* [PATCH 2/3] media: gspca/sunplus: fix zero-length control requests [not found] <20210524110920.24599-1-johan@kernel.org> @ 2021-05-24 11:09 ` Johan Hovold 2021-05-24 11:09 ` [PATCH 3/3] media: rtl28xxu: fix zero-length control request Johan Hovold 1 sibling, 0 replies; 4+ messages in thread From: Johan Hovold @ 2021-05-24 11:09 UTC (permalink / raw) To: Mauro Carvalho Chehab Cc: Hans Verkuil, linux-media, linux-usb, linux-kernel, Johan Hovold, stable The direction of the pipe argument must match the request-type direction bit or control requests may fail depending on the host-controller-driver implementation. Control transfers without a data stage are treated as OUT requests by the USB stack and should be using usb_sndctrlpipe(). Failing to do so will now trigger a warning. Fix the single zero-length control request which was using the read-register helper, and update the helper so that zero-length reads fail with an error message instead. Fixes: 6a7eba24e4f0 ("V4L/DVB (8157): gspca: all subdrivers") Cc: stable@vger.kernel.org # 2.6.27 Signed-off-by: Johan Hovold <johan@kernel.org> --- drivers/media/usb/gspca/sunplus.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/drivers/media/usb/gspca/sunplus.c b/drivers/media/usb/gspca/sunplus.c index ace3da40006e..971dee0a56da 100644 --- a/drivers/media/usb/gspca/sunplus.c +++ b/drivers/media/usb/gspca/sunplus.c @@ -242,6 +242,10 @@ static void reg_r(struct gspca_dev *gspca_dev, gspca_err(gspca_dev, "reg_r: buffer overflow\n"); return; } + if (len == 0) { + gspca_err(gspca_dev, "reg_r: zero-length read\n"); + return; + } if (gspca_dev->usb_err < 0) return; ret = usb_control_msg(gspca_dev->dev, @@ -250,7 +254,7 @@ static void reg_r(struct gspca_dev *gspca_dev, USB_DIR_IN | USB_TYPE_VENDOR | USB_RECIP_DEVICE, 0, /* value */ index, - len ? gspca_dev->usb_buf : NULL, len, + gspca_dev->usb_buf, len, 500); if (ret < 0) { pr_err("reg_r err %d\n", ret); @@ -727,7 +731,7 @@ static int sd_start(struct gspca_dev *gspca_dev) case MegaImageVI: reg_w_riv(gspca_dev, 0xf0, 0, 0); spca504B_WaitCmdStatus(gspca_dev); - reg_r(gspca_dev, 0xf0, 4, 0); + reg_w_riv(gspca_dev, 0xf0, 4, 0); spca504B_WaitCmdStatus(gspca_dev); break; default: -- 2.26.3 ^ permalink raw reply related [flat|nested] 4+ messages in thread
* [PATCH 3/3] media: rtl28xxu: fix zero-length control request [not found] <20210524110920.24599-1-johan@kernel.org> 2021-05-24 11:09 ` [PATCH 2/3] media: gspca/sunplus: fix zero-length control requests Johan Hovold @ 2021-05-24 11:09 ` Johan Hovold 2021-05-31 7:55 ` Johan Hovold 1 sibling, 1 reply; 4+ messages in thread From: Johan Hovold @ 2021-05-24 11:09 UTC (permalink / raw) To: Mauro Carvalho Chehab Cc: Hans Verkuil, linux-media, linux-usb, linux-kernel, Johan Hovold, syzbot+faf11bbadc5a372564da, stable, Antti Palosaari The direction of the pipe argument must match the request-type direction bit or control requests may fail depending on the host-controller-driver implementation. Control transfers without a data stage are treated as OUT requests by the USB stack and should be using usb_sndctrlpipe(). Failing to do so will now trigger a warning. Fix the zero-length i2c-read request used for type detection by attempting to read a single byte instead. Reported-by: syzbot+faf11bbadc5a372564da@syzkaller.appspotmail.com Fixes: d0f232e823af ("[media] rtl28xxu: add heuristic to detect chip type") Cc: stable@vger.kernel.org # 4.0 Cc: Antti Palosaari <crope@iki.fi> Signed-off-by: Johan Hovold <johan@kernel.org> --- drivers/media/usb/dvb-usb-v2/rtl28xxu.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/media/usb/dvb-usb-v2/rtl28xxu.c b/drivers/media/usb/dvb-usb-v2/rtl28xxu.c index 97ed17a141bb..2c04ed8af0e4 100644 --- a/drivers/media/usb/dvb-usb-v2/rtl28xxu.c +++ b/drivers/media/usb/dvb-usb-v2/rtl28xxu.c @@ -612,8 +612,9 @@ static int rtl28xxu_read_config(struct dvb_usb_device *d) static int rtl28xxu_identify_state(struct dvb_usb_device *d, const char **name) { struct rtl28xxu_dev *dev = d_to_priv(d); + u8 buf[1]; int ret; - struct rtl28xxu_req req_demod_i2c = {0x0020, CMD_I2C_DA_RD, 0, NULL}; + struct rtl28xxu_req req_demod_i2c = {0x0020, CMD_I2C_DA_RD, 1, buf}; dev_dbg(&d->intf->dev, "\n"); -- 2.26.3 ^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH 3/3] media: rtl28xxu: fix zero-length control request 2021-05-24 11:09 ` [PATCH 3/3] media: rtl28xxu: fix zero-length control request Johan Hovold @ 2021-05-31 7:55 ` Johan Hovold 2021-06-07 7:34 ` Johan Hovold 0 siblings, 1 reply; 4+ messages in thread From: Johan Hovold @ 2021-05-31 7:55 UTC (permalink / raw) To: Mauro Carvalho Chehab Cc: Hans Verkuil, linux-media, linux-usb, linux-kernel, syzbot+faf11bbadc5a372564da, stable, Antti Palosaari On Mon, May 24, 2021 at 01:09:20PM +0200, Johan Hovold wrote: > The direction of the pipe argument must match the request-type direction > bit or control requests may fail depending on the host-controller-driver > implementation. > > Control transfers without a data stage are treated as OUT requests by > the USB stack and should be using usb_sndctrlpipe(). Failing to do so > will now trigger a warning. > > Fix the zero-length i2c-read request used for type detection by > attempting to read a single byte instead. > > Reported-by: syzbot+faf11bbadc5a372564da@syzkaller.appspotmail.com > Fixes: d0f232e823af ("[media] rtl28xxu: add heuristic to detect chip type") > Cc: stable@vger.kernel.org # 4.0 > Cc: Antti Palosaari <crope@iki.fi> > Signed-off-by: Johan Hovold <johan@kernel.org> > --- > drivers/media/usb/dvb-usb-v2/rtl28xxu.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/drivers/media/usb/dvb-usb-v2/rtl28xxu.c b/drivers/media/usb/dvb-usb-v2/rtl28xxu.c > index 97ed17a141bb..2c04ed8af0e4 100644 > --- a/drivers/media/usb/dvb-usb-v2/rtl28xxu.c > +++ b/drivers/media/usb/dvb-usb-v2/rtl28xxu.c > @@ -612,8 +612,9 @@ static int rtl28xxu_read_config(struct dvb_usb_device *d) > static int rtl28xxu_identify_state(struct dvb_usb_device *d, const char **name) > { > struct rtl28xxu_dev *dev = d_to_priv(d); > + u8 buf[1]; > int ret; > - struct rtl28xxu_req req_demod_i2c = {0x0020, CMD_I2C_DA_RD, 0, NULL}; > + struct rtl28xxu_req req_demod_i2c = {0x0020, CMD_I2C_DA_RD, 1, buf}; > > dev_dbg(&d->intf->dev, "\n"); As reported here https://lore.kernel.org/r/YLSVsrhMZ2oOL1vM@hovoldconsulting.com this patch is causing the chip type to no longer be detected correctly, so please drop this one for now until this has been resolved. Johan ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH 3/3] media: rtl28xxu: fix zero-length control request 2021-05-31 7:55 ` Johan Hovold @ 2021-06-07 7:34 ` Johan Hovold 0 siblings, 0 replies; 4+ messages in thread From: Johan Hovold @ 2021-06-07 7:34 UTC (permalink / raw) To: Mauro Carvalho Chehab Cc: Hans Verkuil, linux-media, linux-usb, linux-kernel, syzbot+faf11bbadc5a372564da, stable, Antti Palosaari On Mon, May 31, 2021 at 09:55:39AM +0200, Johan Hovold wrote: > On Mon, May 24, 2021 at 01:09:20PM +0200, Johan Hovold wrote: > > The direction of the pipe argument must match the request-type direction > > bit or control requests may fail depending on the host-controller-driver > > implementation. > > > > Control transfers without a data stage are treated as OUT requests by > > the USB stack and should be using usb_sndctrlpipe(). Failing to do so > > will now trigger a warning. > > > > Fix the zero-length i2c-read request used for type detection by > > attempting to read a single byte instead. > > > > Reported-by: syzbot+faf11bbadc5a372564da@syzkaller.appspotmail.com > > Fixes: d0f232e823af ("[media] rtl28xxu: add heuristic to detect chip type") > > Cc: stable@vger.kernel.org # 4.0 > > Cc: Antti Palosaari <crope@iki.fi> > > Signed-off-by: Johan Hovold <johan@kernel.org> > > --- > > drivers/media/usb/dvb-usb-v2/rtl28xxu.c | 3 ++- > > 1 file changed, 2 insertions(+), 1 deletion(-) > > > > diff --git a/drivers/media/usb/dvb-usb-v2/rtl28xxu.c b/drivers/media/usb/dvb-usb-v2/rtl28xxu.c > > index 97ed17a141bb..2c04ed8af0e4 100644 > > --- a/drivers/media/usb/dvb-usb-v2/rtl28xxu.c > > +++ b/drivers/media/usb/dvb-usb-v2/rtl28xxu.c > > @@ -612,8 +612,9 @@ static int rtl28xxu_read_config(struct dvb_usb_device *d) > > static int rtl28xxu_identify_state(struct dvb_usb_device *d, const char **name) > > { > > struct rtl28xxu_dev *dev = d_to_priv(d); > > + u8 buf[1]; > > int ret; > > - struct rtl28xxu_req req_demod_i2c = {0x0020, CMD_I2C_DA_RD, 0, NULL}; > > + struct rtl28xxu_req req_demod_i2c = {0x0020, CMD_I2C_DA_RD, 1, buf}; > > > > dev_dbg(&d->intf->dev, "\n"); > > As reported here > > https://lore.kernel.org/r/YLSVsrhMZ2oOL1vM@hovoldconsulting.com > > this patch is causing the chip type to no longer be detected correctly, > so please drop this one for now until this has been resolved. Looks like this one was applied to the media tree a couple of days after I sent this nonetheless. Can you drop this one in favour of the v2 posted here: https://lore.kernel.org/r/20210531094434.12651-4-johan@kernel.org or do you want me to send an incremental fix instead? Johan ^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2021-06-07 7:34 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <20210524110920.24599-1-johan@kernel.org>
2021-05-24 11:09 ` [PATCH 2/3] media: gspca/sunplus: fix zero-length control requests Johan Hovold
2021-05-24 11:09 ` [PATCH 3/3] media: rtl28xxu: fix zero-length control request Johan Hovold
2021-05-31 7:55 ` Johan Hovold
2021-06-07 7:34 ` Johan Hovold
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).