From patchwork Tue Dec 10 11:37:31 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Johan Hovold X-Patchwork-Id: 11281963 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 9219814E3 for ; Tue, 10 Dec 2019 11:38:33 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 709072073D for ; Tue, 10 Dec 2019 11:38:33 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1575977913; bh=NeE6MYZWFRkcp1EprbbpY6tYeXfa9fh1FICc3NB+rDQ=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=m8CnPGCuI7yxFFC1bxHXb5Y1u+zLoEdZDQvG1sykk09FkMgzSFiNuICaVzI1Tr/oM EIm+Np2ksopFmVf8J5nTnp27IlaCiBr7PKn1P1MgHOvNtt7sbzsKGksgPA/84+l7DV lmDy7aLWMdzlLDmClxZunjS5VO+Hfgqz7plCluI8= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727018AbfLJLhv (ORCPT ); Tue, 10 Dec 2019 06:37:51 -0500 Received: from mail-lf1-f66.google.com ([209.85.167.66]:39901 "EHLO mail-lf1-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727131AbfLJLhv (ORCPT ); Tue, 10 Dec 2019 06:37:51 -0500 Received: by mail-lf1-f66.google.com with SMTP id y1so2112150lfb.6; Tue, 10 Dec 2019 03:37:49 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=ZY93hUXgP9MdjxnR094b5yMFKUy+YydKGknr6vwPzSM=; b=ss7kiSP711gFTqT3iMckKzXWfkAlF1673Dcdou2O2mtfrZuvYxjTdzVQsHnwaAOBE2 1XteH/vRG8FgqbVHGMkc59Eff18IF6Aa9vO7toaySTYu0eBmZrWIoZixXRUhmP4ehaI+ K5YkfDSKYy/gyo0bzXeGuwwCluynVEtYverCYT/cHPAaX8zRDv71av4EjoADPWPI257B WhRfgBhoXf//i3Vbu0hzQIK8nV46hGkSR5vaGW9/U94lMTVhKYQTULLVU9XRg15bkNp4 jOTvcJsX+qMXA5NuZLtLoXcKORC2K1El87MwuxVpCEM7f6kr98y8o1ZC3GU62axh1YJo KUeQ== X-Gm-Message-State: APjAAAUILQC8W5G6lHq5zPsNxw6OM587jQqL0U2KKSDFAwCFLJj6Sf+c zkcy3iB39BS/XF7PRxO536M= X-Google-Smtp-Source: APXvYqzqUPnasg7TcmqZwZCL73CR6bdEW7PtC489KLUT5hWmCeetgNTRr1cvB2nHk0JBXWWB5Qq1tg== X-Received: by 2002:a19:6a06:: with SMTP id u6mr14684526lfu.187.1575977868601; Tue, 10 Dec 2019 03:37:48 -0800 (PST) Received: from xi.terra (c-14b8e655.07-184-6d6c6d4.bbcust.telenor.se. [85.230.184.20]) by smtp.gmail.com with ESMTPSA id f24sm1615955ljm.12.2019.12.10.03.37.47 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 10 Dec 2019 03:37:47 -0800 (PST) Received: from johan by xi.terra with local (Exim 4.92.3) (envelope-from ) id 1iedpt-00013j-QS; Tue, 10 Dec 2019 12:37:49 +0100 From: Johan Hovold To: Dmitry Torokhov Cc: linux-input@vger.kernel.org, linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, Johan Hovold , stable , Martin Kepplinger Subject: [PATCH 1/7] Input: pegasus_notetaker: fix endpoint sanity check Date: Tue, 10 Dec 2019 12:37:31 +0100 Message-Id: <20191210113737.4016-2-johan@kernel.org> X-Mailer: git-send-email 2.24.0 In-Reply-To: <20191210113737.4016-1-johan@kernel.org> References: <20191210113737.4016-1-johan@kernel.org> MIME-Version: 1.0 Sender: linux-input-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-input@vger.kernel.org The driver was checking the number of endpoints of the first alternate setting instead of the current one, something which could be used by a malicious device (or USB descriptor fuzzer) to trigger a NULL-pointer dereference. Fixes: 1afca2b66aac ("Input: add Pegasus Notetaker tablet driver") Cc: stable # 4.8 Cc: Martin Kepplinger Signed-off-by: Johan Hovold Acked-by: Martin Kepplinger --- drivers/input/tablet/pegasus_notetaker.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/input/tablet/pegasus_notetaker.c b/drivers/input/tablet/pegasus_notetaker.c index a1f3a0cb197e..38f087404f7a 100644 --- a/drivers/input/tablet/pegasus_notetaker.c +++ b/drivers/input/tablet/pegasus_notetaker.c @@ -275,7 +275,7 @@ static int pegasus_probe(struct usb_interface *intf, return -ENODEV; /* Sanity check that the device has an endpoint */ - if (intf->altsetting[0].desc.bNumEndpoints < 1) { + if (intf->cur_altsetting->desc.bNumEndpoints < 1) { dev_err(&intf->dev, "Invalid number of endpoints\n"); return -EINVAL; } From patchwork Tue Dec 10 11:37:32 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Johan Hovold X-Patchwork-Id: 11281955 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 2B88915AB for ; Tue, 10 Dec 2019 11:38:27 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 09CCF20838 for ; Tue, 10 Dec 2019 11:38:27 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1575977907; bh=IxACIjreGJ4j0wFz3T0BYh3M2Z/+AqaqcbugnaXpsow=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=vfPAlac9p+8vXGqzyUWfgR4twps8RDpefyZqkujrI2ZVbmcFmhdu6+ijr9z5OMYho btOjamwnL4EavQMamaErIIwqWf4Th7nbcfppPqxmstEFf/6CVVMKY2Ub5tt5rxI33P JgyXiC0NrKtRbDtQFTnNz3oS4v2xsFcMwozl/yuA= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727421AbfLJLhx (ORCPT ); Tue, 10 Dec 2019 06:37:53 -0500 Received: from mail-lf1-f65.google.com ([209.85.167.65]:37665 "EHLO mail-lf1-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727177AbfLJLhw (ORCPT ); Tue, 10 Dec 2019 06:37:52 -0500 Received: by mail-lf1-f65.google.com with SMTP id b15so13422351lfc.4; Tue, 10 Dec 2019 03:37:50 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=EqNpTSkza+eQj8K2xj20PlaT6wotGOHkK97zIiEKJAQ=; b=KzN0d8GZAC4erZ09TcavQa5ecG7zuCLKWzEsHufEPKzXWEpD7o7OvLVHQNe7kLHzLL TBhcXmxr6P6Uxj5Q8ZycE8uLfFx36xHj3ifYV1OFu7xhbitEi3ojQM0809wA25Jwh0QQ qm7eqUBevtU3etyWPLJgTkVM9VgOjiLRyAvTWu46WFsRr/aNQkjKTQ2KEvzy7+kyypPp Xmf6tCeYQQlDKGr1VZ3qEc2oA4w+RZT2IWsXDoq9tiRupRxg2la4TMVrVJquOXXfAVzB YTgMgqdTwe0lEMplzCmxp29hrfjY3i54mQitDc0kzwLHQzCgsj87AE3WRYOuqaV6CNJw U2fg== X-Gm-Message-State: APjAAAU0tx4GejOBDrFzK3stZCy3VQ0sEj+8gcaZjNAhdC6K4eZeuqGN raxKkmIPmv85sVbq/nWY2g/ed4vH X-Google-Smtp-Source: APXvYqz3AlE6wPReZrV2ucIUecMHpCKtz7S6dDKY5ME3aa+t3OyIfslalKBvUVIPeddGQ3/bulIcZQ== X-Received: by 2002:a19:cc49:: with SMTP id c70mr11667364lfg.73.1575977869953; Tue, 10 Dec 2019 03:37:49 -0800 (PST) Received: from xi.terra (c-14b8e655.07-184-6d6c6d4.bbcust.telenor.se. [85.230.184.20]) by smtp.gmail.com with ESMTPSA id u24sm1569296ljo.77.2019.12.10.03.37.47 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 10 Dec 2019 03:37:47 -0800 (PST) Received: from johan by xi.terra with local (Exim 4.92.3) (envelope-from ) id 1iedpt-00013n-Tc; Tue, 10 Dec 2019 12:37:49 +0100 From: Johan Hovold To: Dmitry Torokhov Cc: linux-input@vger.kernel.org, linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, Johan Hovold , stable , Vladis Dronov Subject: [PATCH 2/7] Input: aiptek: fix endpoint sanity check Date: Tue, 10 Dec 2019 12:37:32 +0100 Message-Id: <20191210113737.4016-3-johan@kernel.org> X-Mailer: git-send-email 2.24.0 In-Reply-To: <20191210113737.4016-1-johan@kernel.org> References: <20191210113737.4016-1-johan@kernel.org> MIME-Version: 1.0 Sender: linux-input-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-input@vger.kernel.org The driver was checking the number of endpoints of the first alternate setting instead of the current one, something which could lead to the driver binding to an invalid interface. This in turn could cause the driver to misbehave or trigger a WARN() in usb_submit_urb() that kernels with panic_on_warn set would choke on. Fixes: 8e20cf2bce12 ("Input: aiptek - fix crash on detecting device without endpoints") Cc: stable # 4.4 Cc: Vladis Dronov Signed-off-by: Johan Hovold --- drivers/input/tablet/aiptek.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/input/tablet/aiptek.c b/drivers/input/tablet/aiptek.c index 2ca586fb914f..06d0ffef4a17 100644 --- a/drivers/input/tablet/aiptek.c +++ b/drivers/input/tablet/aiptek.c @@ -1802,14 +1802,14 @@ aiptek_probe(struct usb_interface *intf, const struct usb_device_id *id) input_set_abs_params(inputdev, ABS_WHEEL, AIPTEK_WHEEL_MIN, AIPTEK_WHEEL_MAX - 1, 0, 0); /* Verify that a device really has an endpoint */ - if (intf->altsetting[0].desc.bNumEndpoints < 1) { + if (intf->cur_altsetting->desc.bNumEndpoints < 1) { dev_err(&intf->dev, "interface has %d endpoints, but must have minimum 1\n", - intf->altsetting[0].desc.bNumEndpoints); + intf->cur_altsetting->desc.bNumEndpoints); err = -EINVAL; goto fail3; } - endpoint = &intf->altsetting[0].endpoint[0].desc; + endpoint = &intf->cur_altsetting->endpoint[0].desc; /* Go set up our URB, which is called when the tablet receives * input. From patchwork Tue Dec 10 11:37:33 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Johan Hovold X-Patchwork-Id: 11281959 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 04DE015AB for ; Tue, 10 Dec 2019 11:38:32 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id CE9A62077B for ; Tue, 10 Dec 2019 11:38:31 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1575977911; bh=TSVeQs7JWEsxKy1hFyFhDjuN0iweEA/CFFVgV4fMmWI=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=imzvqcCF7cmqdT1xdYxYgTXSDfqpfBUdUNyAtOUPENlHFDp0CTgTX6Yp6Xhx/Yg2A F6lj6yDpNfDysVMpPWY1xVsfkmCE3EjMqc2gs9pxOmn7f40lelZWmZFpfF5pyTyabE 8qNzDCo0eiOczBlT9hNs/U7aMSWQto1idHAM2ABs= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727374AbfLJLi0 (ORCPT ); Tue, 10 Dec 2019 06:38:26 -0500 Received: from mail-lf1-f65.google.com ([209.85.167.65]:44783 "EHLO mail-lf1-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727385AbfLJLhx (ORCPT ); Tue, 10 Dec 2019 06:37:53 -0500 Received: by mail-lf1-f65.google.com with SMTP id v201so13397047lfa.11; Tue, 10 Dec 2019 03:37:51 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=9Vzfb7uq16SGhOTeNCkEKm8i/+IfT4zo8B8umjQrP2Q=; b=IDeMRsaa2bRO7A7b+lJmCIhd/DU1eXrvM2dFtJAreR/LxuZudurpQzsLi2aXTp+x9G TqlXr+s8hVvX2kqm7ay5Me3z112brDlAKgOCGxicWyX6hbIuf3cVerUFuaPaAo3pj/1V SipM4rnkamrOhBFGEf9yeL0hqAfsV8Buekc3HWz4XX4SKSoCpBveY+uHIeF1VsE21Egm BkV2Uz/MhLkRtLmgefHnKEq375+QlmJmtiVl0plMOB5wy6GDubsbsyA0GsU2aPv9fboD Lh3X2yX6QMDAz7BcUCm2KDKdZVVanapswk+BKNw4PzTgtkjRG1i0muqEJTzHmdiyVsOv z62Q== X-Gm-Message-State: APjAAAWG0IgexfTE4jX+o6GI0k0yBmjwjyfx6i35VkabOOgXWpQHSwK4 WsbX3FO5I1SblzE8DKSEW9KcC85e X-Google-Smtp-Source: APXvYqxkYaor8ZxGswMpVmxWvaZhxt0v514WJ5beneZnfPx7VLTil1pUVT4+cYcZwGtAESyfBdx7og== X-Received: by 2002:a19:7401:: with SMTP id v1mr18239687lfe.129.1575977871028; Tue, 10 Dec 2019 03:37:51 -0800 (PST) Received: from xi.terra (c-14b8e655.07-184-6d6c6d4.bbcust.telenor.se. [85.230.184.20]) by smtp.gmail.com with ESMTPSA id g6sm1623983lja.10.2019.12.10.03.37.47 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 10 Dec 2019 03:37:48 -0800 (PST) Received: from johan by xi.terra with local (Exim 4.92.3) (envelope-from ) id 1iedpu-00013s-0a; Tue, 10 Dec 2019 12:37:50 +0100 From: Johan Hovold To: Dmitry Torokhov Cc: linux-input@vger.kernel.org, linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, Johan Hovold Subject: [PATCH 3/7] Input: aiptek: use descriptors of current altsetting Date: Tue, 10 Dec 2019 12:37:33 +0100 Message-Id: <20191210113737.4016-4-johan@kernel.org> X-Mailer: git-send-email 2.24.0 In-Reply-To: <20191210113737.4016-1-johan@kernel.org> References: <20191210113737.4016-1-johan@kernel.org> MIME-Version: 1.0 Sender: linux-input-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-input@vger.kernel.org Make sure to always use the descriptors of the current alternate setting to avoid future issues when accessing fields that may differ between settings. Signed-off-by: Johan Hovold --- drivers/input/tablet/aiptek.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/input/tablet/aiptek.c b/drivers/input/tablet/aiptek.c index 06d0ffef4a17..e08b0ef078e8 100644 --- a/drivers/input/tablet/aiptek.c +++ b/drivers/input/tablet/aiptek.c @@ -1713,7 +1713,7 @@ aiptek_probe(struct usb_interface *intf, const struct usb_device_id *id) aiptek->inputdev = inputdev; aiptek->intf = intf; - aiptek->ifnum = intf->altsetting[0].desc.bInterfaceNumber; + aiptek->ifnum = intf->cur_altsetting->desc.bInterfaceNumber; aiptek->inDelay = 0; aiptek->endDelay = 0; aiptek->previousJitterable = 0; From patchwork Tue Dec 10 11:37:34 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Johan Hovold X-Patchwork-Id: 11281945 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 154B914BD for ; Tue, 10 Dec 2019 11:38:07 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id E844B21556 for ; Tue, 10 Dec 2019 11:38:06 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1575977887; bh=Q0jorCsltGwylbBIhu9LwIkUoXO0lNS7YFUltbjwJQA=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=pZNsUD0afv22SJOy9lNVduGFXTSlh+iizTqCJ/ApRbuPhzPUCR0Afwc25dMwDCloO TK9mI8wmBpdUBFfA7ZKRc7VqazDPIk/TiZqZlWQsekfh1k3YMdobnK+cD/zWiJRLc+ hZ1/UJySbd1HRqEGycM0iBhEbJ0en0rI41tUOmEc= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727531AbfLJLiF (ORCPT ); Tue, 10 Dec 2019 06:38:05 -0500 Received: from mail-lj1-f194.google.com ([209.85.208.194]:43633 "EHLO mail-lj1-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727434AbfLJLhz (ORCPT ); Tue, 10 Dec 2019 06:37:55 -0500 Received: by mail-lj1-f194.google.com with SMTP id a13so19475094ljm.10; Tue, 10 Dec 2019 03:37:53 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=H0ckkvmbuP0M6RAigoxMjD95QOpCoqkmvi2yCF+Kpfg=; b=e42vnHZIyrMoektAOGrEsvrUExgS0TMQ2gcqPtSlYy7ewXzHgHt1EnmtU11AstA8MV puQMdinf9AITU5xLn95JLvrEw7fHdkOozkhbUAbrgHdlJ3YMNUm0ZAhChgzeE3IHNWfV xG69zfOn3L5PP4mqFhHyLRJcjAEOjUPpLrv7OJl3JEeWPAfgBGW/Cy3vuTHYhRmyq8su RRAxgQLiW3ru6Iw0AuneqB/JVzWYAeQ73LnKNkbzGU8UKkjezduX5eRYj0m7X+OJEUXN V3JYVbgNmJGLDVOqaJKUU6XSx9fiIPLFRpPrzb/WghXhegQMD9m3/Nx02CZWzYHeNN2z +sDg== X-Gm-Message-State: APjAAAVptLHmiql00aVeZWurIfnr9X6EQyDUfJOsFJEYkzvr3fGKZM0J 2BZvvTJ9gtHwA73v0jI4eeNhgyrS X-Google-Smtp-Source: APXvYqwi1wEz7XIEpXMu/kzhK6QPZO1dEJNS67w1U/4kgV9xrjSipawTKdJ28IEhBXu5NGupE2kU3A== X-Received: by 2002:a2e:9987:: with SMTP id w7mr14897151lji.107.1575977872858; Tue, 10 Dec 2019 03:37:52 -0800 (PST) Received: from xi.terra (c-14b8e655.07-184-6d6c6d4.bbcust.telenor.se. [85.230.184.20]) by smtp.gmail.com with ESMTPSA id e21sm1736363lfc.63.2019.12.10.03.37.48 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 10 Dec 2019 03:37:51 -0800 (PST) Received: from johan by xi.terra with local (Exim 4.92.3) (envelope-from ) id 1iedpu-00013x-3X; Tue, 10 Dec 2019 12:37:50 +0100 From: Johan Hovold To: Dmitry Torokhov Cc: linux-input@vger.kernel.org, linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, Johan Hovold , stable , Vladis Dronov Subject: [PATCH 4/7] Input: gtco: fix endpoint sanity check Date: Tue, 10 Dec 2019 12:37:34 +0100 Message-Id: <20191210113737.4016-5-johan@kernel.org> X-Mailer: git-send-email 2.24.0 In-Reply-To: <20191210113737.4016-1-johan@kernel.org> References: <20191210113737.4016-1-johan@kernel.org> MIME-Version: 1.0 Sender: linux-input-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-input@vger.kernel.org The driver was checking the number of endpoints of the first alternate setting instead of the current one, something which could lead to the driver binding to an invalid interface. This in turn could cause the driver to misbehave or trigger a WARN() in usb_submit_urb() that kernels with panic_on_warn set would choke on. Fixes: 162f98dea487 ("Input: gtco - fix crash on detecting device without endpoints") Cc: stable # 4.6 Cc: Vladis Dronov Signed-off-by: Johan Hovold --- drivers/input/tablet/gtco.c | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/drivers/input/tablet/gtco.c b/drivers/input/tablet/gtco.c index 35031228a6d0..799c94dda651 100644 --- a/drivers/input/tablet/gtco.c +++ b/drivers/input/tablet/gtco.c @@ -875,18 +875,14 @@ static int gtco_probe(struct usb_interface *usbinterface, } /* Sanity check that a device has an endpoint */ - if (usbinterface->altsetting[0].desc.bNumEndpoints < 1) { + if (usbinterface->cur_altsetting->desc.bNumEndpoints < 1) { dev_err(&usbinterface->dev, "Invalid number of endpoints\n"); error = -EINVAL; goto err_free_urb; } - /* - * The endpoint is always altsetting 0, we know this since we know - * this device only has one interrupt endpoint - */ - endpoint = &usbinterface->altsetting[0].endpoint[0].desc; + endpoint = &usbinterface->cur_altsetting->endpoint[0].desc; /* Some debug */ dev_dbg(&usbinterface->dev, "gtco # interfaces: %d\n", usbinterface->num_altsetting); @@ -973,7 +969,7 @@ static int gtco_probe(struct usb_interface *usbinterface, input_dev->dev.parent = &usbinterface->dev; /* Setup the URB, it will be posted later on open of input device */ - endpoint = &usbinterface->altsetting[0].endpoint[0].desc; + endpoint = &usbinterface->cur_altsetting->endpoint[0].desc; usb_fill_int_urb(gtco->urbinfo, udev, From patchwork Tue Dec 10 11:37:35 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Johan Hovold X-Patchwork-Id: 11281943 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id AA39415AB for ; Tue, 10 Dec 2019 11:38:06 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 7F2FD207FF for ; Tue, 10 Dec 2019 11:38:06 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1575977886; bh=qvDEURgXf1zZaogVb2zqlt4yf7T+OeVJZgU818oEH2s=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=qCAL4RMVVDJQiiKhy9VG7iWad12Fn3gmwrDp9kBoVOINgRISMiasHsOLPlB+Cv5br qZuSYXOsmLU36SToJ12Muifi2GD6l2upSPqFtl0llIOr/EF3X3dIhM+NpaPPr3A7eZ fkDA4bvgcXCd5QoIUrU49qTajRMrQP2hqB0EzPTo= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727483AbfLJLh4 (ORCPT ); Tue, 10 Dec 2019 06:37:56 -0500 Received: from mail-lj1-f195.google.com ([209.85.208.195]:46403 "EHLO mail-lj1-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727444AbfLJLhz (ORCPT ); Tue, 10 Dec 2019 06:37:55 -0500 Received: by mail-lj1-f195.google.com with SMTP id z17so19422577ljk.13; Tue, 10 Dec 2019 03:37:53 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=BnAjIRm8SkZt82a6IZa+nqu/H+3MFQ2/VQwVjJgBPlk=; b=D76ZoydOozLVU1dlzUaTBmu/aiVkOE8bVPjlgLBGkXSC8lIp1jKwIX22w9Y5qWJZ4K A0XeOWCCDVQbJel5S2Uipef2TtVs08vdNm7K4I9jZooLuIP3o2imlJ6w4mh3yU+/8sau j0Y3tDTgwWxVRjJ23jROz9wJ8pdtS0oHgnu1eWwG7nZK/cJKLkvH7SnollXpvWj2ypuv qpy9FoDiIJ/6nT7lSUjI0YU4uhc1DVh5aB+h2550MIdn6cIbTx6XfNSMyTNrFVbZ3E6l z/vp7z3e5qqAX7VIwDf6OLjHoJbmtr98e0f9TiHSfltR7B1mRJ18VuXzXmK5lU3UOk82 vF6A== X-Gm-Message-State: APjAAAVoz+UAcDIQajuonS+zaLf8YxMtLx6D1VvSVdkBs4XLzd4/CWIV SWYutFAWUM1KaC2WhRatV8g= X-Google-Smtp-Source: APXvYqyoRA7zMtHIgITzo6HTBEJt5wOrrIL1Np5LvhalZ6iLRNxgTNgR1UhmzwiPQuNbWDN+9KJjkg== X-Received: by 2002:a2e:93c5:: with SMTP id p5mr17342392ljh.192.1575977873213; Tue, 10 Dec 2019 03:37:53 -0800 (PST) Received: from xi.terra (c-14b8e655.07-184-6d6c6d4.bbcust.telenor.se. [85.230.184.20]) by smtp.gmail.com with ESMTPSA id v7sm1394045lfa.10.2019.12.10.03.37.48 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 10 Dec 2019 03:37:51 -0800 (PST) Received: from johan by xi.terra with local (Exim 4.92.3) (envelope-from ) id 1iedpu-000144-6o; Tue, 10 Dec 2019 12:37:50 +0100 From: Johan Hovold To: Dmitry Torokhov Cc: linux-input@vger.kernel.org, linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, Johan Hovold Subject: [PATCH 5/7] Input: gtco: fix extra-descriptor debug message Date: Tue, 10 Dec 2019 12:37:35 +0100 Message-Id: <20191210113737.4016-6-johan@kernel.org> X-Mailer: git-send-email 2.24.0 In-Reply-To: <20191210113737.4016-1-johan@kernel.org> References: <20191210113737.4016-1-johan@kernel.org> MIME-Version: 1.0 Sender: linux-input-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-input@vger.kernel.org Make sure to use the current altsetting when printing size of any extra descriptors of the interface. Also fix the s/endpoint/interface/ mixup in the message itself. Signed-off-by: Johan Hovold --- drivers/input/tablet/gtco.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/input/tablet/gtco.c b/drivers/input/tablet/gtco.c index 799c94dda651..eef5946a6ba4 100644 --- a/drivers/input/tablet/gtco.c +++ b/drivers/input/tablet/gtco.c @@ -892,7 +892,8 @@ static int gtco_probe(struct usb_interface *usbinterface, if (usb_endpoint_xfer_int(endpoint)) dev_dbg(&usbinterface->dev, "endpoint: we have interrupt endpoint\n"); - dev_dbg(&usbinterface->dev, "endpoint extra len:%d\n", usbinterface->altsetting[0].extralen); + dev_dbg(&usbinterface->dev, "interface extra len:%d\n", + usbinterface->cur_altsetting->extralen); /* * Find the HID descriptor so we can find out the size of the From patchwork Tue Dec 10 11:37:36 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Johan Hovold X-Patchwork-Id: 11281939 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 64D2414E3 for ; Tue, 10 Dec 2019 11:38:04 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 42D02207FF for ; Tue, 10 Dec 2019 11:38:04 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1575977884; bh=dRQl+KcJF7mL4kd1EROTqjGxaPFQ77zNrBSs9JIZFaE=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=fIKKN8JrceZBHVPOGmWDrevav8RT3JixELn3ZfHfNlhZG1siE0AEmPEpS7+J0o6B2 WfLHTJ+WKNfCIVP502ur6yx4MatrBjf8ulltYKCNIZcmKJ0AcropmWhBhaegaH+ErO qzj2h7DFXr3q99aMymyB+LJ6g10XsY4jpRCx/Awo= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727508AbfLJLh6 (ORCPT ); Tue, 10 Dec 2019 06:37:58 -0500 Received: from mail-lj1-f193.google.com ([209.85.208.193]:41080 "EHLO mail-lj1-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727467AbfLJLh4 (ORCPT ); Tue, 10 Dec 2019 06:37:56 -0500 Received: by mail-lj1-f193.google.com with SMTP id h23so19462041ljc.8; Tue, 10 Dec 2019 03:37:55 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=TGONKFKCYbqiEX3DExtl3ks0dQN/C/p6ASZk392VZQ8=; b=G9aBaRVQwJ53U7co8JCrRgSLKFmQwReSdtcxni0HBtBEeDCbPWLH1xhLVbhibxLSyR gjmxDMSZu6uOkFgCIXDhKDF/GqtfLQkU9df5FYSGPMJU10gANLkBfOMhdAf2kJDg5jtL vnf2XGDe2ldxd1qj8eRlZAGzmc2rsh5iHUY0tbjf5zgnMmZLz83XCeQLI1LLGZtonRmz bJ2AGRSFFO57kxUeEUoL5zBxhTBd8TMOEuJVcaA45dOWlFlfg6xzkTWMW5txyFDO8rGt /pDEiQw4li/r8OXdee7rTCOBGmdhW+CIrtJg9VLuRbuEhJ9gZc08KI6DZdmWl5Wr3z5l SHDw== X-Gm-Message-State: APjAAAVowecMeoz773NYCWqs3mrpuBxL8RJFo6JbAWL4yfpVLZVrmemq MR6da7vIzZoyNB2izOnEGKtHxt2I X-Google-Smtp-Source: APXvYqyqaOiuo38RmYodGLQPrNI3fRmPmtb0hrtSlb53u1NW3HrlEbQlCo1FtioTbrMd91nFnwnljA== X-Received: by 2002:a2e:91c1:: with SMTP id u1mr20145358ljg.181.1575977874402; Tue, 10 Dec 2019 03:37:54 -0800 (PST) Received: from xi.terra (c-14b8e655.07-184-6d6c6d4.bbcust.telenor.se. [85.230.184.20]) by smtp.gmail.com with ESMTPSA id z7sm1698158lfa.81.2019.12.10.03.37.48 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 10 Dec 2019 03:37:51 -0800 (PST) Received: from johan by xi.terra with local (Exim 4.92.3) (envelope-from ) id 1iedpu-000149-9v; Tue, 10 Dec 2019 12:37:50 +0100 From: Johan Hovold To: Dmitry Torokhov Cc: linux-input@vger.kernel.org, linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, Johan Hovold Subject: [PATCH 6/7] Input: gtco: drop redundant variable reinit Date: Tue, 10 Dec 2019 12:37:36 +0100 Message-Id: <20191210113737.4016-7-johan@kernel.org> X-Mailer: git-send-email 2.24.0 In-Reply-To: <20191210113737.4016-1-johan@kernel.org> References: <20191210113737.4016-1-johan@kernel.org> MIME-Version: 1.0 Sender: linux-input-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-input@vger.kernel.org Drop the second, redundant reinitialisation of the endpoint-descriptor pointer from probe. Signed-off-by: Johan Hovold --- drivers/input/tablet/gtco.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/drivers/input/tablet/gtco.c b/drivers/input/tablet/gtco.c index eef5946a6ba4..96d65575f75a 100644 --- a/drivers/input/tablet/gtco.c +++ b/drivers/input/tablet/gtco.c @@ -970,8 +970,6 @@ static int gtco_probe(struct usb_interface *usbinterface, input_dev->dev.parent = &usbinterface->dev; /* Setup the URB, it will be posted later on open of input device */ - endpoint = &usbinterface->cur_altsetting->endpoint[0].desc; - usb_fill_int_urb(gtco->urbinfo, udev, usb_rcvintpipe(udev, From patchwork Tue Dec 10 11:37:37 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Johan Hovold X-Patchwork-Id: 11281949 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id D4C2514E3 for ; Tue, 10 Dec 2019 11:38:14 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id B3B5720828 for ; Tue, 10 Dec 2019 11:38:14 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1575977894; bh=jnqG6qrJA03sFgDKpKwGlZp+vI8IzN9r5vJ9YDbx3DQ=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=vsFfNOZGQEcmtBWNqo4mZPW0D5XqS9FVSHjYKn5GyhELdppfxstYuD47bJav63qZm zFofbmqvnw8j18RPEXcgqJsJAwMepaWKrbpfjWdDCPlH22K1ue84AFIoJWDB/ez+P7 tyJ+/L6WV8boXKU/qXEm1mrz5m9miQSoy/1N2zkg= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727434AbfLJLiO (ORCPT ); Tue, 10 Dec 2019 06:38:14 -0500 Received: from mail-lf1-f66.google.com ([209.85.167.66]:39907 "EHLO mail-lf1-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727407AbfLJLhy (ORCPT ); Tue, 10 Dec 2019 06:37:54 -0500 Received: by mail-lf1-f66.google.com with SMTP id y1so2112276lfb.6; Tue, 10 Dec 2019 03:37:52 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=gizESJPdbXxmJNJeGwhGZnMnlbvzjtAzhsJxIVT6qdY=; b=mwNvFNSxoM7/7S0054957ZfHrptP32CUtj0SL5MQ2LCqMZpWqhaTub7ZBuQVNoWAc5 T+fJZx/duFNzSvLbW3klt1nae6s7wLMscazySjVkSb7UuvTx+F20g/94fiPUCEzpEMTH 7xleGnqBqX1GDDzoQduPZUqwuMY42azI46xTLfAXBIGvkNGCDlf7XVCwVy+ugBar1cIM u3rMWmfVhafIcLnLxU7pU5ZMsdAbZqSCeoGoIhq6TYDmyurJwMyjAQKYSeu0LU9qKP71 3ODcNSJgKaNuZ96edUzvWFZI+DeKkfYIjh6Z/T3dJ5Hi0UZ7d7ADXMrmrzgegoi3dwDj bn4w== X-Gm-Message-State: APjAAAXKGCKnTwa/WY4hRf4ycaQvUTyGkSXfDLcCPqArF58HrvGkFS8P wQL5+bO2SNTXXH55Yl+MtXCr1fQA X-Google-Smtp-Source: APXvYqy6D+qpHF61I1Tn+xu/XYGTKK0i1vpyVAhneBoDXI+DraQ+/PosTwlLTDMvhQC2Yk4jQocOGw== X-Received: by 2002:a19:2389:: with SMTP id j131mr17056148lfj.86.1575977871489; Tue, 10 Dec 2019 03:37:51 -0800 (PST) Received: from xi.terra (c-14b8e655.07-184-6d6c6d4.bbcust.telenor.se. [85.230.184.20]) by smtp.gmail.com with ESMTPSA id 207sm1941884ljj.72.2019.12.10.03.37.47 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 10 Dec 2019 03:37:49 -0800 (PST) Received: from johan by xi.terra with local (Exim 4.92.3) (envelope-from ) id 1iedpu-00014F-Cx; Tue, 10 Dec 2019 12:37:50 +0100 From: Johan Hovold To: Dmitry Torokhov Cc: linux-input@vger.kernel.org, linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, Johan Hovold , stable , Florian Echtler Subject: [PATCH 7/7] Input: sur40: fix interface sanity checks Date: Tue, 10 Dec 2019 12:37:37 +0100 Message-Id: <20191210113737.4016-8-johan@kernel.org> X-Mailer: git-send-email 2.24.0 In-Reply-To: <20191210113737.4016-1-johan@kernel.org> References: <20191210113737.4016-1-johan@kernel.org> MIME-Version: 1.0 Sender: linux-input-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-input@vger.kernel.org Make sure to use the current alternate setting when verifying the interface descriptors to avoid binding to an invalid interface. This in turn could cause the driver to misbehave or trigger a WARN() in usb_submit_urb() that kernels with panic_on_warn set would choke on. Fixes: bdb5c57f209c ("Input: add sur40 driver for Samsung SUR40 (aka MS Surface 2.0/Pixelsense)") Cc: stable # 3.13 Cc: Florian Echtler Signed-off-by: Johan Hovold --- drivers/input/touchscreen/sur40.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/input/touchscreen/sur40.c b/drivers/input/touchscreen/sur40.c index 1dd47dda71cd..34d31c7ec8ba 100644 --- a/drivers/input/touchscreen/sur40.c +++ b/drivers/input/touchscreen/sur40.c @@ -661,7 +661,7 @@ static int sur40_probe(struct usb_interface *interface, int error; /* Check if we really have the right interface. */ - iface_desc = &interface->altsetting[0]; + iface_desc = interface->cur_altsetting; if (iface_desc->desc.bInterfaceClass != 0xFF) return -ENODEV;