On Fri, May 21, 2021 at 03:17:46PM +0200, Johan Hovold wrote:

On Fri, May 21, 2021 at 10:03:26AM +0200, Johan Hovold wrote:

quoted

So first, this should probably be rate limited.

This could actually be done using WARN_ON_ONCE() as we don't have to
worry about syzbot fuzzing descriptors here (all control endpoints are
bidirectional).

quoted

Second, did you try to estimate how many call sites that get this wrong?
I always felt a bit pedantic when pointing out that the pipe direction
should match the request type to driver author's during review when (in
almost all cases?) this hasn't really mattered. I fear we may have
accumulated a fairly large number of these mismatches over the years but
I haven't verified that.

I did a quick review of all ctrlpipe-macro uses in usb/misc and
usb/serial and found two instances.

A simple grep pattern looking for explicit USB_DIR/ctrlpipe mismatches
caught another five tree wide (not including the
sound/usb/mixer_scarlett_gen2.c which Geoffrey reported), but there are
likely more of those out there as the request type is often not that
explicit.

I've prepared patches for the above, excluding the sound driver Geoffrey
said he was fixing.

Many thanks for making the effort to do this.

Alan Stern