--- /dev/null
+From 3111491fca4f01764e0c158c5e0f7ced808eef51 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Fri, 10 Jan 2020 11:59:32 -0800
+Subject: Input: aiptek - fix endpoint sanity check
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 3111491fca4f01764e0c158c5e0f7ced808eef51 upstream.
+
+The driver was checking the number of endpoints of the first alternate
+setting instead of the current one, something which could lead to the
+driver binding to an invalid interface.
+
+This in turn could cause the driver to misbehave or trigger a WARN() in
+usb_submit_urb() that kernels with panic_on_warn set would choke on.
+
+Fixes: 8e20cf2bce12 ("Input: aiptek - fix crash on detecting device without endpoints")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Acked-by: Vladis Dronov <vdronov@redhat.com>
+Link: https://lore.kernel.org/r/20191210113737.4016-3-johan@kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/tablet/aiptek.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/input/tablet/aiptek.c
++++ b/drivers/input/tablet/aiptek.c
+@@ -1822,14 +1822,14 @@ aiptek_probe(struct usb_interface *intf,
+ input_set_abs_params(inputdev, ABS_WHEEL, AIPTEK_WHEEL_MIN, AIPTEK_WHEEL_MAX - 1, 0, 0);
+
+ /* Verify that a device really has an endpoint */
+- if (intf->altsetting[0].desc.bNumEndpoints < 1) {
++ if (intf->cur_altsetting->desc.bNumEndpoints < 1) {
+ dev_err(&intf->dev,
+ "interface has %d endpoints, but must have minimum 1\n",
+- intf->altsetting[0].desc.bNumEndpoints);
++ intf->cur_altsetting->desc.bNumEndpoints);
+ err = -EINVAL;
+ goto fail3;
+ }
+- endpoint = &intf->altsetting[0].endpoint[0].desc;
++ endpoint = &intf->cur_altsetting->endpoint[0].desc;
+
+ /* Go set up our URB, which is called when the tablet receives
+ * input.
--- /dev/null
+From a8eeb74df5a6bdb214b2b581b14782c5f5a0cf83 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Fri, 10 Jan 2020 12:00:18 -0800
+Subject: Input: gtco - fix endpoint sanity check
+
+From: Johan Hovold <johan@kernel.org>
+
+commit a8eeb74df5a6bdb214b2b581b14782c5f5a0cf83 upstream.
+
+The driver was checking the number of endpoints of the first alternate
+setting instead of the current one, something which could lead to the
+driver binding to an invalid interface.
+
+This in turn could cause the driver to misbehave or trigger a WARN() in
+usb_submit_urb() that kernels with panic_on_warn set would choke on.
+
+Fixes: 162f98dea487 ("Input: gtco - fix crash on detecting device without endpoints")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Acked-by: Vladis Dronov <vdronov@redhat.com>
+Link: https://lore.kernel.org/r/20191210113737.4016-5-johan@kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/tablet/gtco.c | 10 +++-------
+ 1 file changed, 3 insertions(+), 7 deletions(-)
+
+--- a/drivers/input/tablet/gtco.c
++++ b/drivers/input/tablet/gtco.c
+@@ -875,18 +875,14 @@ static int gtco_probe(struct usb_interfa
+ }
+
+ /* Sanity check that a device has an endpoint */
+- if (usbinterface->altsetting[0].desc.bNumEndpoints < 1) {
++ if (usbinterface->cur_altsetting->desc.bNumEndpoints < 1) {
+ dev_err(&usbinterface->dev,
+ "Invalid number of endpoints\n");
+ error = -EINVAL;
+ goto err_free_urb;
+ }
+
+- /*
+- * The endpoint is always altsetting 0, we know this since we know
+- * this device only has one interrupt endpoint
+- */
+- endpoint = &usbinterface->altsetting[0].endpoint[0].desc;
++ endpoint = &usbinterface->cur_altsetting->endpoint[0].desc;
+
+ /* Some debug */
+ dev_dbg(&usbinterface->dev, "gtco # interfaces: %d\n", usbinterface->num_altsetting);
+@@ -973,7 +969,7 @@ static int gtco_probe(struct usb_interfa
+ input_dev->dev.parent = &usbinterface->dev;
+
+ /* Setup the URB, it will be posted later on open of input device */
+- endpoint = &usbinterface->altsetting[0].endpoint[0].desc;
++ endpoint = &usbinterface->cur_altsetting->endpoint[0].desc;
+
+ usb_fill_int_urb(gtco->urbinfo,
+ udev,
--- /dev/null
+From bcfcb7f9b480dd0be8f0df2df17340ca92a03b98 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Fri, 10 Jan 2020 11:55:47 -0800
+Subject: Input: pegasus_notetaker - fix endpoint sanity check
+
+From: Johan Hovold <johan@kernel.org>
+
+commit bcfcb7f9b480dd0be8f0df2df17340ca92a03b98 upstream.
+
+The driver was checking the number of endpoints of the first alternate
+setting instead of the current one, something which could be used by a
+malicious device (or USB descriptor fuzzer) to trigger a NULL-pointer
+dereference.
+
+Fixes: 1afca2b66aac ("Input: add Pegasus Notetaker tablet driver")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Acked-by: Martin Kepplinger <martink@posteo.de>
+Acked-by: Vladis Dronov <vdronov@redhat.com>
+Link: https://lore.kernel.org/r/20191210113737.4016-2-johan@kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/tablet/pegasus_notetaker.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/input/tablet/pegasus_notetaker.c
++++ b/drivers/input/tablet/pegasus_notetaker.c
+@@ -260,7 +260,7 @@ static int pegasus_probe(struct usb_inte
+ return -ENODEV;
+
+ /* Sanity check that the device has an endpoint */
+- if (intf->altsetting[0].desc.bNumEndpoints < 1) {
++ if (intf->cur_altsetting->desc.bNumEndpoints < 1) {
+ dev_err(&intf->dev, "Invalid number of endpoints\n");
+ return -EINVAL;
+ }
--- /dev/null
+From 996d5d5f89a558a3608a46e73ccd1b99f1b1d058 Mon Sep 17 00:00:00 2001
+From: Stephan Gerhold <stephan@gerhold.net>
+Date: Fri, 17 Jan 2020 13:40:36 -0800
+Subject: Input: pm8xxx-vib - fix handling of separate enable register
+
+From: Stephan Gerhold <stephan@gerhold.net>
+
+commit 996d5d5f89a558a3608a46e73ccd1b99f1b1d058 upstream.
+
+Setting the vibrator enable_mask is not implemented correctly:
+
+For regmap_update_bits(map, reg, mask, val) we give in either
+regs->enable_mask or 0 (= no-op) as mask and "val" as value.
+But "val" actually refers to the vibrator voltage control register,
+which has nothing to do with the enable_mask.
+
+So we usually end up doing nothing when we really wanted
+to enable the vibrator.
+
+We want to set or clear the enable_mask (to enable/disable the vibrator).
+Therefore, change the call to always modify the enable_mask
+and set the bits only if we want to enable the vibrator.
+
+Fixes: d4c7c5c96c92 ("Input: pm8xxx-vib - handle separate enable register")
+Signed-off-by: Stephan Gerhold <stephan@gerhold.net>
+Link: https://lore.kernel.org/r/20200114183442.45720-1-stephan@gerhold.net
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/misc/pm8xxx-vibrator.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/input/misc/pm8xxx-vibrator.c
++++ b/drivers/input/misc/pm8xxx-vibrator.c
+@@ -98,7 +98,7 @@ static int pm8xxx_vib_set(struct pm8xxx_
+
+ if (regs->enable_mask)
+ rc = regmap_update_bits(vib->regmap, regs->enable_addr,
+- on ? regs->enable_mask : 0, val);
++ regs->enable_mask, on ? ~0 : 0);
+
+ return rc;
+ }
--- /dev/null
+From 97e24b095348a15ec08c476423c3b3b939186ad7 Mon Sep 17 00:00:00 2001
+From: Chuhong Yuan <hslester96@gmail.com>
+Date: Fri, 10 Jan 2020 10:30:04 -0800
+Subject: Input: sun4i-ts - add a check for devm_thermal_zone_of_sensor_register
+
+From: Chuhong Yuan <hslester96@gmail.com>
+
+commit 97e24b095348a15ec08c476423c3b3b939186ad7 upstream.
+
+The driver misses a check for devm_thermal_zone_of_sensor_register().
+Add a check to fix it.
+
+Fixes: e28d0c9cd381 ("input: convert sun4i-ts to use devm_thermal_zone_of_sensor_register")
+Signed-off-by: Chuhong Yuan <hslester96@gmail.com>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/touchscreen/sun4i-ts.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/input/touchscreen/sun4i-ts.c
++++ b/drivers/input/touchscreen/sun4i-ts.c
+@@ -246,6 +246,7 @@ static int sun4i_ts_probe(struct platfor
+ struct device *dev = &pdev->dev;
+ struct device_node *np = dev->of_node;
+ struct device *hwmon;
++ struct thermal_zone_device *thermal;
+ int error;
+ u32 reg;
+ bool ts_attached;
+@@ -365,7 +366,10 @@ static int sun4i_ts_probe(struct platfor
+ if (IS_ERR(hwmon))
+ return PTR_ERR(hwmon);
+
+- devm_thermal_zone_of_sensor_register(ts->dev, 0, ts, &sun4i_ts_tz_ops);
++ thermal = devm_thermal_zone_of_sensor_register(ts->dev, 0, ts,
++ &sun4i_ts_tz_ops);
++ if (IS_ERR(thermal))
++ return PTR_ERR(thermal);
+
+ writel(TEMP_IRQ_EN(1), ts->base + TP_INT_FIFOC);
+
--- /dev/null
+From 6b32391ed675827f8425a414abbc6fbd54ea54fe Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Fri, 10 Jan 2020 12:01:27 -0800
+Subject: Input: sur40 - fix interface sanity checks
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 6b32391ed675827f8425a414abbc6fbd54ea54fe upstream.
+
+Make sure to use the current alternate setting when verifying the
+interface descriptors to avoid binding to an invalid interface.
+
+This in turn could cause the driver to misbehave or trigger a WARN() in
+usb_submit_urb() that kernels with panic_on_warn set would choke on.
+
+Fixes: bdb5c57f209c ("Input: add sur40 driver for Samsung SUR40 (aka MS Surface 2.0/Pixelsense)")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Acked-by: Vladis Dronov <vdronov@redhat.com>
+Link: https://lore.kernel.org/r/20191210113737.4016-8-johan@kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/touchscreen/sur40.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/input/touchscreen/sur40.c
++++ b/drivers/input/touchscreen/sur40.c
+@@ -537,7 +537,7 @@ static int sur40_probe(struct usb_interf
+ int error;
+
+ /* Check if we really have the right interface. */
+- iface_desc = &interface->altsetting[0];
++ iface_desc = interface->cur_altsetting;
+ if (iface_desc->desc.bInterfaceClass != 0xFF)
+ return -ENODEV;
+
mmc-tegra-fix-sdr50-tuning-override.patch
mmc-sdhci-fix-minimum-clock-rate-for-v3-controller.patch
documentation-document-arm64-kpti-control.patch
+input-pm8xxx-vib-fix-handling-of-separate-enable-register.patch
+input-sur40-fix-interface-sanity-checks.patch
+input-gtco-fix-endpoint-sanity-check.patch
+input-aiptek-fix-endpoint-sanity-check.patch
+input-pegasus_notetaker-fix-endpoint-sanity-check.patch
+input-sun4i-ts-add-a-check-for-devm_thermal_zone_of_sensor_register.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
