[lvc-project] [PATCH v2] dvb-usb: dtv5100: rewrite i2c message usb_control send/recv

[Alan Stern]

On Fri, Nov 21, 2025 at 04:23:31PM +0300, Nalivayko Sergey wrote:
> syzbot reports a WARNING issue as below:
> 
> usb 1-1: BOGUS control dir, pipe 80000280 doesn't match bRequestType c0
> WARNING: CPU: 0 PID: 5833 at drivers/usb/core/urb.c:413 usb_submit_urb+0x1112/0x1870 drivers/usb/core/urb.c:411

...

> The issue occurs due to insufficient validation of data passed to the USB API.
> In the current implementation, the dtv5100 driver expects two I2C non-zero 
> length messages for a combined write/read request. However, when 
> only a single message is provided, the driver incorrectly processes message
> of size 1, passing a read data size of zero to the dtv5100_i2c_msg function.

Then why not fix the validation instead of trying to cope with invalid 
data in dtv5100_i2c_msg()?

> When usb_control_msg() is called with a PIPEOUT type and a read length of
> zero, a mismatch error occurs between the operation type and the expected
> transfer direction in function usb_submit_urb. This is the trigger
> for warning.
> 
> Replace usb_control_msg() with usb_control_msg_recv() and
> usb_control_msg_send() to rely on the USB API for proper validation and
> prevent inconsistencies in the future.

The reason those two functions were created was to simplify the calling 
sequence by removing the need for callers to allocate temporary buffers 
-- not to do any extra validation.  That reason don't seem to apply in 
this case.

It seems like there would be no need to change dtv5100_i2c_msg() at all 
if its inputs were properly vetted.  Am I missing something?

Alan Stern