From: Greg Kroah-Hartman Date: Mon, 21 Mar 2022 09:15:04 +0000 (+0100) Subject: 4.9-stable patches X-Git-Tag: v4.9.308~16 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ecd8f3e718ef65cc450dd560732c0c5b3aa07743;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: input-aiptek-properly-check-endpoint-type.patch --- diff --git a/queue-4.9/input-aiptek-properly-check-endpoint-type.patch b/queue-4.9/input-aiptek-properly-check-endpoint-type.patch new file mode 100644 index 00000000000..08cf6470405 --- /dev/null +++ b/queue-4.9/input-aiptek-properly-check-endpoint-type.patch @@ -0,0 +1,63 @@ +From 5600f6986628dde8881734090588474f54a540a8 Mon Sep 17 00:00:00 2001 +From: Pavel Skripkin +Date: Sun, 13 Mar 2022 22:56:32 -0700 +Subject: Input: aiptek - properly check endpoint type + +From: Pavel Skripkin + +commit 5600f6986628dde8881734090588474f54a540a8 upstream. + +Syzbot reported warning in usb_submit_urb() which is caused by wrong +endpoint type. There was a check for the number of endpoints, but not +for the type of endpoint. + +Fix it by replacing old desc.bNumEndpoints check with +usb_find_common_endpoints() helper for finding endpoints + +Fail log: + +usb 5-1: BOGUS urb xfer, pipe 1 != type 3 +WARNING: CPU: 2 PID: 48 at drivers/usb/core/urb.c:502 usb_submit_urb+0xed2/0x18a0 drivers/usb/core/urb.c:502 +Modules linked in: +CPU: 2 PID: 48 Comm: kworker/2:2 Not tainted 5.17.0-rc6-syzkaller-00226-g07ebd38a0da2 #0 +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014 +Workqueue: usb_hub_wq hub_event +... +Call Trace: + + aiptek_open+0xd5/0x130 drivers/input/tablet/aiptek.c:830 + input_open_device+0x1bb/0x320 drivers/input/input.c:629 + kbd_connect+0xfe/0x160 drivers/tty/vt/keyboard.c:1593 + +Fixes: 8e20cf2bce12 ("Input: aiptek - fix crash on detecting device without endpoints") +Reported-and-tested-by: syzbot+75cccf2b7da87fb6f84b@syzkaller.appspotmail.com +Signed-off-by: Pavel Skripkin +Link: https://lore.kernel.org/r/20220308194328.26220-1-paskripkin@gmail.com +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman +--- + drivers/input/tablet/aiptek.c | 10 ++++------ + 1 file changed, 4 insertions(+), 6 deletions(-) + +--- a/drivers/input/tablet/aiptek.c ++++ b/drivers/input/tablet/aiptek.c +@@ -1821,15 +1821,13 @@ aiptek_probe(struct usb_interface *intf, + input_set_abs_params(inputdev, ABS_TILT_Y, AIPTEK_TILT_MIN, AIPTEK_TILT_MAX, 0, 0); + input_set_abs_params(inputdev, ABS_WHEEL, AIPTEK_WHEEL_MIN, AIPTEK_WHEEL_MAX - 1, 0, 0); + +- /* Verify that a device really has an endpoint */ +- if (intf->cur_altsetting->desc.bNumEndpoints < 1) { ++ err = usb_find_common_endpoints(intf->cur_altsetting, ++ NULL, NULL, &endpoint, NULL); ++ if (err) { + dev_err(&intf->dev, +- "interface has %d endpoints, but must have minimum 1\n", +- intf->cur_altsetting->desc.bNumEndpoints); +- err = -EINVAL; ++ "interface has no int in endpoints, but must have minimum 1\n"); + goto fail3; + } +- endpoint = &intf->cur_altsetting->endpoint[0].desc; + + /* Go set up our URB, which is called when the tablet receives + * input. diff --git a/queue-4.9/series b/queue-4.9/series index 9ecd1cdfbd9..1ceff2fa154 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -13,3 +13,4 @@ net-packet-fix-slab-out-of-bounds-access-in-packet_r.patch atm-eni-add-check-for-dma_map_single.patch usb-gadget-rndis-prevent-integer-overflow-in-rndis_set_response.patch usb-gadget-fix-use-after-free-bug-by-not-setting-udc-dev.driver.patch +input-aiptek-properly-check-endpoint-type.patch