[PATCH 5.14 08/14] HID: usbhid: Fix warning caused by 0-length input reports

From: Greg Kroah-Hartman
Date: Mon Sep 06 2021 - 09:00:11 EST


From: Alan Stern <stern@xxxxxxxxxxxxxxxxxxx>

commit 0a824efdb724e07574bafcd2c2486b2a3de35ff6 upstream.

Syzbot found a warning caused by hid_submit_ctrl() submitting a
control request to transfer a 0-length input report:

usb 1-1: BOGUS control dir, pipe 80000280 doesn't match bRequestType a1

(The warning message is a little difficult to understand. It means
that the control request claims to be for an IN transfer but this
contradicts the USB spec, which requires 0-length control transfers
always to be in the OUT direction.)

Now, a zero-length report isn't good for anything and there's no
reason for a device to have one, but the fuzzer likes to pick out
these weird edge cases. In the future, perhaps we will decide to
reject 0-length reports at probe time. For now, the simplest approach
for avoiding these warnings is to pretend that the report actually has
length 1.

Signed-off-by: Alan Stern <stern@xxxxxxxxxxxxxxxxxxx>
Reported-and-tested-by: syzbot+9b57a46bf1801ce2a2ca@xxxxxxxxxxxxxxxxxxxxxxxxx
Tested-by: Oleksandr Natalenko <oleksandr@xxxxxxxxxxxxxx>
Tested-by: Benjamin Tissoires <benjamin.tissoires@xxxxxxxxxx>
Acked-by: Benjamin Tissoires <benjamin.tissoires@xxxxxxxxxx>
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Jiri Kosina <jkosina@xxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
drivers/hid/usbhid/hid-core.c | 1 +
1 file changed, 1 insertion(+)

--- a/drivers/hid/usbhid/hid-core.c
+++ b/drivers/hid/usbhid/hid-core.c
@@ -389,6 +389,7 @@ static int hid_submit_ctrl(struct hid_de
maxpacket = usb_maxpacket(hid_to_usb_dev(hid),
usbhid->urbctrl->pipe, 0);
if (maxpacket > 0) {
+ len += (len == 0); /* Don't allow 0-length reports */
len = DIV_ROUND_UP(len, maxpacket);
len *= maxpacket;
if (len > usbhid->bufsize)