From 9260f15e0ad0a8140b2b43b2c02d0cc1296a05d9 Mon Sep 17 00:00:00 2001 From: Alan Stern Date: Wed, 1 Sep 2021 12:36:00 -0400 Subject: [PATCH] HID: usbhid: Fix warning caused by 0-length input reports commit 0a824efdb724e07574bafcd2c2486b2a3de35ff6 upstream. Syzbot found a warning caused by hid_submit_ctrl() submitting a control request to transfer a 0-length input report: usb 1-1: BOGUS control dir, pipe 80000280 doesn't match bRequestType a1 (The warning message is a little difficult to understand. It means that the control request claims to be for an IN transfer but this contradicts the USB spec, which requires 0-length control transfers always to be in the OUT direction.) Now, a zero-length report isn't good for anything and there's no reason for a device to have one, but the fuzzer likes to pick out these weird edge cases. In the future, perhaps we will decide to reject 0-length reports at probe time. For now, the simplest approach for avoiding these warnings is to pretend that the report actually has length 1. Signed-off-by: Alan Stern Reported-and-tested-by: syzbot+9b57a46bf1801ce2a2ca@syzkaller.appspotmail.com Tested-by: Oleksandr Natalenko Tested-by: Benjamin Tissoires Acked-by: Benjamin Tissoires Cc: stable@vger.kernel.org Signed-off-by: Jiri Kosina Signed-off-by: Greg Kroah-Hartman --- drivers/hid/usbhid/hid-core.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/hid/usbhid/hid-core.c b/drivers/hid/usbhid/hid-core.c index ef240ef63a664..b234958f883a4 100644 --- a/drivers/hid/usbhid/hid-core.c +++ b/drivers/hid/usbhid/hid-core.c @@ -389,6 +389,7 @@ static int hid_submit_ctrl(struct hid_device *hid) maxpacket = usb_maxpacket(hid_to_usb_dev(hid), usbhid->urbctrl->pipe, 0); if (maxpacket > 0) { + len += (len == 0); /* Don't allow 0-length reports */ len = DIV_ROUND_UP(len, maxpacket); len *= maxpacket; if (len > usbhid->bufsize)