From cd57810cbd1a35f19239a689d42fb3f798af1633 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 27 Jan 2020 17:45:15 +0100 Subject: [PATCH] 4.9-stable patches added patches: input-aiptek-fix-endpoint-sanity-check.patch input-gtco-fix-endpoint-sanity-check.patch input-pegasus_notetaker-fix-endpoint-sanity-check.patch input-sun4i-ts-add-a-check-for-devm_thermal_zone_of_sensor_register.patch input-sur40-fix-interface-sanity-checks.patch --- ...put-aiptek-fix-endpoint-sanity-check.patch | 47 +++++++++++++++ ...input-gtco-fix-endpoint-sanity-check.patch | 59 +++++++++++++++++++ ..._notetaker-fix-endpoint-sanity-check.patch | 37 ++++++++++++ ...devm_thermal_zone_of_sensor_register.patch | 43 ++++++++++++++ ...ut-sur40-fix-interface-sanity-checks.patch | 37 ++++++++++++ queue-4.9/series | 5 ++ 6 files changed, 228 insertions(+) create mode 100644 queue-4.9/input-aiptek-fix-endpoint-sanity-check.patch create mode 100644 queue-4.9/input-gtco-fix-endpoint-sanity-check.patch create mode 100644 queue-4.9/input-pegasus_notetaker-fix-endpoint-sanity-check.patch create mode 100644 queue-4.9/input-sun4i-ts-add-a-check-for-devm_thermal_zone_of_sensor_register.patch create mode 100644 queue-4.9/input-sur40-fix-interface-sanity-checks.patch diff --git a/queue-4.9/input-aiptek-fix-endpoint-sanity-check.patch b/queue-4.9/input-aiptek-fix-endpoint-sanity-check.patch new file mode 100644 index 00000000000..b6ca9d6f635 --- /dev/null +++ b/queue-4.9/input-aiptek-fix-endpoint-sanity-check.patch @@ -0,0 +1,47 @@ +From 3111491fca4f01764e0c158c5e0f7ced808eef51 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Fri, 10 Jan 2020 11:59:32 -0800 +Subject: Input: aiptek - fix endpoint sanity check + +From: Johan Hovold + +commit 3111491fca4f01764e0c158c5e0f7ced808eef51 upstream. + +The driver was checking the number of endpoints of the first alternate +setting instead of the current one, something which could lead to the +driver binding to an invalid interface. + +This in turn could cause the driver to misbehave or trigger a WARN() in +usb_submit_urb() that kernels with panic_on_warn set would choke on. + +Fixes: 8e20cf2bce12 ("Input: aiptek - fix crash on detecting device without endpoints") +Signed-off-by: Johan Hovold +Acked-by: Vladis Dronov +Link: https://lore.kernel.org/r/20191210113737.4016-3-johan@kernel.org +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/tablet/aiptek.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/input/tablet/aiptek.c ++++ b/drivers/input/tablet/aiptek.c +@@ -1822,14 +1822,14 @@ aiptek_probe(struct usb_interface *intf, + input_set_abs_params(inputdev, ABS_WHEEL, AIPTEK_WHEEL_MIN, AIPTEK_WHEEL_MAX - 1, 0, 0); + + /* Verify that a device really has an endpoint */ +- if (intf->altsetting[0].desc.bNumEndpoints < 1) { ++ if (intf->cur_altsetting->desc.bNumEndpoints < 1) { + dev_err(&intf->dev, + "interface has %d endpoints, but must have minimum 1\n", +- intf->altsetting[0].desc.bNumEndpoints); ++ intf->cur_altsetting->desc.bNumEndpoints); + err = -EINVAL; + goto fail3; + } +- endpoint = &intf->altsetting[0].endpoint[0].desc; ++ endpoint = &intf->cur_altsetting->endpoint[0].desc; + + /* Go set up our URB, which is called when the tablet receives + * input. diff --git a/queue-4.9/input-gtco-fix-endpoint-sanity-check.patch b/queue-4.9/input-gtco-fix-endpoint-sanity-check.patch new file mode 100644 index 00000000000..7215eb72621 --- /dev/null +++ b/queue-4.9/input-gtco-fix-endpoint-sanity-check.patch @@ -0,0 +1,59 @@ +From a8eeb74df5a6bdb214b2b581b14782c5f5a0cf83 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Fri, 10 Jan 2020 12:00:18 -0800 +Subject: Input: gtco - fix endpoint sanity check + +From: Johan Hovold + +commit a8eeb74df5a6bdb214b2b581b14782c5f5a0cf83 upstream. + +The driver was checking the number of endpoints of the first alternate +setting instead of the current one, something which could lead to the +driver binding to an invalid interface. + +This in turn could cause the driver to misbehave or trigger a WARN() in +usb_submit_urb() that kernels with panic_on_warn set would choke on. + +Fixes: 162f98dea487 ("Input: gtco - fix crash on detecting device without endpoints") +Signed-off-by: Johan Hovold +Acked-by: Vladis Dronov +Link: https://lore.kernel.org/r/20191210113737.4016-5-johan@kernel.org +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/tablet/gtco.c | 10 +++------- + 1 file changed, 3 insertions(+), 7 deletions(-) + +--- a/drivers/input/tablet/gtco.c ++++ b/drivers/input/tablet/gtco.c +@@ -875,18 +875,14 @@ static int gtco_probe(struct usb_interfa + } + + /* Sanity check that a device has an endpoint */ +- if (usbinterface->altsetting[0].desc.bNumEndpoints < 1) { ++ if (usbinterface->cur_altsetting->desc.bNumEndpoints < 1) { + dev_err(&usbinterface->dev, + "Invalid number of endpoints\n"); + error = -EINVAL; + goto err_free_urb; + } + +- /* +- * The endpoint is always altsetting 0, we know this since we know +- * this device only has one interrupt endpoint +- */ +- endpoint = &usbinterface->altsetting[0].endpoint[0].desc; ++ endpoint = &usbinterface->cur_altsetting->endpoint[0].desc; + + /* Some debug */ + dev_dbg(&usbinterface->dev, "gtco # interfaces: %d\n", usbinterface->num_altsetting); +@@ -973,7 +969,7 @@ static int gtco_probe(struct usb_interfa + input_dev->dev.parent = &usbinterface->dev; + + /* Setup the URB, it will be posted later on open of input device */ +- endpoint = &usbinterface->altsetting[0].endpoint[0].desc; ++ endpoint = &usbinterface->cur_altsetting->endpoint[0].desc; + + usb_fill_int_urb(gtco->urbinfo, + udev, diff --git a/queue-4.9/input-pegasus_notetaker-fix-endpoint-sanity-check.patch b/queue-4.9/input-pegasus_notetaker-fix-endpoint-sanity-check.patch new file mode 100644 index 00000000000..a0234bb7d4d --- /dev/null +++ b/queue-4.9/input-pegasus_notetaker-fix-endpoint-sanity-check.patch @@ -0,0 +1,37 @@ +From bcfcb7f9b480dd0be8f0df2df17340ca92a03b98 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Fri, 10 Jan 2020 11:55:47 -0800 +Subject: Input: pegasus_notetaker - fix endpoint sanity check + +From: Johan Hovold + +commit bcfcb7f9b480dd0be8f0df2df17340ca92a03b98 upstream. + +The driver was checking the number of endpoints of the first alternate +setting instead of the current one, something which could be used by a +malicious device (or USB descriptor fuzzer) to trigger a NULL-pointer +dereference. + +Fixes: 1afca2b66aac ("Input: add Pegasus Notetaker tablet driver") +Signed-off-by: Johan Hovold +Acked-by: Martin Kepplinger +Acked-by: Vladis Dronov +Link: https://lore.kernel.org/r/20191210113737.4016-2-johan@kernel.org +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/tablet/pegasus_notetaker.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/input/tablet/pegasus_notetaker.c ++++ b/drivers/input/tablet/pegasus_notetaker.c +@@ -260,7 +260,7 @@ static int pegasus_probe(struct usb_inte + return -ENODEV; + + /* Sanity check that the device has an endpoint */ +- if (intf->altsetting[0].desc.bNumEndpoints < 1) { ++ if (intf->cur_altsetting->desc.bNumEndpoints < 1) { + dev_err(&intf->dev, "Invalid number of endpoints\n"); + return -EINVAL; + } diff --git a/queue-4.9/input-sun4i-ts-add-a-check-for-devm_thermal_zone_of_sensor_register.patch b/queue-4.9/input-sun4i-ts-add-a-check-for-devm_thermal_zone_of_sensor_register.patch new file mode 100644 index 00000000000..dc1960e6dfe --- /dev/null +++ b/queue-4.9/input-sun4i-ts-add-a-check-for-devm_thermal_zone_of_sensor_register.patch @@ -0,0 +1,43 @@ +From 97e24b095348a15ec08c476423c3b3b939186ad7 Mon Sep 17 00:00:00 2001 +From: Chuhong Yuan +Date: Fri, 10 Jan 2020 10:30:04 -0800 +Subject: Input: sun4i-ts - add a check for devm_thermal_zone_of_sensor_register + +From: Chuhong Yuan + +commit 97e24b095348a15ec08c476423c3b3b939186ad7 upstream. + +The driver misses a check for devm_thermal_zone_of_sensor_register(). +Add a check to fix it. + +Fixes: e28d0c9cd381 ("input: convert sun4i-ts to use devm_thermal_zone_of_sensor_register") +Signed-off-by: Chuhong Yuan +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/touchscreen/sun4i-ts.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/input/touchscreen/sun4i-ts.c ++++ b/drivers/input/touchscreen/sun4i-ts.c +@@ -246,6 +246,7 @@ static int sun4i_ts_probe(struct platfor + struct device *dev = &pdev->dev; + struct device_node *np = dev->of_node; + struct device *hwmon; ++ struct thermal_zone_device *thermal; + int error; + u32 reg; + bool ts_attached; +@@ -365,7 +366,10 @@ static int sun4i_ts_probe(struct platfor + if (IS_ERR(hwmon)) + return PTR_ERR(hwmon); + +- devm_thermal_zone_of_sensor_register(ts->dev, 0, ts, &sun4i_ts_tz_ops); ++ thermal = devm_thermal_zone_of_sensor_register(ts->dev, 0, ts, ++ &sun4i_ts_tz_ops); ++ if (IS_ERR(thermal)) ++ return PTR_ERR(thermal); + + writel(TEMP_IRQ_EN(1), ts->base + TP_INT_FIFOC); + diff --git a/queue-4.9/input-sur40-fix-interface-sanity-checks.patch b/queue-4.9/input-sur40-fix-interface-sanity-checks.patch new file mode 100644 index 00000000000..36670a6932e --- /dev/null +++ b/queue-4.9/input-sur40-fix-interface-sanity-checks.patch @@ -0,0 +1,37 @@ +From 6b32391ed675827f8425a414abbc6fbd54ea54fe Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Fri, 10 Jan 2020 12:01:27 -0800 +Subject: Input: sur40 - fix interface sanity checks + +From: Johan Hovold + +commit 6b32391ed675827f8425a414abbc6fbd54ea54fe upstream. + +Make sure to use the current alternate setting when verifying the +interface descriptors to avoid binding to an invalid interface. + +This in turn could cause the driver to misbehave or trigger a WARN() in +usb_submit_urb() that kernels with panic_on_warn set would choke on. + +Fixes: bdb5c57f209c ("Input: add sur40 driver for Samsung SUR40 (aka MS Surface 2.0/Pixelsense)") +Signed-off-by: Johan Hovold +Acked-by: Vladis Dronov +Link: https://lore.kernel.org/r/20191210113737.4016-8-johan@kernel.org +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/touchscreen/sur40.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/input/touchscreen/sur40.c ++++ b/drivers/input/touchscreen/sur40.c +@@ -523,7 +523,7 @@ static int sur40_probe(struct usb_interf + int error; + + /* Check if we really have the right interface. */ +- iface_desc = &interface->altsetting[0]; ++ iface_desc = interface->cur_altsetting; + if (iface_desc->desc.bInterfaceClass != 0xFF) + return -ENODEV; + diff --git a/queue-4.9/series b/queue-4.9/series index 2b67935b720..1568160720b 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -250,3 +250,8 @@ input-keyspan-remote-fix-control-message-timeouts.patch arm-8950-1-ftrace-recordmcount-filter-relocation-types.patch mmc-tegra-fix-sdr50-tuning-override.patch mmc-sdhci-fix-minimum-clock-rate-for-v3-controller.patch +input-sur40-fix-interface-sanity-checks.patch +input-gtco-fix-endpoint-sanity-check.patch +input-aiptek-fix-endpoint-sanity-check.patch +input-pegasus_notetaker-fix-endpoint-sanity-check.patch +input-sun4i-ts-add-a-check-for-devm_thermal_zone_of_sensor_register.patch -- 2.47.3