The syzbot fuzzer reports that the smsusb driver doesn't check whether the endpoints it uses are actually Bulk: smsusb:smsusb_probe: board id=15, interface number 6 smsusb:siano_media_device_register: media controller created ------------[ cut here ]------------ usb 1-1: BOGUS urb xfer, pipe 3 != type 1 WARNING: CPU: 0 PID: 42 at drivers/usb/core/urb.c:503 usb_submit_urb+0xe4b/0x1730 drivers/usb/core/urb.c:503 ... Call Trace: <TASK> smsusb_submit_urb+0x288/0x410 drivers/media/usb/siano/smsusb.c:173 smsusb_start_streaming drivers/media/usb/siano/smsusb.c:197 [inline] smsusb_init_device+0x856/0xe10 drivers/media/usb/siano/smsusb.c:477 smsusb_probe+0x5e2/0x10b0 drivers/media/usb/siano/smsusb.c:575 The problem can be fixed by checking the endpoints' types along with their directions. Signed-off-by: Alan Stern <stern@xxxxxxxxxxxxxxxxxxx> Reported-by: syzbot+85e3ddbf0ddbfbc85f1e@xxxxxxxxxxxxxxxxxxxxxxxxx Tested-by: syzbot+85e3ddbf0ddbfbc85f1e@xxxxxxxxxxxxxxxxxxxxxxxxx Closes: https://lore.kernel.org/linux-usb/000000000000e45551061e558c37@xxxxxxxxxx/ Fixes: 31e0456de5be ("media: usb: siano: Fix general protection fault in smsusb") Cc: <stable@xxxxxxxxxxxxxxx> --- drivers/media/usb/siano/smsusb.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) Index: usb-devel/drivers/media/usb/siano/smsusb.c =================================================================== --- usb-devel.orig/drivers/media/usb/siano/smsusb.c +++ usb-devel/drivers/media/usb/siano/smsusb.c @@ -410,10 +410,10 @@ static int smsusb_init_device(struct usb struct usb_endpoint_descriptor *desc = &intf->cur_altsetting->endpoint[i].desc; - if (desc->bEndpointAddress & USB_DIR_IN) { + if (usb_endpoint_is_bulk_in(desc)) { dev->in_ep = desc->bEndpointAddress; align = usb_endpoint_maxp(desc) - sizeof(struct sms_msg_hdr); - } else { + } else if (usb_endpoint_is_bulk_out(desc)) { dev->out_ep = desc->bEndpointAddress; } }
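Review bot: In the new `} else if (usb_endpoint_is_bulk_out(desc)) {` branch, an endpoint that is neither bulk-in nor bulk-out is now skipped silently, so an interface that exposes no bulk endpoint in one or both directions leaves dev->in_ep and/or dev->out_ep at whatever value they held before the loop. The visible lines do not show what follows the loop, so please confirm that smsusb_init_device() fails the probe when either field is still unset (and when align comes out negative for a small usb_endpoint_maxp(desc)) before the streaming path submits URBs. The same loop keeps the last matching endpoint if the altsetting has more than one bulk-in or bulk-out endpoint; a one-line comment above the loop saying that only bulk endpoints are accepted and which one wins would document the intent behind the type check.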