Message ID | 20220829123959.21298-1-soumya.negi97@gmail.com (mailing list archive) |
---|---|
State | New, archived |
Headers | show |
Series | Input: Check sanity of endpoint in pegasus_open() | expand |
On Mon, Aug 29, 2022 at 05:39:59AM -0700, Soumya Negi wrote: > Fix WARNING in pegasus_open/usb_submit_urb > Syzbot bug: https://syzkaller.appspot.com/bug?id=bbc107584dcf3262253ce93183e51f3612aaeb13 > > Add sanity check of endpoint for Pegasus URB in pegasus_open() so that > transfer requests for bogus URBs are not submitted. If the URB is bogus > pegasus_open() will fail. > > Reported-by: syzbot+04ee0cb4caccaed12d78@syzkaller.appspotmail.com > Signed-off-by: Soumya Negi <soumya.negi97@gmail.com> > --- > drivers/input/tablet/pegasus_notetaker.c | 9 +++++++++ > 1 file changed, 9 insertions(+) > > diff --git a/drivers/input/tablet/pegasus_notetaker.c b/drivers/input/tablet/pegasus_notetaker.c > index c608ac505d1b..5e47882ee4c0 100644 > --- a/drivers/input/tablet/pegasus_notetaker.c > +++ b/drivers/input/tablet/pegasus_notetaker.c > @@ -225,6 +225,15 @@ static int pegasus_open(struct input_dev *dev) > > mutex_lock(&pegasus->pm_mutex); > pegasus->irq->dev = pegasus->usbdev; > + > + /* Sanity check of endpoint in Pegasus URB */ > + error = usb_urb_ep_type_check(pegasus->irq); That is not checking for the type of the endpoint, so are you sure this works? And this should happen at probe time, not when the device is opened. thanks, greg k-h
diff --git a/drivers/input/tablet/pegasus_notetaker.c b/drivers/input/tablet/pegasus_notetaker.c index c608ac505d1b..5e47882ee4c0 100644 --- a/drivers/input/tablet/pegasus_notetaker.c +++ b/drivers/input/tablet/pegasus_notetaker.c @@ -225,6 +225,15 @@ static int pegasus_open(struct input_dev *dev) mutex_lock(&pegasus->pm_mutex); pegasus->irq->dev = pegasus->usbdev; + + /* Sanity check of endpoint in Pegasus URB */ + error = usb_urb_ep_type_check(pegasus->irq); + if (error) { + dev_err(&pegasus->usbdev->dev, + "URB failed endpoint sanity check: %d\n", error); + goto err_autopm_put; + } + if (usb_submit_urb(pegasus->irq, GFP_KERNEL)) { error = -EIO; goto err_autopm_put;
Fix WARNING in pegasus_open/usb_submit_urb Syzbot bug: https://syzkaller.appspot.com/bug?id=bbc107584dcf3262253ce93183e51f3612aaeb13 Add sanity check of endpoint for Pegasus URB in pegasus_open() so that transfer requests for bogus URBs are not submitted. If the URB is bogus pegasus_open() will fail. Reported-by: syzbot+04ee0cb4caccaed12d78@syzkaller.appspotmail.com Signed-off-by: Soumya Negi <soumya.negi97@gmail.com> --- drivers/input/tablet/pegasus_notetaker.c | 9 +++++++++ 1 file changed, 9 insertions(+)