5.10-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 21 Mar 2022 09:15:34 +0000 (10:15 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 21 Mar 2022 09:15:34 +0000 (10:15 +0100)
added patches:
input-aiptek-properly-check-endpoint-type.patch
perf-symbols-fix-symbol-size-calculation-condition.patch

queue-5.10/input-aiptek-properly-check-endpoint-type.patch [new file with mode: 0644]
queue-5.10/perf-symbols-fix-symbol-size-calculation-condition.patch [new file with mode: 0644]
queue-5.10/series

diff --git a/queue-5.10/input-aiptek-properly-check-endpoint-type.patch b/queue-5.10/input-aiptek-properly-check-endpoint-type.patch
new file mode 100644 (file)
index 0000000..e3ee9f5
--- /dev/null
@@ -0,0 +1,63 @@
+From 5600f6986628dde8881734090588474f54a540a8 Mon Sep 17 00:00:00 2001
+From: Pavel Skripkin <paskripkin@gmail.com>
+Date: Sun, 13 Mar 2022 22:56:32 -0700
+Subject: Input: aiptek - properly check endpoint type
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+commit 5600f6986628dde8881734090588474f54a540a8 upstream.
+
+Syzbot reported warning in usb_submit_urb() which is caused by wrong
+endpoint type. There was a check for the number of endpoints, but not
+for the type of endpoint.
+
+Fix it by replacing old desc.bNumEndpoints check with
+usb_find_common_endpoints() helper for finding endpoints
+
+Fail log:
+
+usb 5-1: BOGUS urb xfer, pipe 1 != type 3
+WARNING: CPU: 2 PID: 48 at drivers/usb/core/urb.c:502 usb_submit_urb+0xed2/0x18a0 drivers/usb/core/urb.c:502
+Modules linked in:
+CPU: 2 PID: 48 Comm: kworker/2:2 Not tainted 5.17.0-rc6-syzkaller-00226-g07ebd38a0da2 #0
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014
+Workqueue: usb_hub_wq hub_event
+...
+Call Trace:
+ <TASK>
+ aiptek_open+0xd5/0x130 drivers/input/tablet/aiptek.c:830
+ input_open_device+0x1bb/0x320 drivers/input/input.c:629
+ kbd_connect+0xfe/0x160 drivers/tty/vt/keyboard.c:1593
+
+Fixes: 8e20cf2bce12 ("Input: aiptek - fix crash on detecting device without endpoints")
+Reported-and-tested-by: syzbot+75cccf2b7da87fb6f84b@syzkaller.appspotmail.com
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Link: https://lore.kernel.org/r/20220308194328.26220-1-paskripkin@gmail.com
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/tablet/aiptek.c |   10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+--- a/drivers/input/tablet/aiptek.c
++++ b/drivers/input/tablet/aiptek.c
+@@ -1801,15 +1801,13 @@ aiptek_probe(struct usb_interface *intf,
+       input_set_abs_params(inputdev, ABS_TILT_Y, AIPTEK_TILT_MIN, AIPTEK_TILT_MAX, 0, 0);
+       input_set_abs_params(inputdev, ABS_WHEEL, AIPTEK_WHEEL_MIN, AIPTEK_WHEEL_MAX - 1, 0, 0);
+-      /* Verify that a device really has an endpoint */
+-      if (intf->cur_altsetting->desc.bNumEndpoints < 1) {
++      err = usb_find_common_endpoints(intf->cur_altsetting,
++                                      NULL, NULL, &endpoint, NULL);
++      if (err) {
+               dev_err(&intf->dev,
+-                      "interface has %d endpoints, but must have minimum 1\n",
+-                      intf->cur_altsetting->desc.bNumEndpoints);
+-              err = -EINVAL;
++                      "interface has no int in endpoints, but must have minimum 1\n");
+               goto fail3;
+       }
+-      endpoint = &intf->cur_altsetting->endpoint[0].desc;
+       /* Go set up our URB, which is called when the tablet receives
+        * input.
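Review bot: The new `dev_err()` text in aiptek_probe(), `"interface has no int in endpoints, but must have minimum 1\n"`, is easy to misread, and the comment that explained the check was removed without a replacement. USB descriptors are supplied by the device and cannot be trusted, so I would keep a one-line comment such as `/* Descriptors are device-controlled: require an interrupt-IN endpoint */` and word the message as `"interface has no interrupt-in endpoint\n"`. The probe failure code also changes from the fixed `-EINVAL` to whatever `usb_find_common_endpoints()` returns, which deserves a mention in the commit message in case anything depends on the old value. aiptek_probe() starts and ends outside this hunk, so the later URB setup that consumes `endpoint` is not visible here.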
diff --git a/queue-5.10/perf-symbols-fix-symbol-size-calculation-condition.patch b/queue-5.10/perf-symbols-fix-symbol-size-calculation-condition.patch
new file mode 100644 (file)
index 0000000..9bca6c7
--- /dev/null
@@ -0,0 +1,71 @@
+From 3cf6a32f3f2a45944dd5be5c6ac4deb46bcd3bee Mon Sep 17 00:00:00 2001
+From: Michael Petlan <mpetlan@redhat.com>
+Date: Thu, 17 Mar 2022 14:55:36 +0100
+Subject: perf symbols: Fix symbol size calculation condition
+
+From: Michael Petlan <mpetlan@redhat.com>
+
+commit 3cf6a32f3f2a45944dd5be5c6ac4deb46bcd3bee upstream.
+
+Before this patch, the symbol end address fixup to be called, needed two
+conditions being met:
+
+  if (prev->end == prev->start && prev->end != curr->start)
+
+Where
+  "prev->end == prev->start" means that prev is zero-long
+                             (and thus needs a fixup)
+and
+  "prev->end != curr->start" means that fixup hasn't been applied yet
+
+However, this logic is incorrect in the following situation:
+
+*curr  = {rb_node = {__rb_parent_color = 278218928,
+  rb_right = 0x0, rb_left = 0x0},
+  start = 0xc000000000062354,
+  end = 0xc000000000062354, namelen = 40, type = 2 '\002',
+  binding = 0 '\000', idle = 0 '\000', ignore = 0 '\000',
+  inlined = 0 '\000', arch_sym = 0 '\000', annotate2 = false,
+  name = 0x1159739e "kprobe_optinsn_page\t[__builtin__kprobes]"}
+
+*prev = {rb_node = {__rb_parent_color = 278219041,
+  rb_right = 0x109548b0, rb_left = 0x109547c0},
+  start = 0xc000000000062354,
+  end = 0xc000000000062354, namelen = 12, type = 2 '\002',
+  binding = 1 '\001', idle = 0 '\000', ignore = 0 '\000',
+  inlined = 0 '\000', arch_sym = 0 '\000', annotate2 = false,
+  name = 0x1095486e "optinsn_slot"}
+
+In this case, prev->start == prev->end == curr->start == curr->end,
+thus the condition above thinks that "we need a fixup due to zero
+length of prev symbol, but it has been probably done, since the
+prev->end == curr->start", which is wrong.
+
+After the patch, the execution path proceeds to arch__symbols__fixup_end
+function which fixes up the size of prev symbol by adding page_size to
+its end offset.
+
+Fixes: 3b01a413c196c910 ("perf symbols: Improve kallsyms symbol end addr calculation")
+Signed-off-by: Michael Petlan <mpetlan@redhat.com>
+Cc: Athira Jajeev <atrajeev@linux.vnet.ibm.com>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Kajol Jain <kjain@linux.ibm.com>
+Cc: Madhavan Srinivasan <maddy@linux.ibm.com>
+Link: http://lore.kernel.org/lkml/20220317135536.805-1-mpetlan@redhat.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/perf/util/symbol.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/tools/perf/util/symbol.c
++++ b/tools/perf/util/symbol.c
+@@ -231,7 +231,7 @@ void symbols__fixup_end(struct rb_root_c
+               prev = curr;
+               curr = rb_entry(nd, struct symbol, rb_node);
+-              if (prev->end == prev->start && prev->end != curr->start)
++              if (prev->end == prev->start || prev->end != curr->start)
+                       arch__symbols__fixup_end(prev, curr);
+       }
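Review bot: With `||` in symbols__fixup_end(), the fixup now also runs for a `prev` of non-zero size whenever `prev->end != curr->start`, not only for the zero-length case the commit message describes. If arch__symbols__fixup_end() assigns `prev->end` unconditionally (its body is outside this hunk, so this is inferred), a symbol whose end was already correct and is followed by a gap would be stretched to the next symbol's start. A short comment above the test, e.g. `/* fix up zero-length symbols, and any symbol whose end does not meet the next start */`, would make the intended scope explicit. If only zero-length symbols are meant, `if (prev->end == prev->start)` alone expresses that. The function body starts and ends outside the hunk.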
index ff2ed447c3c65f8ab71ce2bfa02f7d8f07359f37..f6831b649efa05ba363d017aee37c72a411418b1 100644 (file)
@@ -21,3 +21,5 @@ usb-gadget-rndis-prevent-integer-overflow-in-rndis_set_response.patch
 usb-gadget-fix-use-after-free-bug-by-not-setting-udc-dev.driver.patch
 usb-usbtmc-fix-bug-in-pipe-direction-for-control-transfers.patch
 scsi-mpt3sas-page-fault-in-reply-q-processing.patch
+input-aiptek-properly-check-endpoint-type.patch
+perf-symbols-fix-symbol-size-calculation-condition.patch