| From 5600f6986628dde8881734090588474f54a540a8 Mon Sep 17 00:00:00 2001 |
| From: Pavel Skripkin <paskripkin@gmail.com> |
| Date: Sun, 13 Mar 2022 22:56:32 -0700 |
| Subject: Input: aiptek - properly check endpoint type |
| |
| From: Pavel Skripkin <paskripkin@gmail.com> |
| |
| commit 5600f6986628dde8881734090588474f54a540a8 upstream. |
| |
| Syzbot reported warning in usb_submit_urb() which is caused by wrong |
| endpoint type. There was a check for the number of endpoints, but not |
| for the type of endpoint. |
| |
| Fix it by replacing old desc.bNumEndpoints check with |
| usb_find_common_endpoints() helper for finding endpoints |
| |
| Fail log: |
| |
| usb 5-1: BOGUS urb xfer, pipe 1 != type 3 |
| WARNING: CPU: 2 PID: 48 at drivers/usb/core/urb.c:502 usb_submit_urb+0xed2/0x18a0 drivers/usb/core/urb.c:502 |
| Modules linked in: |
| CPU: 2 PID: 48 Comm: kworker/2:2 Not tainted 5.17.0-rc6-syzkaller-00226-g07ebd38a0da2 #0 |
| Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014 |
| Workqueue: usb_hub_wq hub_event |
| ... |
| Call Trace: |
| <TASK> |
| aiptek_open+0xd5/0x130 drivers/input/tablet/aiptek.c:830 |
| input_open_device+0x1bb/0x320 drivers/input/input.c:629 |
| kbd_connect+0xfe/0x160 drivers/tty/vt/keyboard.c:1593 |
| |
| Fixes: 8e20cf2bce12 ("Input: aiptek - fix crash on detecting device without endpoints") |
| Reported-and-tested-by: syzbot+75cccf2b7da87fb6f84b@syzkaller.appspotmail.com |
| Signed-off-by: Pavel Skripkin <paskripkin@gmail.com> |
| Link: https://lore.kernel.org/r/20220308194328.26220-1-paskripkin@gmail.com |
| Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| drivers/input/tablet/aiptek.c | 10 ++++------ |
| 1 file changed, 4 insertions(+), 6 deletions(-) |
| |
| --- a/drivers/input/tablet/aiptek.c |
| +++ b/drivers/input/tablet/aiptek.c |
| @@ -1801,15 +1801,13 @@ aiptek_probe(struct usb_interface *intf, |
| input_set_abs_params(inputdev, ABS_TILT_Y, AIPTEK_TILT_MIN, AIPTEK_TILT_MAX, 0, 0); |
| input_set_abs_params(inputdev, ABS_WHEEL, AIPTEK_WHEEL_MIN, AIPTEK_WHEEL_MAX - 1, 0, 0); |
| |
| - /* Verify that a device really has an endpoint */ |
| - if (intf->cur_altsetting->desc.bNumEndpoints < 1) { |
| + err = usb_find_common_endpoints(intf->cur_altsetting, |
| + NULL, NULL, &endpoint, NULL); |
| + if (err) { |
| dev_err(&intf->dev, |
| - "interface has %d endpoints, but must have minimum 1\n", |
| - intf->cur_altsetting->desc.bNumEndpoints); |
| - err = -EINVAL; |
| + "interface has no int in endpoints, but must have minimum 1\n"); |
| goto fail3; |
| } |
| - endpoint = &intf->cur_altsetting->endpoint[0].desc; |
| |
| /* Go set up our URB, which is called when the tablet receives |
| * input. |