Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v5.4.232 2020-01-29T15:45:28+00:00 2020-01-29T15:45:28+00:00 Johan Hovold johan@kernel.org 2020-01-10T20:00:18+00:00 urn:sha1:56ded4adf16e91ee522549e3d724fa3e1cdcdb4b commit a8eeb74df5a6bdb214b2b581b14782c5f5a0cf83 upstream. The driver was checking the number of endpoints of the first alternate setting instead of the current one, something which could lead to the driver binding to an invalid interface. This in turn could cause the driver to misbehave or trigger a WARN() in usb_submit_urb() that kernels with panic_on_warn set would choke on. Fixes: 162f98dea487 ("Input: gtco - fix crash on detecting device without endpoints") Signed-off-by: Johan Hovold <johan@kernel.org> Acked-by: Vladis Dronov <vdronov@redhat.com> Link: https://lore.kernel.org/r/20191210113737.4016-5-johan@kernel.org Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2019-07-13T08:43:10+00:00 Grant Hernandez granthernandez@google.com 2019-07-13T08:00:12+00:00 urn:sha1:2a017fd82c5402b3c8df5e3d6e5165d9e6147dc1 The GTCO tablet input driver configures itself from an HID report sent via USB during the initial enumeration process. Some debugging messages are generated during the parsing. A debugging message indentation counter is not bounds checked, leading to the ability for a specially crafted HID report to cause '-' and null bytes be written past the end of the indentation array. As long as the kernel has CONFIG_DYNAMIC_DEBUG enabled, this code will not be optimized out. This was discovered during code review after a previous syzkaller bug was found in this driver. Signed-off-by: Grant Hernandez <granthernandez@google.com> Cc: stable@vger.kernel.org Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> 2017-10-27T22:14:41+00:00 Dmitry Torokhov dmitry.torokhov@gmail.com 2017-10-23T23:46:00+00:00 urn:sha1:a50829479f58416a013a4ccca791336af3c584c7 parse_hid_report_descriptor() has a while (i < length) loop, which only guarantees that there's at least 1 byte in the buffer, but the loop body can read multiple bytes which causes out-of-bounds access. Reported-by: Andrey Konovalov <andreyknvl@google.com> Reviewed-by: Andrey Konovalov <andreyknvl@google.com> Cc: stable@vger.kernel.org Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> 2016-12-24T19:46:01+00:00 Linus Torvalds torvalds@linux-foundation.org 2016-12-24T19:46:01+00:00 urn:sha1:7c0f6ba682b9c7632072ffbedf8d328c8f3c42ba This was entirely automated, using the script by Al: PATT='^[[:blank:]]*#[[:blank:]]*include[[:blank:]]*<asm/uaccess.h>' sed -i -e "s!$PATT!#include <linux/uaccess.h>!" \ $(git grep -l "$PATT"|grep -v ^include/linux/uaccess.h) to do the replacement at the end of the merge window. Requested-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 2016-05-17T00:25:08+00:00 Dmitry Torokhov dmitry.torokhov@gmail.com 2016-05-17T00:25:08+00:00 urn:sha1:23ea5967d6bd30ed59480edbc5fe21eec81682a3 Prepare first round of input updates for 4.7 merge window. 2016-03-31T20:13:41+00:00 Oliver Neukum oneukum@suse.com 2016-03-31T18:01:07+00:00 urn:sha1:ed752e5ddedb68c9d69484baa1a712cf966e1f22 The device can now easily be derived from the interface. Stop leaving a private copy. Signed-off-by: Oliver Neukum <oneukum@suse.com> Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> 2016-03-31T20:10:00+00:00 Vladis Dronov vdronov@redhat.com 2016-03-31T17:53:42+00:00 urn:sha1:162f98dea487206d9ab79fc12ed64700667a894d The gtco driver expects at least one valid endpoint. If given malicious descriptors that specify 0 for the number of endpoints, it will crash in the probe function. Ensure there is at least one endpoint on the interface before using it. Also let's fix a minor coding style issue. The full correct report of this issue can be found in the public Red Hat Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1283385 Reported-by: Ralf Spenneberg <ralf@spenneberg.net> Signed-off-by: Vladis Dronov <vdronov@redhat.com> Cc: stable@vger.kernel.org Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> 2015-01-27T07:07:45+00:00 Martin Kepplinger martink@posteo.de 2015-01-24T00:40:53+00:00 urn:sha1:8d2128203682cb1b223e08f19c6b3ba72400bb96 Signed-off-by: Martin Kepplinger <martink@posteo.de> Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> 2014-01-28T06:34:49+00:00 Alexey Khoroshilov khoroshilov@ispras.ru 2014-01-27T20:25:47+00:00 urn:sha1:1f906f8376c2d53dca347b15c0caef71d91087b4 There is usb_get_dev() in gtco_probe(), but there is no usb_put_dev() anywhere in the driver. As pointed out by Dmitry Torokhov: The lifetime of gtco structure is already directly tied to lifetime of usb_dev: when destroying usb_dev driver core will call remove() function of currently bound driver (in our case gtco) which will destroy gtco memory. Taking additional reference is not needed here. Found by Linux Driver Verification project (linuxtesting.org). Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru> Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> 2014-01-07T07:23:57+00:00 Paul Gortmaker paul.gortmaker@windriver.com 2014-01-06T18:27:05+00:00 urn:sha1:bf9a9f8e5105b13cea954b254008f383ed0b4045 None of these files are actually using any __init type directives and hence don't need to include <linux/init.h>. Most are just a left over from __devinit and __cpuinit removal, or simply due to code getting copied from one driver to the next. Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>