On Fri, Nov 21, 2025 at 04:23:31PM +0300, Nalivayko Sergey wrote:
syzbot reports a WARNING issue as below:
usb 1-1: BOGUS control dir, pipe 80000280 doesn't match bRequestType c0 WARNING: CPU: 0 PID: 5833 at drivers/usb/core/urb.c:413 usb_submit_urb+0x1112/0x1870 drivers/usb/core/urb.c:411
...
The issue occurs due to insufficient validation of data passed to the USB API. In the current implementation, the dtv5100 driver expects two I2C non-zero length messages for a combined write/read request. However, when only a single message is provided, the driver incorrectly processes message of size 1, passing a read data size of zero to the dtv5100_i2c_msg function.
Then why not fix the validation instead of trying to cope with invalid data in dtv5100_i2c_msg()?
When usb_control_msg() is called with a PIPEOUT type and a read length of zero, a mismatch error occurs between the operation type and the expected transfer direction in function usb_submit_urb. This is the trigger for warning.
Replace usb_control_msg() with usb_control_msg_recv() and usb_control_msg_send() to rely on the USB API for proper validation and prevent inconsistencies in the future.
The reason those two functions were created was to simplify the calling sequence by removing the need for callers to allocate temporary buffers -- not to do any extra validation. That reason don't seem to apply in this case.
It seems like there would be no need to change dtv5100_i2c_msg() at all if its inputs were properly vetted. Am I missing something?
Alan Stern