From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Johan Hovold <johan@kernel.org>,
Vladis Dronov <vdronov@redhat.com>,
Dmitry Torokhov <dmitry.torokhov@gmail.com>
Subject: [PATCH 4.14 29/46] Input: gtco - fix endpoint sanity check
Date: Tue, 28 Jan 2020 14:58:03 +0100 [thread overview]
Message-ID: <20200128135753.817028576@linuxfoundation.org> (raw)
In-Reply-To: <20200128135749.822297911@linuxfoundation.org>
From: Johan Hovold <johan@kernel.org>
commit a8eeb74df5a6bdb214b2b581b14782c5f5a0cf83 upstream.
The driver was checking the number of endpoints of the first alternate
setting instead of the current one, something which could lead to the
driver binding to an invalid interface.
This in turn could cause the driver to misbehave or trigger a WARN() in
usb_submit_urb() that kernels with panic_on_warn set would choke on.
Fixes: 162f98dea487 ("Input: gtco - fix crash on detecting device without endpoints")
Signed-off-by: Johan Hovold <johan@kernel.org>
Acked-by: Vladis Dronov <vdronov@redhat.com>
Link: https://lore.kernel.org/r/20191210113737.4016-5-johan@kernel.org
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/input/tablet/gtco.c | 10 +++-------
1 file changed, 3 insertions(+), 7 deletions(-)
--- a/drivers/input/tablet/gtco.c
+++ b/drivers/input/tablet/gtco.c
@@ -875,18 +875,14 @@ static int gtco_probe(struct usb_interfa
}
/* Sanity check that a device has an endpoint */
- if (usbinterface->altsetting[0].desc.bNumEndpoints < 1) {
+ if (usbinterface->cur_altsetting->desc.bNumEndpoints < 1) {
dev_err(&usbinterface->dev,
"Invalid number of endpoints\n");
error = -EINVAL;
goto err_free_urb;
}
- /*
- * The endpoint is always altsetting 0, we know this since we know
- * this device only has one interrupt endpoint
- */
- endpoint = &usbinterface->altsetting[0].endpoint[0].desc;
+ endpoint = &usbinterface->cur_altsetting->endpoint[0].desc;
/* Some debug */
dev_dbg(&usbinterface->dev, "gtco # interfaces: %d\n", usbinterface->num_altsetting);
@@ -973,7 +969,7 @@ static int gtco_probe(struct usb_interfa
input_dev->dev.parent = &usbinterface->dev;
/* Setup the URB, it will be posted later on open of input device */
- endpoint = &usbinterface->altsetting[0].endpoint[0].desc;
+ endpoint = &usbinterface->cur_altsetting->endpoint[0].desc;
usb_fill_int_urb(gtco->urbinfo,
udev,
next prev parent reply other threads:[~2020-01-28 14:00 UTC|newest]
Thread overview: 51+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-01-28 13:57 [PATCH 4.14 00/46] 4.14.169-stable review Greg Kroah-Hartman
2020-01-28 13:57 ` [PATCH 4.14 01/46] can, slip: Protect tty->disc_data in write_wakeup and close with RCU Greg Kroah-Hartman
2020-01-28 13:57 ` [PATCH 4.14 02/46] firestream: fix memory leaks Greg Kroah-Hartman
2020-01-28 13:57 ` [PATCH 4.14 03/46] gtp: make sure only SOCK_DGRAM UDP sockets are accepted Greg Kroah-Hartman
2020-01-28 13:57 ` [PATCH 4.14 04/46] ipv6: sr: remove SKB_GSO_IPXIP6 on End.D* actions Greg Kroah-Hartman
2020-01-28 13:57 ` [PATCH 4.14 05/46] net: cxgb3_main: Add CAP_NET_ADMIN check to CHELSIO_GET_MEM Greg Kroah-Hartman
2020-01-28 13:57 ` [PATCH 4.14 06/46] net, ip6_tunnel: fix namespaces move Greg Kroah-Hartman
2020-01-28 13:57 ` [PATCH 4.14 07/46] net, ip_tunnel: " Greg Kroah-Hartman
2020-01-28 13:57 ` [PATCH 4.14 08/46] net_sched: fix datalen for ematch Greg Kroah-Hartman
2020-01-28 13:57 ` [PATCH 4.14 09/46] net-sysfs: Fix reference count leak in rx|netdev_queue_add_kobject Greg Kroah-Hartman
2020-01-28 13:57 ` [PATCH 4.14 10/46] net-sysfs: fix netdev_queue_add_kobject() breakage Greg Kroah-Hartman
2020-01-28 13:57 ` [PATCH 4.14 11/46] net-sysfs: Call dev_hold always in netdev_queue_add_kobject Greg Kroah-Hartman
2020-01-28 13:57 ` [PATCH 4.14 12/46] net-sysfs: Call dev_hold always in rx_queue_add_kobject Greg Kroah-Hartman
2020-01-28 13:57 ` [PATCH 4.14 13/46] net-sysfs: Fix reference count leak Greg Kroah-Hartman
2020-01-28 13:57 ` [PATCH 4.14 14/46] net: usb: lan78xx: Add .ndo_features_check Greg Kroah-Hartman
2020-01-28 13:57 ` [PATCH 4.14 15/46] tcp_bbr: improve arithmetic division in bbr_update_bw() Greg Kroah-Hartman
2020-01-28 13:57 ` [PATCH 4.14 16/46] net: rtnetlink: validate IFLA_MTU attribute in rtnl_create_link() Greg Kroah-Hartman
2020-01-28 13:57 ` [PATCH 4.14 17/46] hwmon: (adt7475) Make volt2reg return same reg as reg2volt input Greg Kroah-Hartman
2020-01-28 13:57 ` [PATCH 4.14 18/46] hwmon: Deal with errors from the thermal subsystem Greg Kroah-Hartman
2020-01-28 13:57 ` [PATCH 4.14 19/46] hwmon: (core) Fix double-free in __hwmon_device_register() Greg Kroah-Hartman
2020-01-28 13:57 ` [PATCH 4.14 20/46] hwmon: (core) Do not use device managed functions for memory allocations Greg Kroah-Hartman
2020-01-28 13:57 ` [PATCH 4.14 21/46] Input: keyspan-remote - fix control-message timeouts Greg Kroah-Hartman
2020-01-28 13:57 ` [PATCH 4.14 22/46] Revert "Input: synaptics-rmi4 - dont increment rmiaddr for SMBus transfers" Greg Kroah-Hartman
2020-01-28 13:57 ` [PATCH 4.14 23/46] ARM: 8950/1: ftrace/recordmcount: filter relocation types Greg Kroah-Hartman
2020-01-28 13:57 ` [PATCH 4.14 24/46] mmc: tegra: fix SDR50 tuning override Greg Kroah-Hartman
2020-01-28 13:57 ` [PATCH 4.14 25/46] mmc: sdhci: fix minimum clock rate for v3 controller Greg Kroah-Hartman
2020-01-28 13:58 ` [PATCH 4.14 26/46] Documentation: Document arm64 kpti control Greg Kroah-Hartman
2020-01-28 13:58 ` [PATCH 4.14 27/46] Input: pm8xxx-vib - fix handling of separate enable register Greg Kroah-Hartman
2020-01-28 13:58 ` [PATCH 4.14 28/46] Input: sur40 - fix interface sanity checks Greg Kroah-Hartman
2020-01-28 13:58 ` Greg Kroah-Hartman [this message]
2020-01-28 13:58 ` [PATCH 4.14 30/46] Input: aiptek - fix endpoint sanity check Greg Kroah-Hartman
2020-01-28 13:58 ` [PATCH 4.14 31/46] Input: pegasus_notetaker " Greg Kroah-Hartman
2020-01-28 13:58 ` [PATCH 4.14 32/46] Input: sun4i-ts - add a check for devm_thermal_zone_of_sensor_register Greg Kroah-Hartman
2020-01-28 13:58 ` [PATCH 4.14 33/46] hwmon: (nct7802) Fix voltage limits to wrong registers Greg Kroah-Hartman
2020-01-28 13:58 ` [PATCH 4.14 34/46] scsi: RDMA/isert: Fix a recently introduced regression related to logout Greg Kroah-Hartman
2020-01-28 13:58 ` [PATCH 4.14 35/46] tracing: xen: Ordered comparison of function pointers Greg Kroah-Hartman
2020-01-28 13:58 ` [PATCH 4.14 36/46] do_last(): fetch directory ->i_mode and ->i_uid before its too late Greg Kroah-Hartman
2020-01-28 13:58 ` [PATCH 4.14 37/46] sd: Fix REQ_OP_ZONE_REPORT completion handling Greg Kroah-Hartman
2020-01-28 13:58 ` [PATCH 4.14 38/46] coresight: etb10: Do not call smp_processor_id from preemptible Greg Kroah-Hartman
2020-01-28 13:58 ` [PATCH 4.14 39/46] coresight: tmc-etf: " Greg Kroah-Hartman
2020-01-28 13:58 ` [PATCH 4.14 40/46] libertas: Fix two buffer overflows at parsing bss descriptor Greg Kroah-Hartman
2020-01-28 13:58 ` [PATCH 4.14 41/46] media: v4l2-ioctl.c: zero reserved fields for S/TRY_FMT Greg Kroah-Hartman
2020-01-28 13:58 ` [PATCH 4.14 42/46] scsi: iscsi: Avoid potential deadlock in iscsi_if_rx func Greg Kroah-Hartman
2020-01-28 13:58 ` [PATCH 4.14 43/46] md: Avoid namespace collision with bitmap API Greg Kroah-Hartman
2020-01-28 13:58 ` [PATCH 4.14 44/46] bitmap: Add bitmap_alloc(), bitmap_zalloc() and bitmap_free() Greg Kroah-Hartman
2020-01-28 13:58 ` [PATCH 4.14 45/46] netfilter: ipset: use bitmap infrastructure completely Greg Kroah-Hartman
2020-01-28 13:58 ` [PATCH 4.14 46/46] net/x25: fix nonblocking connect Greg Kroah-Hartman
2020-01-28 23:05 ` [PATCH 4.14 00/46] 4.14.169-stable review shuah
2020-01-29 4:53 ` Naresh Kamboju
2020-01-29 13:13 ` Jon Hunter
2020-01-29 14:42 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200128135753.817028576@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=dmitry.torokhov@gmail.com \
--cc=johan@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=vdronov@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).