lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <20251221171542.47748-1-swilczek.lx@gmail.com>
Date: Sun, 21 Dec 2025 18:15:42 +0100
From: Szymon Wilczek <swilczek.lx@...il.com>
To: mchehab@...nel.org
Cc: hverkuil+cisco@...nel.org,
	linux-media@...r.kernel.org,
	linux-kernel@...r.kernel.org,
	syzkaller-bugs@...glegroups.com,
	Szymon Wilczek <swilczek.lx@...il.com>,
	syzbot+e6a50a2e7cbb4f775d04@...kaller.appspotmail.com
Subject: [PATCH] media: dtv5100: fix BOGUS control dir warning on 0-length reads

The kernel's usb_submit_urb() validates that 0-length control transfers
use an OUT pipe, since there is no data stage direction to enforce.

The dtv5100 driver uses usb_rcvctrlpipe() (IN pipe) for all reads,
including 0-length ones (when rlen is 0). This triggers the 'BOGUS
control dir' warning in usb_submit_urb().

Fix this by using usb_sndctrlpipe() (OUT pipe) when rlen is 0,
satisfying the kernel's validation while maintaining correct protocol
behavior for Setup packets.

Reported-by: syzbot+e6a50a2e7cbb4f775d04@...kaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=e6a50a2e7cbb4f775d04
Signed-off-by: Szymon Wilczek <swilczek.lx@...il.com>
---
 drivers/media/usb/dvb-usb/dtv5100.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/media/usb/dvb-usb/dtv5100.c b/drivers/media/usb/dvb-usb/dtv5100.c
index c448e2ebda1a..a16406cc8db7 100644
--- a/drivers/media/usb/dvb-usb/dtv5100.c
+++ b/drivers/media/usb/dvb-usb/dtv5100.c
@@ -62,8 +62,8 @@ static int dtv5100_i2c_msg(struct dvb_usb_device *d, u8 addr,
 
 	memcpy(st->data, rbuf, rlen);
 	msleep(1); /* avoid I2C errors */
-	return usb_control_msg(d->udev, pipe, request,
-			       type, value, index, st->data, rlen,
+	return usb_control_msg(d->udev, rlen ? pipe : usb_sndctrlpipe(d->udev, 0),
+			       request, type, value, index, st->data, rlen,
 			       DTV5100_USB_TIMEOUT);
 }
 
-- 
2.52.0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ