[PATCH] media: dvb: usb: Fix WARNING in dib0700_i2c_xfer/usb_submit_urb

From: Alan Stern
Date: Tue Mar 25 2025 - 15:32:46 EST

Next message: Enrique Isidoro Vazquez Ramos: "[PATCH] thermal: amlogic: Rename Uptat to uptat to follow kernel coding style"
Previous message: Florian Fainelli: "[PATCH stable 5.4 v2 2/2] openvswitch: fix lockup on tx to unregistering netdev with carrier"
In reply to: syzbot: "Re: [syzbot] [usb?] WARNING in dib0700_i2c_xfer/usb_submit_urb"
Next in thread: Wolfram Sang: "Re: [PATCH] media: dvb: usb: Fix WARNING in dib0700_i2c_xfer/usb_submit_urb"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

The syzbot fuzzer reported a WARNING related to the dib0700 dvb-usb
driver:

usb 1-1: BOGUS control dir, pipe 80000f80 doesn't match bRequestType c0
WARNING: CPU: 1 PID: 5901 at drivers/usb/core/urb.c:413 usb_submit_urb+0x11d9/0x18c0 drivers/usb/core/urb.c:411
...
Call Trace:
<TASK>
usb_start_wait_urb+0x113/0x520 drivers/usb/core/message.c:59
usb_internal_control_msg drivers/usb/core/message.c:103 [inline]
usb_control_msg+0x2b1/0x4c0 drivers/usb/core/message.c:154
dib0700_ctrl_rd drivers/media/usb/dvb-usb/dib0700_core.c:95 [inline]
dib0700_i2c_xfer_legacy drivers/media/usb/dvb-usb/dib0700_core.c:315 [inline]
dib0700_i2c_xfer+0xc53/0x1060 drivers/media/usb/dvb-usb/dib0700_core.c:361
__i2c_transfer+0x866/0x2220
i2c_transfer+0x271/0x3b0 drivers/i2c/i2c-core-base.c:2315
i2cdev_ioctl_rdwr+0x452/0x710 drivers/i2c/i2c-dev.c:306
i2cdev_ioctl+0x759/0x9f0 drivers/i2c/i2c-dev.c:467
vfs_ioctl fs/ioctl.c:51 [inline]

Evidently the fuzzer submitted an I2C transfer containing a length-0
read message. The dib0700 driver translated this more or less
literally into a length-0 USB read request. But the USB protocol does
not allow reads to have length 0; all length-0 transfers are
considered to be writes. Hence the WARNING above.

Fix the problem by adding the I2C_AQ_NO_ZERO_LEN_READ adapter quirk
flag to all the USB I2C adapter devices managed by dvb-usb-i2c.c,
following Wolfram Sang's suggestion. This tells the I2C core not to
allow length-0 read messages.

Reported-by: syzbot+c38e5e60d0041a99dbf5@xxxxxxxxxxxxxxxxxxxxxxxxx
Tested-by: syzbot+c38e5e60d0041a99dbf5@xxxxxxxxxxxxxxxxxxxxxxxxx
Suggested-by: Wolfram Sang <wsa+renesas@xxxxxxxxxxxxxxxxxxxx>
Signed-off-by: Alan Stern <stern@xxxxxxxxxxxxxxxxxxx>
Link: https://lore.kernel.org/linux-usb/67e1a1f5.050a0220.a7ebc.0029.GAE@xxxxxxxxxx/

---

Index: usb-devel/drivers/media/usb/dvb-usb/dvb-usb-i2c.c
===================================================================
--- usb-devel.orig/drivers/media/usb/dvb-usb/dvb-usb-i2c.c
+++ usb-devel/drivers/media/usb/dvb-usb/dvb-usb-i2c.c
@@ -10,6 +10,9 @@

int dvb_usb_i2c_init(struct dvb_usb_device *d)
{
+ static const struct i2c_adapter_quirks i2c_usb_quirks = {
+ .flags = I2C_AQ_NO_ZERO_LEN_READ,
+ };
int ret = 0;

if (!(d->props.caps & DVB_USB_IS_AN_I2C_ADAPTER))
@@ -24,6 +27,7 @@ int dvb_usb_i2c_init(struct dvb_usb_devi
strscpy(d->i2c_adap.name, d->desc->name, sizeof(d->i2c_adap.name));
d->i2c_adap.algo = d->props.i2c_algo;
d->i2c_adap.algo_data = NULL;
+ d->i2c_adap.quirks = &i2c_usb_quirks;
d->i2c_adap.dev.parent = &d->udev->dev;

i2c_set_adapdata(&d->i2c_adap, d);

Next message: Enrique Isidoro Vazquez Ramos: "[PATCH] thermal: amlogic: Rename Uptat to uptat to follow kernel coding style"
Previous message: Florian Fainelli: "[PATCH stable 5.4 v2 2/2] openvswitch: fix lockup on tx to unregistering netdev with carrier"
In reply to: syzbot: "Re: [syzbot] [usb?] WARNING in dib0700_i2c_xfer/usb_submit_urb"
Next in thread: Wolfram Sang: "Re: [PATCH] media: dvb: usb: Fix WARNING in dib0700_i2c_xfer/usb_submit_urb"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]