github-mirror/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux.git synced 2026-06-07 14:04:54 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity Graph
9c28189bb6
linux/drivers/media
History
Alan Stern 587f793c64 media: mceusb: Use new usb_control_msg_*() routines 
commit 608e58a0f4 upstream.

Automatic kernel fuzzing led to a WARN about invalid pipe direction in
the mceusb driver:

------------[ cut here ]------------
usb 6-1: BOGUS control dir, pipe 80000380 doesn't match bRequestType 40
WARNING: CPU: 0 PID: 2465 at drivers/usb/core/urb.c:410
usb_submit_urb+0x1326/0x1820 drivers/usb/core/urb.c:410
Modules linked in:
CPU: 0 PID: 2465 Comm: kworker/0:2 Not tainted 5.19.0-rc4-00208-g69cb6c6556ad #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
1.13.0-1ubuntu1.1 04/01/2014
Workqueue: usb_hub_wq hub_event
RIP: 0010:usb_submit_urb+0x1326/0x1820 drivers/usb/core/urb.c:410
Code: 7c 24 40 e8 ac 23 91 fd 48 8b 7c 24 40 e8 b2 70 1b ff 45 89 e8
44 89 f1 4c 89 e2 48 89 c6 48 c7 c7 a0 30 a9 86 e8 48 07 11 02 <0f> 0b
e9 1c f0 ff ff e8 7e 23 91 fd 0f b6 1d 63 22 83 05 31 ff 41
RSP: 0018:ffffc900032becf0 EFLAGS: 00010282
RAX: 0000000000000000 RBX: ffff8881100f3058 RCX: 0000000000000000
RDX: ffffc90004961000 RSI: ffff888114c6d580 RDI: fffff52000657d90
RBP: ffff888105ad90f0 R08: ffffffff812c3638 R09: 0000000000000000
R10: 0000000000000005 R11: ffffed1023504ef1 R12: ffff888105ad9000
R13: 0000000000000040 R14: 0000000080000380 R15: ffff88810ba96500
FS: 0000000000000000(0000) GS:ffff88811a800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffe810bda58 CR3: 000000010b720000 CR4: 0000000000350ef0
Call Trace:
<TASK>
usb_start_wait_urb+0x101/0x4c0 drivers/usb/core/message.c:58
usb_internal_control_msg drivers/usb/core/message.c:102 [inline]
usb_control_msg+0x31c/0x4a0 drivers/usb/core/message.c:153
mceusb_gen1_init drivers/media/rc/mceusb.c:1431 [inline]
mceusb_dev_probe+0x258e/0x33f0 drivers/media/rc/mceusb.c:1807

The reason for the warning is clear enough; the driver sends an
unusual read request on endpoint 0 but does not set the USB_DIR_IN bit
in the bRequestType field.

More importantly, the whole situation can be avoided and the driver
simplified by converting it over to the relatively new
usb_control_msg_recv() and usb_control_msg_send() routines.  That's
what this fix does.

Link: https://lore.kernel.org/all/CAB7eexLLApHJwZfMQ=X-PtRhw0BgO+5KcSMS05FNUYejJXqtSA@mail.gmail.com/
Cc: Mauro Carvalho Chehab <mchehab@kernel.org>
Cc: stable@vger.kernel.org
Reported-and-tested-by: Rondreis <linhaoguo86@gmail.com>
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Link: https://lore.kernel.org/r/YwkfnBFCSEVC6XZu@rowland.harvard.edu
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2022-09-08 11:11:39 +02:00
..
cec media: cec-adap.c: fix is_configuring state 2022-06-09 10:20:55 +02:00
common media: saa7146: hexium_gemini: Fix a NULL pointer dereference in hexium_attach() 2022-01-27 10:54:16 +01:00
dvb-core media: dmxdev: fix UAF when dvb_register_device() fails 2022-01-27 10:53:49 +01:00
dvb-frontends media: dib8000: Fix a memleak in dib8000_init() 2022-01-27 10:53:54 +01:00
firewire media: firewire: firedtv-avc: fix a buffer overflow in avc_ca_pmt() 2021-11-06 14:10:09 +01:00
i2c media: ov7670: remove ov7670_power_off from ov7670_remove 2022-06-09 10:21:10 +02:00
mc media: Fix Media Controller API config checks 2021-07-14 16:55:56 +02:00
mmc
pci media: tw686x: Fix memory leak in tw686x_video_init 2022-08-21 15:15:42 +02:00
platform media: platform: mtk-mdp: Fix mdp_ipi_comm structure alignment 2022-08-21 15:15:46 +02:00
radio media: si470x-i2c: fix possible memory leak in si470x_i2c_probe() 2022-01-27 10:53:51 +01:00
rc media: mceusb: Use new usb_control_msg_*() routines 2022-09-08 11:11:39 +02:00
spi media: cxd2880-spi: Fix a null pointer dereference on error handling path 2021-11-18 14:04:04 +01:00
test-drivers media: vim2m: initialize the media device earlier 2022-05-30 09:33:23 +02:00
tuners media: msi001: fix possible null-ptr-deref in msi001_probe() 2022-01-27 10:53:56 +01:00
usb media: pvrusb2: fix memory leak in pvr_probe 2022-09-05 10:28:56 +02:00
v4l2-core media: v4l2-mem2mem: prevent pollerr when last_buffer_dequeued is set 2022-08-21 15:15:41 +02:00
Kconfig media: correct MEDIA_TEST_SUPPORT help text 2022-01-27 10:54:29 +01:00
Makefile