github-mirror/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux.git synced 2026-06-07 14:04:54 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity Graph
9eeaa2d7d5
linux/drivers/usb
History
Alan Stern 10a805334a usb: usbtmc: Fix bug in pipe direction for control transfers 
commit e9b667a82c upstream.

The syzbot fuzzer reported a minor bug in the usbtmc driver:

usb 5-1: BOGUS control dir, pipe 80001e80 doesn't match bRequestType 0
WARNING: CPU: 0 PID: 3813 at drivers/usb/core/urb.c:412
usb_submit_urb+0x13a5/0x1970 drivers/usb/core/urb.c:410
Modules linked in:
CPU: 0 PID: 3813 Comm: syz-executor122 Not tainted
5.17.0-rc5-syzkaller-00306-g2293be58d6a1 #0
...
Call Trace:
 <TASK>
 usb_start_wait_urb+0x113/0x530 drivers/usb/core/message.c:58
 usb_internal_control_msg drivers/usb/core/message.c:102 [inline]
 usb_control_msg+0x2a5/0x4b0 drivers/usb/core/message.c:153
 usbtmc_ioctl_request drivers/usb/class/usbtmc.c:1947 [inline]

The problem is that usbtmc_ioctl_request() uses usb_rcvctrlpipe() for
all of its transfers, whether they are in or out.  It's easy to fix.

CC: <stable@vger.kernel.org>
Reported-and-tested-by: syzbot+a48e3d1a875240cab5de@syzkaller.appspotmail.com
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Link: https://lore.kernel.org/r/YiEsYTPEE6lOCOA5@rowland.harvard.edu
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2022-03-23 09:13:29 +01:00
..
atm usb: atm: don't use snprintf() for sysfs attrs 2020-08-25 19:11:18 +02:00
c67x00 Linux 5.9-rc3 2020-08-31 07:11:45 +02:00
cdns3 usb: cdns3: fix race condition before setting doorbell 2021-10-06 15:55:46 +02:00
chipidea usb: chipidea: ci_hdrc_imx: fix potential error pointer dereference in probe 2021-12-01 09:18:59 +01:00
class usb: usbtmc: Fix bug in pipe direction for control transfers 2022-03-23 09:13:29 +01:00
common usb: ulpi: Call of_node_put correctly 2022-02-16 12:54:28 +01:00
core USB: core: Fix hang in usb_kill_urb by adding memory barriers 2022-02-01 17:25:41 +01:00
dwc2 usb: dwc2: drd: fix soft connect when gadget is unconfigured 2022-03-02 11:42:55 +01:00
dwc3 usb: dwc3: gadget: Let the interrupt handler disable bottom halves. 2022-03-02 11:42:55 +01:00
early Revert "usb: early: convert to readl_poll_timeout_atomic()" 2021-12-22 09:30:56 +01:00
gadget usb: gadget: Fix use-after-free bug by not setting udc->dev.driver 2022-03-23 09:13:29 +01:00
host xhci: Prevent futile URB re-submissions due to incorrect return value. 2022-03-02 11:42:55 +01:00
image USB: microtek: use set_host_byte() 2020-09-16 12:42:10 +02:00
isp1760 usb: isp1760-hcd: convert to readl_poll_timeout_atomic() 2020-09-25 16:30:05 +02:00
misc usb: ftdi-elan: fix memory leak on device disconnect 2022-01-27 10:53:58 +01:00
mon USB: mon: Use scnprintf() for avoiding potential buffer overflow 2020-03-12 09:49:28 +01:00
mtu3 usb: mtu3: fix interval value for intr and isoc 2022-01-11 15:25:02 +01:00
musb usb: musb: tusb6010: check return value after calling platform_get_resource() 2021-11-26 10:39:08 +01:00
phy usb: phy: tahvo: add IRQ check 2021-09-15 09:50:40 +02:00
renesas_usbhs usb: renesas_usbhs: Fix superfluous irqs happen after usb_pkt_pop() 2021-07-28 14:35:44 +02:00
roles usb: roles: Call try_module_get() from usb_role_switch_find_by_fwnode() 2021-05-14 09:49:55 +02:00
serial USB: serial: option: add Telit LE910R1 compositions 2022-03-02 11:42:55 +01:00
storage usb-storage: Add unusual-devs entry for VL817 USB-SATA bridge 2022-02-01 17:25:41 +01:00
typec ucsi_ccg: Check DEV_INT bit only when starting CCG4 2022-02-01 17:25:41 +01:00
usbip usbip:vhci_hcd USB port can get stuck in the disabled state 2021-09-18 13:40:33 +02:00
Kconfig treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
Makefile
usb-skeleton.c