From patchwork Tue Dec 10 11:37:31 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Johan Hovold X-Patchwork-Id: 11281961 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 357D114BD for ; Tue, 10 Dec 2019 11:38:33 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 13F2B2073B for ; Tue, 10 Dec 2019 11:38:33 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1575977913; bh=NeE6MYZWFRkcp1EprbbpY6tYeXfa9fh1FICc3NB+rDQ=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=JkCw096yC1qBhl1W8L9kO7+nwiF/87vjwpVviG5hUblBxbTHEsO5cR5kZ4YhTCY1c h16doVsWD4oVXuO2gX4o7iin1VxJjPV4DZzTx3JPQpdFpAAEqNI1TyUpCXmW+UD7WE aqDoDjxGadGWCSG6TFk6o6XOfa0xYUL8s3p+Ez8E= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727381AbfLJLhv (ORCPT ); Tue, 10 Dec 2019 06:37:51 -0500 Received: from mail-lf1-f66.google.com ([209.85.167.66]:39901 "EHLO mail-lf1-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727131AbfLJLhv (ORCPT ); Tue, 10 Dec 2019 06:37:51 -0500 Received: by mail-lf1-f66.google.com with SMTP id y1so2112150lfb.6; Tue, 10 Dec 2019 03:37:49 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=ZY93hUXgP9MdjxnR094b5yMFKUy+YydKGknr6vwPzSM=; b=ss7kiSP711gFTqT3iMckKzXWfkAlF1673Dcdou2O2mtfrZuvYxjTdzVQsHnwaAOBE2 1XteH/vRG8FgqbVHGMkc59Eff18IF6Aa9vO7toaySTYu0eBmZrWIoZixXRUhmP4ehaI+ K5YkfDSKYy/gyo0bzXeGuwwCluynVEtYverCYT/cHPAaX8zRDv71av4EjoADPWPI257B WhRfgBhoXf//i3Vbu0hzQIK8nV46hGkSR5vaGW9/U94lMTVhKYQTULLVU9XRg15bkNp4 jOTvcJsX+qMXA5NuZLtLoXcKORC2K1El87MwuxVpCEM7f6kr98y8o1ZC3GU62axh1YJo KUeQ== X-Gm-Message-State: APjAAAUILQC8W5G6lHq5zPsNxw6OM587jQqL0U2KKSDFAwCFLJj6Sf+c zkcy3iB39BS/XF7PRxO536M= X-Google-Smtp-Source: APXvYqzqUPnasg7TcmqZwZCL73CR6bdEW7PtC489KLUT5hWmCeetgNTRr1cvB2nHk0JBXWWB5Qq1tg== X-Received: by 2002:a19:6a06:: with SMTP id u6mr14684526lfu.187.1575977868601; Tue, 10 Dec 2019 03:37:48 -0800 (PST) Received: from xi.terra (c-14b8e655.07-184-6d6c6d4.bbcust.telenor.se. [85.230.184.20]) by smtp.gmail.com with ESMTPSA id f24sm1615955ljm.12.2019.12.10.03.37.47 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 10 Dec 2019 03:37:47 -0800 (PST) Received: from johan by xi.terra with local (Exim 4.92.3) (envelope-from ) id 1iedpt-00013j-QS; Tue, 10 Dec 2019 12:37:49 +0100 From: Johan Hovold To: Dmitry Torokhov Cc: linux-input@vger.kernel.org, linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, Johan Hovold , stable , Martin Kepplinger Subject: [PATCH 1/7] Input: pegasus_notetaker: fix endpoint sanity check Date: Tue, 10 Dec 2019 12:37:31 +0100 Message-Id: <20191210113737.4016-2-johan@kernel.org> X-Mailer: git-send-email 2.24.0 In-Reply-To: <20191210113737.4016-1-johan@kernel.org> References: <20191210113737.4016-1-johan@kernel.org> MIME-Version: 1.0 Sender: linux-usb-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-usb@vger.kernel.org The driver was checking the number of endpoints of the first alternate setting instead of the current one, something which could be used by a malicious device (or USB descriptor fuzzer) to trigger a NULL-pointer dereference. Fixes: 1afca2b66aac ("Input: add Pegasus Notetaker tablet driver") Cc: stable # 4.8 Cc: Martin Kepplinger Signed-off-by: Johan Hovold Acked-by: Martin Kepplinger --- drivers/input/tablet/pegasus_notetaker.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/input/tablet/pegasus_notetaker.c b/drivers/input/tablet/pegasus_notetaker.c index a1f3a0cb197e..38f087404f7a 100644 --- a/drivers/input/tablet/pegasus_notetaker.c +++ b/drivers/input/tablet/pegasus_notetaker.c @@ -275,7 +275,7 @@ static int pegasus_probe(struct usb_interface *intf, return -ENODEV; /* Sanity check that the device has an endpoint */ - if (intf->altsetting[0].desc.bNumEndpoints < 1) { + if (intf->cur_altsetting->desc.bNumEndpoints < 1) { dev_err(&intf->dev, "Invalid number of endpoints\n"); return -EINVAL; } From patchwork Tue Dec 10 11:37:32 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Johan Hovold X-Patchwork-Id: 11281953 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id BD31A14E3 for ; Tue, 10 Dec 2019 11:38:26 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 9C46D2073D for ; Tue, 10 Dec 2019 11:38:26 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1575977906; bh=IxACIjreGJ4j0wFz3T0BYh3M2Z/+AqaqcbugnaXpsow=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=PKGGfSNy3WdmqwjeEk1YfGMxq7vy3c6jrLqFk046TuY/xtx79klz2z66ObLr44UCr seeWhzdi5O19bJMdpBMydksfpHadg6A+3str0pv86eVbgSONiXrwxSKcReH4PY52O3 iM/mvHJUVYIEv+nKdoNqGM56GIjSra0AL594eMEs= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727426AbfLJLhx (ORCPT ); Tue, 10 Dec 2019 06:37:53 -0500 Received: from mail-lf1-f65.google.com ([209.85.167.65]:37665 "EHLO mail-lf1-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727177AbfLJLhw (ORCPT ); Tue, 10 Dec 2019 06:37:52 -0500 Received: by mail-lf1-f65.google.com with SMTP id b15so13422351lfc.4; Tue, 10 Dec 2019 03:37:50 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=EqNpTSkza+eQj8K2xj20PlaT6wotGOHkK97zIiEKJAQ=; b=KzN0d8GZAC4erZ09TcavQa5ecG7zuCLKWzEsHufEPKzXWEpD7o7OvLVHQNe7kLHzLL TBhcXmxr6P6Uxj5Q8ZycE8uLfFx36xHj3ifYV1OFu7xhbitEi3ojQM0809wA25Jwh0QQ qm7eqUBevtU3etyWPLJgTkVM9VgOjiLRyAvTWu46WFsRr/aNQkjKTQ2KEvzy7+kyypPp Xmf6tCeYQQlDKGr1VZ3qEc2oA4w+RZT2IWsXDoq9tiRupRxg2la4TMVrVJquOXXfAVzB YTgMgqdTwe0lEMplzCmxp29hrfjY3i54mQitDc0kzwLHQzCgsj87AE3WRYOuqaV6CNJw U2fg== X-Gm-Message-State: APjAAAU0tx4GejOBDrFzK3stZCy3VQ0sEj+8gcaZjNAhdC6K4eZeuqGN raxKkmIPmv85sVbq/nWY2g/ed4vH X-Google-Smtp-Source: APXvYqz3AlE6wPReZrV2ucIUecMHpCKtz7S6dDKY5ME3aa+t3OyIfslalKBvUVIPeddGQ3/bulIcZQ== X-Received: by 2002:a19:cc49:: with SMTP id c70mr11667364lfg.73.1575977869953; Tue, 10 Dec 2019 03:37:49 -0800 (PST) Received: from xi.terra (c-14b8e655.07-184-6d6c6d4.bbcust.telenor.se. [85.230.184.20]) by smtp.gmail.com with ESMTPSA id u24sm1569296ljo.77.2019.12.10.03.37.47 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 10 Dec 2019 03:37:47 -0800 (PST) Received: from johan by xi.terra with local (Exim 4.92.3) (envelope-from ) id 1iedpt-00013n-Tc; Tue, 10 Dec 2019 12:37:49 +0100 From: Johan Hovold To: Dmitry Torokhov Cc: linux-input@vger.kernel.org, linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, Johan Hovold , stable , Vladis Dronov Subject: [PATCH 2/7] Input: aiptek: fix endpoint sanity check Date: Tue, 10 Dec 2019 12:37:32 +0100 Message-Id: <20191210113737.4016-3-johan@kernel.org> X-Mailer: git-send-email 2.24.0 In-Reply-To: <20191210113737.4016-1-johan@kernel.org> References: <20191210113737.4016-1-johan@kernel.org> MIME-Version: 1.0 Sender: linux-usb-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-usb@vger.kernel.org The driver was checking the number of endpoints of the first alternate setting instead of the current one, something which could lead to the driver binding to an invalid interface. This in turn could cause the driver to misbehave or trigger a WARN() in usb_submit_urb() that kernels with panic_on_warn set would choke on. Fixes: 8e20cf2bce12 ("Input: aiptek - fix crash on detecting device without endpoints") Cc: stable # 4.4 Cc: Vladis Dronov Signed-off-by: Johan Hovold --- drivers/input/tablet/aiptek.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/input/tablet/aiptek.c b/drivers/input/tablet/aiptek.c index 2ca586fb914f..06d0ffef4a17 100644 --- a/drivers/input/tablet/aiptek.c +++ b/drivers/input/tablet/aiptek.c @@ -1802,14 +1802,14 @@ aiptek_probe(struct usb_interface *intf, const struct usb_device_id *id) input_set_abs_params(inputdev, ABS_WHEEL, AIPTEK_WHEEL_MIN, AIPTEK_WHEEL_MAX - 1, 0, 0); /* Verify that a device really has an endpoint */ - if (intf->altsetting[0].desc.bNumEndpoints < 1) { + if (intf->cur_altsetting->desc.bNumEndpoints < 1) { dev_err(&intf->dev, "interface has %d endpoints, but must have minimum 1\n", - intf->altsetting[0].desc.bNumEndpoints); + intf->cur_altsetting->desc.bNumEndpoints); err = -EINVAL; goto fail3; } - endpoint = &intf->altsetting[0].endpoint[0].desc; + endpoint = &intf->cur_altsetting->endpoint[0].desc; /* Go set up our URB, which is called when the tablet receives * input. From patchwork Tue Dec 10 11:37:33 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Johan Hovold X-Patchwork-Id: 11281957 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id A158614BD for ; Tue, 10 Dec 2019 11:38:31 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 7E9AE2073D for ; Tue, 10 Dec 2019 11:38:31 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1575977911; bh=TSVeQs7JWEsxKy1hFyFhDjuN0iweEA/CFFVgV4fMmWI=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=JwK/G3Xeb6bxflyqEWCzXfGQQ9WZS2rmZ8i/GNo0zcTyUezrzu0Sv5Kpl6lULsoV+ BbbW6k5ljh/pyounTpxPpJzAqUhjFm0esSt24QgBBaVsHGToH/CCcM9R4qOcAVSODN noNFdfYTzYD+UsSMvguX7i+MnD2jR9i5m9fm+sUY= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727602AbfLJLi0 (ORCPT ); Tue, 10 Dec 2019 06:38:26 -0500 Received: from mail-lf1-f65.google.com ([209.85.167.65]:44783 "EHLO mail-lf1-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727385AbfLJLhx (ORCPT ); Tue, 10 Dec 2019 06:37:53 -0500 Received: by mail-lf1-f65.google.com with SMTP id v201so13397047lfa.11; Tue, 10 Dec 2019 03:37:51 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=9Vzfb7uq16SGhOTeNCkEKm8i/+IfT4zo8B8umjQrP2Q=; b=IDeMRsaa2bRO7A7b+lJmCIhd/DU1eXrvM2dFtJAreR/LxuZudurpQzsLi2aXTp+x9G TqlXr+s8hVvX2kqm7ay5Me3z112brDlAKgOCGxicWyX6hbIuf3cVerUFuaPaAo3pj/1V SipM4rnkamrOhBFGEf9yeL0hqAfsV8Buekc3HWz4XX4SKSoCpBveY+uHIeF1VsE21Egm BkV2Uz/MhLkRtLmgefHnKEq375+QlmJmtiVl0plMOB5wy6GDubsbsyA0GsU2aPv9fboD Lh3X2yX6QMDAz7BcUCm2KDKdZVVanapswk+BKNw4PzTgtkjRG1i0muqEJTzHmdiyVsOv z62Q== X-Gm-Message-State: APjAAAWG0IgexfTE4jX+o6GI0k0yBmjwjyfx6i35VkabOOgXWpQHSwK4 WsbX3FO5I1SblzE8DKSEW9KcC85e X-Google-Smtp-Source: APXvYqxkYaor8ZxGswMpVmxWvaZhxt0v514WJ5beneZnfPx7VLTil1pUVT4+cYcZwGtAESyfBdx7og== X-Received: by 2002:a19:7401:: with SMTP id v1mr18239687lfe.129.1575977871028; Tue, 10 Dec 2019 03:37:51 -0800 (PST) Received: from xi.terra (c-14b8e655.07-184-6d6c6d4.bbcust.telenor.se. [85.230.184.20]) by smtp.gmail.com with ESMTPSA id g6sm1623983lja.10.2019.12.10.03.37.47 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 10 Dec 2019 03:37:48 -0800 (PST) Received: from johan by xi.terra with local (Exim 4.92.3) (envelope-from ) id 1iedpu-00013s-0a; Tue, 10 Dec 2019 12:37:50 +0100 From: Johan Hovold To: Dmitry Torokhov Cc: linux-input@vger.kernel.org, linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, Johan Hovold Subject: [PATCH 3/7] Input: aiptek: use descriptors of current altsetting Date: Tue, 10 Dec 2019 12:37:33 +0100 Message-Id: <20191210113737.4016-4-johan@kernel.org> X-Mailer: git-send-email 2.24.0 In-Reply-To: <20191210113737.4016-1-johan@kernel.org> References: <20191210113737.4016-1-johan@kernel.org> MIME-Version: 1.0 Sender: linux-usb-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-usb@vger.kernel.org Make sure to always use the descriptors of the current alternate setting to avoid future issues when accessing fields that may differ between settings. Signed-off-by: Johan Hovold --- drivers/input/tablet/aiptek.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/input/tablet/aiptek.c b/drivers/input/tablet/aiptek.c index 06d0ffef4a17..e08b0ef078e8 100644 --- a/drivers/input/tablet/aiptek.c +++ b/drivers/input/tablet/aiptek.c @@ -1713,7 +1713,7 @@ aiptek_probe(struct usb_interface *intf, const struct usb_device_id *id) aiptek->inputdev = inputdev; aiptek->intf = intf; - aiptek->ifnum = intf->altsetting[0].desc.bInterfaceNumber; + aiptek->ifnum = intf->cur_altsetting->desc.bInterfaceNumber; aiptek->inDelay = 0; aiptek->endDelay = 0; aiptek->previousJitterable = 0; From patchwork Tue Dec 10 11:37:34 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Johan Hovold X-Patchwork-Id: 11281947 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id D8E4E14E3 for ; Tue, 10 Dec 2019 11:38:10 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id B618B20828 for ; Tue, 10 Dec 2019 11:38:10 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1575977890; bh=Q0jorCsltGwylbBIhu9LwIkUoXO0lNS7YFUltbjwJQA=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=FMq9q68+pZxbJh4ihhXyZTgD/MFeMN6FPlLnXKX3IoUPYpS3RggJ1rebKOWBUcVit 8ZojB7asUbCuQ3wIefBx6Tn7Ls8aqV7RGasZOQCp504knQld5pmdHsLKbBVxTKiT06 1/c+ucneHw2pz0JVCDbEZsEmBEMYMS1VCw5oaeGo= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727535AbfLJLiG (ORCPT ); Tue, 10 Dec 2019 06:38:06 -0500 Received: from mail-lj1-f194.google.com ([209.85.208.194]:43633 "EHLO mail-lj1-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727434AbfLJLhz (ORCPT ); Tue, 10 Dec 2019 06:37:55 -0500 Received: by mail-lj1-f194.google.com with SMTP id a13so19475094ljm.10; Tue, 10 Dec 2019 03:37:53 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=H0ckkvmbuP0M6RAigoxMjD95QOpCoqkmvi2yCF+Kpfg=; b=e42vnHZIyrMoektAOGrEsvrUExgS0TMQ2gcqPtSlYy7ewXzHgHt1EnmtU11AstA8MV puQMdinf9AITU5xLn95JLvrEw7fHdkOozkhbUAbrgHdlJ3YMNUm0ZAhChgzeE3IHNWfV xG69zfOn3L5PP4mqFhHyLRJcjAEOjUPpLrv7OJl3JEeWPAfgBGW/Cy3vuTHYhRmyq8su RRAxgQLiW3ru6Iw0AuneqB/JVzWYAeQ73LnKNkbzGU8UKkjezduX5eRYj0m7X+OJEUXN V3JYVbgNmJGLDVOqaJKUU6XSx9fiIPLFRpPrzb/WghXhegQMD9m3/Nx02CZWzYHeNN2z +sDg== X-Gm-Message-State: APjAAAVptLHmiql00aVeZWurIfnr9X6EQyDUfJOsFJEYkzvr3fGKZM0J 2BZvvTJ9gtHwA73v0jI4eeNhgyrS X-Google-Smtp-Source: APXvYqwi1wEz7XIEpXMu/kzhK6QPZO1dEJNS67w1U/4kgV9xrjSipawTKdJ28IEhBXu5NGupE2kU3A== X-Received: by 2002:a2e:9987:: with SMTP id w7mr14897151lji.107.1575977872858; Tue, 10 Dec 2019 03:37:52 -0800 (PST) Received: from xi.terra (c-14b8e655.07-184-6d6c6d4.bbcust.telenor.se. [85.230.184.20]) by smtp.gmail.com with ESMTPSA id e21sm1736363lfc.63.2019.12.10.03.37.48 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 10 Dec 2019 03:37:51 -0800 (PST) Received: from johan by xi.terra with local (Exim 4.92.3) (envelope-from ) id 1iedpu-00013x-3X; Tue, 10 Dec 2019 12:37:50 +0100 From: Johan Hovold To: Dmitry Torokhov Cc: linux-input@vger.kernel.org, linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, Johan Hovold , stable , Vladis Dronov Subject: [PATCH 4/7] Input: gtco: fix endpoint sanity check Date: Tue, 10 Dec 2019 12:37:34 +0100 Message-Id: <20191210113737.4016-5-johan@kernel.org> X-Mailer: git-send-email 2.24.0 In-Reply-To: <20191210113737.4016-1-johan@kernel.org> References: <20191210113737.4016-1-johan@kernel.org> MIME-Version: 1.0 Sender: linux-usb-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-usb@vger.kernel.org The driver was checking the number of endpoints of the first alternate setting instead of the current one, something which could lead to the driver binding to an invalid interface. This in turn could cause the driver to misbehave or trigger a WARN() in usb_submit_urb() that kernels with panic_on_warn set would choke on. Fixes: 162f98dea487 ("Input: gtco - fix crash on detecting device without endpoints") Cc: stable # 4.6 Cc: Vladis Dronov Signed-off-by: Johan Hovold --- drivers/input/tablet/gtco.c | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/drivers/input/tablet/gtco.c b/drivers/input/tablet/gtco.c index 35031228a6d0..799c94dda651 100644 --- a/drivers/input/tablet/gtco.c +++ b/drivers/input/tablet/gtco.c @@ -875,18 +875,14 @@ static int gtco_probe(struct usb_interface *usbinterface, } /* Sanity check that a device has an endpoint */ - if (usbinterface->altsetting[0].desc.bNumEndpoints < 1) { + if (usbinterface->cur_altsetting->desc.bNumEndpoints < 1) { dev_err(&usbinterface->dev, "Invalid number of endpoints\n"); error = -EINVAL; goto err_free_urb; } - /* - * The endpoint is always altsetting 0, we know this since we know - * this device only has one interrupt endpoint - */ - endpoint = &usbinterface->altsetting[0].endpoint[0].desc; + endpoint = &usbinterface->cur_altsetting->endpoint[0].desc; /* Some debug */ dev_dbg(&usbinterface->dev, "gtco # interfaces: %d\n", usbinterface->num_altsetting); @@ -973,7 +969,7 @@ static int gtco_probe(struct usb_interface *usbinterface, input_dev->dev.parent = &usbinterface->dev; /* Setup the URB, it will be posted later on open of input device */ - endpoint = &usbinterface->altsetting[0].endpoint[0].desc; + endpoint = &usbinterface->cur_altsetting->endpoint[0].desc; usb_fill_int_urb(gtco->urbinfo, udev, From patchwork Tue Dec 10 11:37:35 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Johan Hovold X-Patchwork-Id: 11281941 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 6786314BD for ; Tue, 10 Dec 2019 11:38:05 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 45B4D20828 for ; Tue, 10 Dec 2019 11:38:05 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1575977885; bh=qvDEURgXf1zZaogVb2zqlt4yf7T+OeVJZgU818oEH2s=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=nYXCveweXb+XXaxRMMMcFU1Q3yvpC1ZrJGpQyc3qvxLMsCpkfm5YxRCgybVhK6c62 +R2mNScgff+ranM5JYNcQMt4d+1pm+bXeYuqky7hA3+UIsONaz0Ylv0R0yOmHKEesc KgQDAXYWHD+T+nStH2njpTnZmnbG8tTZNQikd580= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727489AbfLJLh4 (ORCPT ); Tue, 10 Dec 2019 06:37:56 -0500 Received: from mail-lj1-f195.google.com ([209.85.208.195]:46403 "EHLO mail-lj1-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727444AbfLJLhz (ORCPT ); Tue, 10 Dec 2019 06:37:55 -0500 Received: by mail-lj1-f195.google.com with SMTP id z17so19422577ljk.13; Tue, 10 Dec 2019 03:37:53 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=BnAjIRm8SkZt82a6IZa+nqu/H+3MFQ2/VQwVjJgBPlk=; b=D76ZoydOozLVU1dlzUaTBmu/aiVkOE8bVPjlgLBGkXSC8lIp1jKwIX22w9Y5qWJZ4K A0XeOWCCDVQbJel5S2Uipef2TtVs08vdNm7K4I9jZooLuIP3o2imlJ6w4mh3yU+/8sau j0Y3tDTgwWxVRjJ23jROz9wJ8pdtS0oHgnu1eWwG7nZK/cJKLkvH7SnollXpvWj2ypuv qpy9FoDiIJ/6nT7lSUjI0YU4uhc1DVh5aB+h2550MIdn6cIbTx6XfNSMyTNrFVbZ3E6l z/vp7z3e5qqAX7VIwDf6OLjHoJbmtr98e0f9TiHSfltR7B1mRJ18VuXzXmK5lU3UOk82 vF6A== X-Gm-Message-State: APjAAAVoz+UAcDIQajuonS+zaLf8YxMtLx6D1VvSVdkBs4XLzd4/CWIV SWYutFAWUM1KaC2WhRatV8g= X-Google-Smtp-Source: APXvYqyoRA7zMtHIgITzo6HTBEJt5wOrrIL1Np5LvhalZ6iLRNxgTNgR1UhmzwiPQuNbWDN+9KJjkg== X-Received: by 2002:a2e:93c5:: with SMTP id p5mr17342392ljh.192.1575977873213; Tue, 10 Dec 2019 03:37:53 -0800 (PST) Received: from xi.terra (c-14b8e655.07-184-6d6c6d4.bbcust.telenor.se. [85.230.184.20]) by smtp.gmail.com with ESMTPSA id v7sm1394045lfa.10.2019.12.10.03.37.48 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 10 Dec 2019 03:37:51 -0800 (PST) Received: from johan by xi.terra with local (Exim 4.92.3) (envelope-from ) id 1iedpu-000144-6o; Tue, 10 Dec 2019 12:37:50 +0100 From: Johan Hovold To: Dmitry Torokhov Cc: linux-input@vger.kernel.org, linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, Johan Hovold Subject: [PATCH 5/7] Input: gtco: fix extra-descriptor debug message Date: Tue, 10 Dec 2019 12:37:35 +0100 Message-Id: <20191210113737.4016-6-johan@kernel.org> X-Mailer: git-send-email 2.24.0 In-Reply-To: <20191210113737.4016-1-johan@kernel.org> References: <20191210113737.4016-1-johan@kernel.org> MIME-Version: 1.0 Sender: linux-usb-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-usb@vger.kernel.org Make sure to use the current altsetting when printing size of any extra descriptors of the interface. Also fix the s/endpoint/interface/ mixup in the message itself. Signed-off-by: Johan Hovold --- drivers/input/tablet/gtco.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/input/tablet/gtco.c b/drivers/input/tablet/gtco.c index 799c94dda651..eef5946a6ba4 100644 --- a/drivers/input/tablet/gtco.c +++ b/drivers/input/tablet/gtco.c @@ -892,7 +892,8 @@ static int gtco_probe(struct usb_interface *usbinterface, if (usb_endpoint_xfer_int(endpoint)) dev_dbg(&usbinterface->dev, "endpoint: we have interrupt endpoint\n"); - dev_dbg(&usbinterface->dev, "endpoint extra len:%d\n", usbinterface->altsetting[0].extralen); + dev_dbg(&usbinterface->dev, "interface extra len:%d\n", + usbinterface->cur_altsetting->extralen); /* * Find the HID descriptor so we can find out the size of the From patchwork Tue Dec 10 11:37:36 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Johan Hovold X-Patchwork-Id: 11281937 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 714B015AB for ; Tue, 10 Dec 2019 11:37:59 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 4F94A207FF for ; Tue, 10 Dec 2019 11:37:59 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1575977879; bh=dRQl+KcJF7mL4kd1EROTqjGxaPFQ77zNrBSs9JIZFaE=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=p2fdbLGzg3Oa4mLkkQUirCI/xzfKUJRP0Ndv/bnr0g3bOloY/HygfDTTHY6RzljnI E2hf+zp1+n/t18t/Q2IsE/8gQ5ke3EPc4vWVnwgYfXygQ9tFm9Nyx/vg0fzoKLbQKS LrCj22pKlr/6W4e2pR8w8yR2ouHGtgk1G2VTgSrU= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727510AbfLJLh6 (ORCPT ); Tue, 10 Dec 2019 06:37:58 -0500 Received: from mail-lj1-f193.google.com ([209.85.208.193]:41080 "EHLO mail-lj1-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727467AbfLJLh4 (ORCPT ); Tue, 10 Dec 2019 06:37:56 -0500 Received: by mail-lj1-f193.google.com with SMTP id h23so19462041ljc.8; Tue, 10 Dec 2019 03:37:55 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=TGONKFKCYbqiEX3DExtl3ks0dQN/C/p6ASZk392VZQ8=; b=G9aBaRVQwJ53U7co8JCrRgSLKFmQwReSdtcxni0HBtBEeDCbPWLH1xhLVbhibxLSyR gjmxDMSZu6uOkFgCIXDhKDF/GqtfLQkU9df5FYSGPMJU10gANLkBfOMhdAf2kJDg5jtL vnf2XGDe2ldxd1qj8eRlZAGzmc2rsh5iHUY0tbjf5zgnMmZLz83XCeQLI1LLGZtonRmz bJ2AGRSFFO57kxUeEUoL5zBxhTBd8TMOEuJVcaA45dOWlFlfg6xzkTWMW5txyFDO8rGt /pDEiQw4li/r8OXdee7rTCOBGmdhW+CIrtJg9VLuRbuEhJ9gZc08KI6DZdmWl5Wr3z5l SHDw== X-Gm-Message-State: APjAAAVowecMeoz773NYCWqs3mrpuBxL8RJFo6JbAWL4yfpVLZVrmemq MR6da7vIzZoyNB2izOnEGKtHxt2I X-Google-Smtp-Source: APXvYqyqaOiuo38RmYodGLQPrNI3fRmPmtb0hrtSlb53u1NW3HrlEbQlCo1FtioTbrMd91nFnwnljA== X-Received: by 2002:a2e:91c1:: with SMTP id u1mr20145358ljg.181.1575977874402; Tue, 10 Dec 2019 03:37:54 -0800 (PST) Received: from xi.terra (c-14b8e655.07-184-6d6c6d4.bbcust.telenor.se. [85.230.184.20]) by smtp.gmail.com with ESMTPSA id z7sm1698158lfa.81.2019.12.10.03.37.48 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 10 Dec 2019 03:37:51 -0800 (PST) Received: from johan by xi.terra with local (Exim 4.92.3) (envelope-from ) id 1iedpu-000149-9v; Tue, 10 Dec 2019 12:37:50 +0100 From: Johan Hovold To: Dmitry Torokhov Cc: linux-input@vger.kernel.org, linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, Johan Hovold Subject: [PATCH 6/7] Input: gtco: drop redundant variable reinit Date: Tue, 10 Dec 2019 12:37:36 +0100 Message-Id: <20191210113737.4016-7-johan@kernel.org> X-Mailer: git-send-email 2.24.0 In-Reply-To: <20191210113737.4016-1-johan@kernel.org> References: <20191210113737.4016-1-johan@kernel.org> MIME-Version: 1.0 Sender: linux-usb-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-usb@vger.kernel.org Drop the second, redundant reinitialisation of the endpoint-descriptor pointer from probe. Signed-off-by: Johan Hovold --- drivers/input/tablet/gtco.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/drivers/input/tablet/gtco.c b/drivers/input/tablet/gtco.c index eef5946a6ba4..96d65575f75a 100644 --- a/drivers/input/tablet/gtco.c +++ b/drivers/input/tablet/gtco.c @@ -970,8 +970,6 @@ static int gtco_probe(struct usb_interface *usbinterface, input_dev->dev.parent = &usbinterface->dev; /* Setup the URB, it will be posted later on open of input device */ - endpoint = &usbinterface->cur_altsetting->endpoint[0].desc; - usb_fill_int_urb(gtco->urbinfo, udev, usb_rcvintpipe(udev, From patchwork Tue Dec 10 11:37:37 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Johan Hovold X-Patchwork-Id: 11281951 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id B993D14BD for ; Tue, 10 Dec 2019 11:38:15 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 984C020838 for ; Tue, 10 Dec 2019 11:38:15 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1575977895; bh=jnqG6qrJA03sFgDKpKwGlZp+vI8IzN9r5vJ9YDbx3DQ=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=ePfgMBxmqpeWn0brJLnldxkYPfV6HRwupo55PmrJlYDZU72jxtZ0pjEpxdAm+8kyt VZYQvsG6xxpiSX16BEM9uB2A0ZpMpqWWtlJM7CIYTliIcc+mtfdzsaiwueb0JOABVZ 6edYVhdNBv8HDpWCPurOLcPB1IwE5ehhNdiBshVU= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727558AbfLJLiO (ORCPT ); Tue, 10 Dec 2019 06:38:14 -0500 Received: from mail-lf1-f66.google.com ([209.85.167.66]:39907 "EHLO mail-lf1-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727407AbfLJLhy (ORCPT ); Tue, 10 Dec 2019 06:37:54 -0500 Received: by mail-lf1-f66.google.com with SMTP id y1so2112276lfb.6; Tue, 10 Dec 2019 03:37:52 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=gizESJPdbXxmJNJeGwhGZnMnlbvzjtAzhsJxIVT6qdY=; b=mwNvFNSxoM7/7S0054957ZfHrptP32CUtj0SL5MQ2LCqMZpWqhaTub7ZBuQVNoWAc5 T+fJZx/duFNzSvLbW3klt1nae6s7wLMscazySjVkSb7UuvTx+F20g/94fiPUCEzpEMTH 7xleGnqBqX1GDDzoQduPZUqwuMY42azI46xTLfAXBIGvkNGCDlf7XVCwVy+ugBar1cIM u3rMWmfVhafIcLnLxU7pU5ZMsdAbZqSCeoGoIhq6TYDmyurJwMyjAQKYSeu0LU9qKP71 3ODcNSJgKaNuZ96edUzvWFZI+DeKkfYIjh6Z/T3dJ5Hi0UZ7d7ADXMrmrzgegoi3dwDj bn4w== X-Gm-Message-State: APjAAAXKGCKnTwa/WY4hRf4ycaQvUTyGkSXfDLcCPqArF58HrvGkFS8P wQL5+bO2SNTXXH55Yl+MtXCr1fQA X-Google-Smtp-Source: APXvYqy6D+qpHF61I1Tn+xu/XYGTKK0i1vpyVAhneBoDXI+DraQ+/PosTwlLTDMvhQC2Yk4jQocOGw== X-Received: by 2002:a19:2389:: with SMTP id j131mr17056148lfj.86.1575977871489; Tue, 10 Dec 2019 03:37:51 -0800 (PST) Received: from xi.terra (c-14b8e655.07-184-6d6c6d4.bbcust.telenor.se. [85.230.184.20]) by smtp.gmail.com with ESMTPSA id 207sm1941884ljj.72.2019.12.10.03.37.47 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 10 Dec 2019 03:37:49 -0800 (PST) Received: from johan by xi.terra with local (Exim 4.92.3) (envelope-from ) id 1iedpu-00014F-Cx; Tue, 10 Dec 2019 12:37:50 +0100 From: Johan Hovold To: Dmitry Torokhov Cc: linux-input@vger.kernel.org, linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, Johan Hovold , stable , Florian Echtler Subject: [PATCH 7/7] Input: sur40: fix interface sanity checks Date: Tue, 10 Dec 2019 12:37:37 +0100 Message-Id: <20191210113737.4016-8-johan@kernel.org> X-Mailer: git-send-email 2.24.0 In-Reply-To: <20191210113737.4016-1-johan@kernel.org> References: <20191210113737.4016-1-johan@kernel.org> MIME-Version: 1.0 Sender: linux-usb-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-usb@vger.kernel.org Make sure to use the current alternate setting when verifying the interface descriptors to avoid binding to an invalid interface. This in turn could cause the driver to misbehave or trigger a WARN() in usb_submit_urb() that kernels with panic_on_warn set would choke on. Fixes: bdb5c57f209c ("Input: add sur40 driver for Samsung SUR40 (aka MS Surface 2.0/Pixelsense)") Cc: stable # 3.13 Cc: Florian Echtler Signed-off-by: Johan Hovold --- drivers/input/touchscreen/sur40.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/input/touchscreen/sur40.c b/drivers/input/touchscreen/sur40.c index 1dd47dda71cd..34d31c7ec8ba 100644 --- a/drivers/input/touchscreen/sur40.c +++ b/drivers/input/touchscreen/sur40.c @@ -661,7 +661,7 @@ static int sur40_probe(struct usb_interface *interface, int error; /* Check if we really have the right interface. */ - iface_desc = &interface->altsetting[0]; + iface_desc = interface->cur_altsetting; if (iface_desc->desc.bInterfaceClass != 0xFF) return -ENODEV;