CVE-2022-49937

In the Linux kernel, the following vulnerability has been resolved:

media: mceusb: Use new usbcontrolmsg_*() routines

Automatic kernel fuzzing led to a WARN about invalid pipe direction in the mceusb driver:

------------[ cut here ]------------ usb 6-1: BOGUS control dir, pipe 80000380 doesn't match bRequestType 40 WARNING: CPU: 0 PID: 2465 at drivers/usb/core/urb.c:410 usbsubmiturb+0x1326/0x1820 drivers/usb/core/urb.c:410 Modules linked in: CPU: 0 PID: 2465 Comm: kworker/0:2 Not tainted 5.19.0-rc4-00208-g69cb6c6556ad #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 Workqueue: usbhubwq hubevent RIP: 0010:usbsubmiturb+0x1326/0x1820 drivers/usb/core/urb.c:410 Code: 7c 24 40 e8 ac 23 91 fd 48 8b 7c 24 40 e8 b2 70 1b ff 45 89 e8 44 89 f1 4c 89 e2 48 89 c6 48 c7 c7 a0 30 a9 86 e8 48 07 11 02 <0f> 0b e9 1c f0 ff ff e8 7e 23 91 fd 0f b6 1d 63 22 83 05 31 ff 41 RSP: 0018:ffffc900032becf0 EFLAGS: 00010282 RAX: 0000000000000000 RBX: ffff8881100f3058 RCX: 0000000000000000 RDX: ffffc90004961000 RSI: ffff888114c6d580 RDI: fffff52000657d90 RBP: ffff888105ad90f0 R08: ffffffff812c3638 R09: 0000000000000000 R10: 0000000000000005 R11: ffffed1023504ef1 R12: ffff888105ad9000 R13: 0000000000000040 R14: 0000000080000380 R15: ffff88810ba96500 FS: 0000000000000000(0000) GS:ffff88811a800000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007ffe810bda58 CR3: 000000010b720000 CR4: 0000000000350ef0 Call Trace: <TASK> usbstartwaiturb+0x101/0x4c0 drivers/usb/core/message.c:58 usbinternalcontrolmsg drivers/usb/core/message.c:102 [inline] usbcontrolmsg+0x31c/0x4a0 drivers/usb/core/message.c:153 mceusbgen1init drivers/media/rc/mceusb.c:1431 [inline] mceusbdev_probe+0x258e/0x33f0 drivers/media/rc/mceusb.c:1807

The reason for the warning is clear enough; the driver sends an unusual read request on endpoint 0 but does not set the USBDIRIN bit in the bRequestType field.

More importantly, the whole situation can be avoided and the driver simplified by converting it over to the relatively new usbcontrolmsgrecv() and usbcontrolmsgsend() routines. That's what this fix does.