This is a note to let you know that I've just added the patch titled media: rtl28xxu: fix zero-length control request to the 4.14-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: media-rtl28xxu-fix-zero-length-control-request.patch and it can be found in the queue-4.14 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. >From 76f22c93b209c811bd489950f17f8839adb31901 Mon Sep 17 00:00:00 2001 From: Johan Hovold <johan@xxxxxxxxxx> Date: Wed, 23 Jun 2021 10:45:21 +0200 Subject: media: rtl28xxu: fix zero-length control request From: Johan Hovold <johan@xxxxxxxxxx> commit 76f22c93b209c811bd489950f17f8839adb31901 upstream. The direction of the pipe argument must match the request-type direction bit or control requests may fail depending on the host-controller-driver implementation. Control transfers without a data stage are treated as OUT requests by the USB stack and should be using usb_sndctrlpipe(). Failing to do so will now trigger a warning. The driver uses a zero-length i2c-read request for type detection so update the control-request code to use usb_sndctrlpipe() in this case. Note that actually trying to read the i2c register in question does not work as the register might not exist (e.g. depending on the demodulator) as reported by Eero Lehtinen <debiangamer2@xxxxxxxxx>. Reported-by: syzbot+faf11bbadc5a372564da@xxxxxxxxxxxxxxxxxxxxxxxxx Reported-by: Eero Lehtinen <debiangamer2@xxxxxxxxx> Tested-by: Eero Lehtinen <debiangamer2@xxxxxxxxx> Fixes: d0f232e823af ("[media] rtl28xxu: add heuristic to detect chip type") Cc: stable@xxxxxxxxxxxxxxx # 4.0 Cc: Antti Palosaari <crope@xxxxxx> Signed-off-by: Johan Hovold <johan@xxxxxxxxxx> Signed-off-by: Sean Young <sean@xxxxxxxx> Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@xxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- drivers/media/usb/dvb-usb-v2/rtl28xxu.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) --- a/drivers/media/usb/dvb-usb-v2/rtl28xxu.c +++ b/drivers/media/usb/dvb-usb-v2/rtl28xxu.c @@ -50,7 +50,16 @@ static int rtl28xxu_ctrl_msg(struct dvb_ } else { /* read */ requesttype = (USB_TYPE_VENDOR | USB_DIR_IN); - pipe = usb_rcvctrlpipe(d->udev, 0); + + /* + * Zero-length transfers must use usb_sndctrlpipe() and + * rtl28xxu_identify_state() uses a zero-length i2c read + * command to determine the chip type. + */ + if (req->size) + pipe = usb_rcvctrlpipe(d->udev, 0); + else + pipe = usb_sndctrlpipe(d->udev, 0); } ret = usb_control_msg(d->udev, pipe, 0, requesttype, req->value, Patches currently in stable-queue which might be from johan@xxxxxxxxxx are queue-4.14/usb-serial-option-add-telit-fd980-composition-0x1056.patch queue-4.14/media-rtl28xxu-fix-zero-length-control-request.patch queue-4.14/usb-serial-ch341-fix-character-loss-at-high-transfer-rates.patch queue-4.14/usb-serial-ftdi_sio-add-device-id-for-auto-m3-op-com-v2.patch