Re: [PATCH AUTOSEL 5.13 06/21] USB: core: Fix incorrect pipe calculation in do_proc_control()

Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> · Tue, 27 Jul 2021 15:28:20 +0200

On Tue, Jul 27, 2021 at 09:18:53AM -0400, Sasha Levin wrote:
> From: Alan Stern <stern@xxxxxxxxxxxxxxxxxxx>
> 
> [ Upstream commit b0863f1927323110e3d0d69f6adb6a91018a9a3c ]
> 
> When the user submits a control URB via usbfs, the user supplies the
> bRequestType value and the kernel uses it to compute the pipe value.
> However, do_proc_control() performs this computation incorrectly in
> the case where the bRequestType direction bit is set to USB_DIR_IN and
> the URB's transfer length is 0: The pipe's direction is also set to IN
> but it should be OUT, which is the direction the actual transfer will
> use regardless of bRequestType.
> 
> Commit 5cc59c418fde ("USB: core: WARN if pipe direction != setup
> packet direction") added a check to compare the direction bit in the
> pipe value to a control URB's actual direction and to WARN if they are
> different.  This can be triggered by the incorrect computation
> mentioned above, as found by syzbot.
> 
> This patch fixes the computation, thus avoiding the WARNing.
> 
> Reported-and-tested-by: syzbot+72af3105289dcb4c055b@xxxxxxxxxxxxxxxxxxxxxxxxx
> Signed-off-by: Alan Stern <stern@xxxxxxxxxxxxxxxxxxx>
> Link: https://lore.kernel.org/r/20210712185436.GB326369@xxxxxxxxxxxxxxxxxxx
> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
> Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
> ---
>  drivers/usb/core/devio.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/usb/core/devio.c b/drivers/usb/core/devio.c
> index 2218941d35a3..73b60f013b20 100644
> --- a/drivers/usb/core/devio.c
> +++ b/drivers/usb/core/devio.c
> @@ -1133,7 +1133,7 @@ static int do_proc_control(struct usb_dev_state *ps,
>  		"wIndex=%04x wLength=%04x\n",
>  		ctrl->bRequestType, ctrl->bRequest, ctrl->wValue,
>  		ctrl->wIndex, ctrl->wLength);
> -	if (ctrl->bRequestType & 0x80) {
> +	if ((ctrl->bRequestType & USB_DIR_IN) && ctrl->wLength) {
>  		pipe = usb_rcvctrlpipe(dev, 0);
>  		snoop_urb(dev, NULL, pipe, ctrl->wLength, tmo, SUBMIT, NULL, 0);
>  
> -- 
> 2.30.2
> 

This is not needed in any kernel that does not also have 5cc59c418fde
("USB: core: WARN if pipe direction != setup packet direction"), which
showed up in 5.14-rc1, so please drop this from all of the AUTOSEL
trees.

thanks,

greg k-h