[PATCH] media: dtv5100: fix BOGUS control dir warning on 0-length reads

Szymon Wilczek posted 1 patch 1 month, 2 weeks ago
drivers/media/usb/dvb-usb/dtv5100.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
Posted by Szymon Wilczek 1 month, 2 weeks ago
The kernel's usb_submit_urb() validates that 0-length control transfers
use an OUT pipe, since there is no data stage direction to enforce.

The dtv5100 driver uses usb_rcvctrlpipe() (IN pipe) for all reads,
including 0-length ones (when rlen is 0). This triggers the 'BOGUS
control dir' warning in usb_submit_urb().

Fix this by using usb_sndctrlpipe() (OUT pipe) when rlen is 0,
satisfying the kernel's validation while maintaining correct protocol
behavior for Setup packets.

Reported-by: syzbot+e6a50a2e7cbb4f775d04@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=e6a50a2e7cbb4f775d04
Signed-off-by: Szymon Wilczek <swilczek.lx@gmail.com>
---
 drivers/media/usb/dvb-usb/dtv5100.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/media/usb/dvb-usb/dtv5100.c b/drivers/media/usb/dvb-usb/dtv5100.c
index c448e2ebda1a..a16406cc8db7 100644
--- a/drivers/media/usb/dvb-usb/dtv5100.c
+++ b/drivers/media/usb/dvb-usb/dtv5100.c
@@ -62,8 +62,8 @@ static int dtv5100_i2c_msg(struct dvb_usb_device *d, u8 addr,
 
 	memcpy(st->data, rbuf, rlen);
 	msleep(1); /* avoid I2C errors */
-	return usb_control_msg(d->udev, pipe, request,
-			       type, value, index, st->data, rlen,
+	return usb_control_msg(d->udev, rlen ? pipe : usb_sndctrlpipe(d->udev, 0),
+			       request, type, value, index, st->data, rlen,
 			       DTV5100_USB_TIMEOUT);
 }
 
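Review bot: The pipe override in the usb_control_msg() call is buried in the argument list with no comment, and `type` is still passed unchanged, so a zero-length read now goes out on an OUT pipe with whatever direction bit `type` carries. The commit message says this is intended, but a reader of the code alone will not know why the pipe is swapped here. Consider making the choice before the call, for example `if (!rlen) pipe = usb_sndctrlpipe(d->udev, 0);`, with a one-line comment stating that usb_submit_urb() requires an OUT pipe for 0-length control transfers. That also keeps the call's first line from growing past 80 columns.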
-- 
2.52.0