summaryrefslogtreecommitdiffstats
path: root/drivers/hid
diff options
context:
space:
mode:
authorAlan Stern <stern@rowland.harvard.edu>2021-09-01 18:36:00 +0200
committerJiri Kosina <jkosina@suse.cz>2021-09-01 20:52:31 +0200
commit0a824efdb724e07574bafcd2c2486b2a3de35ff6 (patch)
tree1b0db6fa8d983cb67b797336139cf8125e9f10b2 /drivers/hid
parentHID: usbhid: Fix flood of "control queue full" messages (diff)
downloadlinux-0a824efdb724e07574bafcd2c2486b2a3de35ff6.tar.xz
linux-0a824efdb724e07574bafcd2c2486b2a3de35ff6.zip
HID: usbhid: Fix warning caused by 0-length input reports
Syzbot found a warning caused by hid_submit_ctrl() submitting a control request to transfer a 0-length input report: usb 1-1: BOGUS control dir, pipe 80000280 doesn't match bRequestType a1 (The warning message is a little difficult to understand. It means that the control request claims to be for an IN transfer but this contradicts the USB spec, which requires 0-length control transfers always to be in the OUT direction.) Now, a zero-length report isn't good for anything and there's no reason for a device to have one, but the fuzzer likes to pick out these weird edge cases. In the future, perhaps we will decide to reject 0-length reports at probe time. For now, the simplest approach for avoiding these warnings is to pretend that the report actually has length 1. Signed-off-by: Alan Stern <stern@rowland.harvard.edu> Reported-and-tested-by: syzbot+9b57a46bf1801ce2a2ca@syzkaller.appspotmail.com Tested-by: Oleksandr Natalenko <oleksandr@natalenko.name> Tested-by: Benjamin Tissoires <benjamin.tissoires@redhat.com> Acked-by: Benjamin Tissoires <benjamin.tissoires@redhat.com> Cc: stable@vger.kernel.org Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Diffstat (limited to 'drivers/hid')
-rw-r--r--drivers/hid/usbhid/hid-core.c1
1 files changed, 1 insertions, 0 deletions
diff --git a/drivers/hid/usbhid/hid-core.c b/drivers/hid/usbhid/hid-core.c
index 6b8690878435..c56cb03c1551 100644
--- a/drivers/hid/usbhid/hid-core.c
+++ b/drivers/hid/usbhid/hid-core.c
@@ -389,6 +389,7 @@ static int hid_submit_ctrl(struct hid_device *hid)
maxpacket = usb_maxpacket(hid_to_usb_dev(hid),
usbhid->urbctrl->pipe, 0);
if (maxpacket > 0) {
+ len += (len == 0); /* Don't allow 0-length reports */
len = DIV_ROUND_UP(len, maxpacket);
len *= maxpacket;
if (len > usbhid->bufsize)