This is a note to let you know that I've just added the patch titled media: rtl28xxu: fix zero-length control request to the 4.14-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: media-rtl28xxu-fix-zero-length-control-request.patch and it can be found in the queue-4.14 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. >From 25d5ce3a606a1eb23a9265d615a92a876ff9cb5f Mon Sep 17 00:00:00 2001 From: Johan Hovold <johan@xxxxxxxxxx> Date: Mon, 24 May 2021 13:09:20 +0200 Subject: media: rtl28xxu: fix zero-length control request From: Johan Hovold <johan@xxxxxxxxxx> commit 25d5ce3a606a1eb23a9265d615a92a876ff9cb5f upstream. The direction of the pipe argument must match the request-type direction bit or control requests may fail depending on the host-controller-driver implementation. Control transfers without a data stage are treated as OUT requests by the USB stack and should be using usb_sndctrlpipe(). Failing to do so will now trigger a warning. Fix the zero-length i2c-read request used for type detection by attempting to read a single byte instead. Reported-by: syzbot+faf11bbadc5a372564da@xxxxxxxxxxxxxxxxxxxxxxxxx Fixes: d0f232e823af ("[media] rtl28xxu: add heuristic to detect chip type") Cc: stable@xxxxxxxxxxxxxxx # 4.0 Cc: Antti Palosaari <crope@xxxxxx> Signed-off-by: Johan Hovold <johan@xxxxxxxxxx> Signed-off-by: Hans Verkuil <hverkuil-cisco@xxxxxxxxx> Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@xxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- drivers/media/usb/dvb-usb-v2/rtl28xxu.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) --- a/drivers/media/usb/dvb-usb-v2/rtl28xxu.c +++ b/drivers/media/usb/dvb-usb-v2/rtl28xxu.c @@ -603,8 +603,9 @@ static int rtl28xxu_read_config(struct d static int rtl28xxu_identify_state(struct dvb_usb_device *d, const char **name) { struct rtl28xxu_dev *dev = d_to_priv(d); + u8 buf[1]; int ret; - struct rtl28xxu_req req_demod_i2c = {0x0020, CMD_I2C_DA_RD, 0, NULL}; + struct rtl28xxu_req req_demod_i2c = {0x0020, CMD_I2C_DA_RD, 1, buf}; dev_dbg(&d->intf->dev, "\n"); Patches currently in stable-queue which might be from johan@xxxxxxxxxx are queue-4.14/media-gspca-sq905-fix-control-request-direction.patch queue-4.14/media-gspca-sunplus-fix-zero-length-control-requests.patch queue-4.14/input-usbtouchscreen-fix-control-request-directions.patch queue-4.14/media-rtl28xxu-fix-zero-length-control-request.patch queue-4.14/mmc-vub3000-fix-control-request-direction.patch queue-4.14/media-dtv5100-fix-control-request-directions.patch