This is a note to let you know that I've just added the patch titled

    media: gspca/sunplus: fix zero-length control requests

to the 4.19-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     media-gspca-sunplus-fix-zero-length-control-requests.patch
and it can be found in the queue-4.19 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


>From b4bb4d425b7b02424afea2dfdcd77b3b4794175e Mon Sep 17 00:00:00 2001
From: Johan Hovold <johan@xxxxxxxxxx>
Date: Mon, 24 May 2021 13:09:19 +0200
Subject: media: gspca/sunplus: fix zero-length control requests

From: Johan Hovold <johan@xxxxxxxxxx>

commit b4bb4d425b7b02424afea2dfdcd77b3b4794175e upstream.

The direction of the pipe argument must match the request-type direction
bit or control requests may fail depending on the host-controller-driver
implementation.

Control transfers without a data stage are treated as OUT requests by
the USB stack and should be using usb_sndctrlpipe(). Failing to do so
will now trigger a warning.

Fix the single zero-length control request which was using the
read-register helper, and update the helper so that zero-length reads
fail with an error message instead.

Fixes: 6a7eba24e4f0 ("V4L/DVB (8157): gspca: all subdrivers")
Cc: stable@xxxxxxxxxxxxxxx      # 2.6.27
Signed-off-by: Johan Hovold <johan@xxxxxxxxxx>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xxxxxxxxx>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 drivers/media/usb/gspca/sunplus.c |    8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

--- a/drivers/media/usb/gspca/sunplus.c
+++ b/drivers/media/usb/gspca/sunplus.c
@@ -251,6 +251,10 @@ static void reg_r(struct gspca_dev *gspc gspca_err(gspca_dev, "reg_r: buffer overflow\n"); return; } + if (len == 0) { + gspca_err(gspca_dev, "reg_r: zero-length read\n"); + return; + } if (gspca_dev->usb_err < 0) return; ret = usb_control_msg(gspca_dev->dev, @@ -259,7 +263,7 @@ static void reg_r(struct gspca_dev *gspc USB_DIR_IN | USB_TYPE_VENDOR | USB_RECIP_DEVICE, 0, /* value */ index, - len ? gspca_dev->usb_buf : NULL, len, + gspca_dev->usb_buf, len, 500); if (ret < 0) { pr_err("reg_r err %d\n", ret); @@ -736,7 +740,7 @@ static int sd_start(struct gspca_dev *gs case MegaImageVI: reg_w_riv(gspca_dev, 0xf0, 0, 0); spca504B_WaitCmdStatus(gspca_dev); - reg_r(gspca_dev, 0xf0, 4, 0); + reg_w_riv(gspca_dev, 0xf0, 4, 0); spca504B_WaitCmdStatus(gspca_dev); break; default: Patches currently in stable-queue which might be from johan@xxxxxxxxxx are queue-4.19/media-gspca-sq905-fix-control-request-direction.patch queue-4.19/media-gspca-sunplus-fix-zero-length-control-requests.patch queue-4.19/media-gspca-gl860-fix-zero-length-control-requests.patch queue-4.19/input-usbtouchscreen-fix-control-request-directions.patch queue-4.19/media-rtl28xxu-fix-zero-length-control-request.patch queue-4.19/mmc-vub3000-fix-control-request-direction.patch queue-4.19/media-dtv5100-fix-control-request-directions.patch
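
Review bot: In the first hunk (@@ -251,6 +251,10 @@, reg_r), the new len == 0 branch logs "reg_r: zero-length read" and returns without recording a failure in gspca_dev->usb_err, even though the very next lines use that field to short-circuit later calls. A caller therefore cannot tell a rejected zero-length read from a successful one and may go on to consume stale usb_buf contents. Consider setting gspca_dev->usb_err to a negative errno (for example -EINVAL) in this branch, or state in the commit message that log-only failure is intended to match the "buffer overflow" branch just above, which returns the same way. The new check also sits ahead of the usb_err < 0 test, so the message is printed even when an earlier transfer has already failed; moving it below that test would avoid the extra log line.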
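
Review bot: In the second hunk (@@ -259,7 +263,7 @@, the usb_control_msg() call in reg_r), passing gspca_dev->usb_buf unconditionally is only correct because of the len == 0 early return added in the previous hunk. Nothing at the call site says so, and if that guard is later moved or dropped, a zero-length request with USB_DIR_IN in the request type goes out again with a non-NULL buffer. A one-line comment at the call noting that len is known to be non-zero here would keep the dependency visible.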
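
Review bot: In the third hunk (@@ -736,7 +740,7 @@, the MegaImageVI case in sd_start), the arguments 0xf0, 4, 0 are carried over positionally from reg_r() to reg_w_riv(), but the prototype of reg_w_riv() is not in the diff context. In reg_r() these were the request, the index and the length, with the value hard-coded ("0, /* value */" in the hunk above). The replacement puts the same setup packet on the wire only if reg_w_riv() takes request, index, value in that order, so that 4 is still sent as the index and the value stays 0. Please confirm that in the commit message. It would also help to say whether the change was tested on MegaImageVI hardware, since the request-type direction bit changes from IN to OUT for this command.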