4.9-stable patches

added patches:
	input-aiptek-properly-check-endpoint-type.patch

diff --git a/queue-4.9/input-aiptek-properly-check-endpoint-type.patch b/queue-4.9/input-aiptek-properly-check-endpoint-type.patch
new file mode 100644 (file)
index 0000000..08cf647
--- /dev/null
+++ b/queue-4.9/input-aiptek-properly-check-endpoint-type.patch
@@ -0,0 +1,63 @@
+From 5600f6986628dde8881734090588474f54a540a8 Mon Sep 17 00:00:00 2001
+From: Pavel Skripkin <paskripkin@gmail.com>
+Date: Sun, 13 Mar 2022 22:56:32 -0700
+Subject: Input: aiptek - properly check endpoint type
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+commit 5600f6986628dde8881734090588474f54a540a8 upstream.
+
+Syzbot reported warning in usb_submit_urb() which is caused by wrong
+endpoint type. There was a check for the number of endpoints, but not
+for the type of endpoint.
+
+Fix it by replacing old desc.bNumEndpoints check with
+usb_find_common_endpoints() helper for finding endpoints
+
+Fail log:
+
+usb 5-1: BOGUS urb xfer, pipe 1 != type 3
+WARNING: CPU: 2 PID: 48 at drivers/usb/core/urb.c:502 usb_submit_urb+0xed2/0x18a0 drivers/usb/core/urb.c:502
+Modules linked in:
+CPU: 2 PID: 48 Comm: kworker/2:2 Not tainted 5.17.0-rc6-syzkaller-00226-g07ebd38a0da2 #0
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014
+Workqueue: usb_hub_wq hub_event
+...
+Call Trace:
+ <TASK>
+ aiptek_open+0xd5/0x130 drivers/input/tablet/aiptek.c:830
+ input_open_device+0x1bb/0x320 drivers/input/input.c:629
+ kbd_connect+0xfe/0x160 drivers/tty/vt/keyboard.c:1593
+
+Fixes: 8e20cf2bce12 ("Input: aiptek - fix crash on detecting device without endpoints")
+Reported-and-tested-by: syzbot+75cccf2b7da87fb6f84b@syzkaller.appspotmail.com
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Link: https://lore.kernel.org/r/20220308194328.26220-1-paskripkin@gmail.com
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/tablet/aiptek.c |   10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+--- a/drivers/input/tablet/aiptek.c
++++ b/drivers/input/tablet/aiptek.c
+@@ -1821,15 +1821,13 @@ aiptek_probe(struct usb_interface *intf,
+       input_set_abs_params(inputdev, ABS_TILT_Y, AIPTEK_TILT_MIN, AIPTEK_TILT_MAX, 0, 0);
+       input_set_abs_params(inputdev, ABS_WHEEL, AIPTEK_WHEEL_MIN, AIPTEK_WHEEL_MAX - 1, 0, 0);
+ 
+-      /* Verify that a device really has an endpoint */
+-      if (intf->cur_altsetting->desc.bNumEndpoints < 1) {
++      err = usb_find_common_endpoints(intf->cur_altsetting,
++                                      NULL, NULL, &endpoint, NULL);
++      if (err) {
+               dev_err(&intf->dev,
+-                      "interface has %d endpoints, but must have minimum 1\n",
+-                      intf->cur_altsetting->desc.bNumEndpoints);
+-              err = -EINVAL;
++                      "interface has no int in endpoints, but must have minimum 1\n");
+               goto fail3;
+       }
+-      endpoint = &intf->cur_altsetting->endpoint[0].desc;
+ 
+       /* Go set up our URB, which is called when the tablet receives
+        * input.

diff --git a/queue-4.9/series b/queue-4.9/series
index 9ecd1cdfbd9cc685620b905b0554f63c29e9c819..1ceff2fa1542d77d8075403e497eb8849a8e5703 100644 (file)
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -13,3 +13,4 @@ net-packet-fix-slab-out-of-bounds-access-in-packet_r.patch
 atm-eni-add-check-for-dma_map_single.patch
 usb-gadget-rndis-prevent-integer-overflow-in-rndis_set_response.patch
 usb-gadget-fix-use-after-free-bug-by-not-setting-udc-dev.driver.patch
+input-aiptek-properly-check-endpoint-type.patch