzkaller.appspot.com
> Closes: https://syzkaller.appspot.com/bug?extid=2599e08a22e4565ea9f9
> Signed-off-by: Moksh Panicker <mokshpanicker.7@gmail.com>
> ---
> drivers/media/rc/igorplugusb.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/media/rc/igorplugusb.c b/drivers/media/rc/igorplugusb.c
> index 3e10f6fe8..b5117ee9f 100644
> --- a/drivers/media/rc/igorplugusb.c
> +++ b/drivers/media/rc/igorplugusb.c
> @@ -184,7 +184,7 @@ static int igorplugusb_probe(struct usb_interface *intf,
> if (!ir->buf_in)
> goto fail;
> usb_fill_control_urb(ir->urb, udev,
> - usb_rcvctrlpipe(udev, 0), (uint8_t *)&ir->request,
> + usb_rcvctrlpipe(udev, 0), (uint8_t *)ir->request,
> ir->buf_in, MAX_PACKET, igorplugusb_callback, ir);
>
> usb_make_path(udev, ir->phys, sizeof(ir->phys));
> --
> 2.34.1
>
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2026-06-17 9:03 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-06-16 21:43 [PATCH] media: rc: igorplugusb: Fix wrong pointer passed to usb_fill_control_urb() Moksh Panicker
2026-06-17 9:03 ` Sean Young
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox