Received: by 2002:a25:1985:0:0:0:0:0 with SMTP id 127csp2337100ybz; Thu, 23 Apr 2020 16:16:37 -0700 (PDT) X-Google-Smtp-Source: APiQypJuwfkHZC4bpKF9kKoCQJ2TOo3r18dyvMUjaIILsmr9c1Vxgf8yViiUVHxGVOtp1NI2Anwz X-Received: by 2002:a50:9f85:: with SMTP id c5mr4936631edf.278.1587683796759; Thu, 23 Apr 2020 16:16:36 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1587683796; cv=none; d=google.com; s=arc-20160816; b=l5LUxn3Y/jBBKBfoyVdP6P0Ji1wu+aXyMstyTPAdIUkPTj45bRVEqCLBU0gSXRFVH6 tugJfjSSAi9u31CXVldpYDlWLKFWZXyWxto5TrDzJc07SIO9s8+/WsB7sHnnP43HTakJ ipI0xlSenjxgORpkL1pH7z5hy83gQyu1Q3fgEk/D1V2Q0+H/JREeURRtKtvSP3CkE/Cv xNsw5PZYV2IFT3whTgFREsPq9aBeS8Ihet82HOFCtO152mfl1FaE9gtFgmEP8xU+PDOj xrRg05G/e179VlXqjdrDkUJ9V25vendMZU8BVU0OBReRn363s4MAo1zULg5EpBU1qQ3f 4pEg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:subject:message-id:date:cc:to :from:mime-version:content-transfer-encoding:content-disposition; bh=R9IsewYTpa++j0sXUp9YxSxD87cNKXYkH74m4Vvebx8=; b=GHnU3xwNexZVyxzifcCTRIx9+f1Ds671y4tt/XUztGDL3GY6No1bMP7R7dnvBDNeAL R9x3EpbiEGygJrG3emW+wzan5BQanrXP2SqT0pbBZIqdIDNCdAcuOBpO7zgxJMoxa+bH f3Kd1fDFPha6fMdrYi20h0QMD+0Zx95lVVGfzbCeVzQr6h4+xyenX7W6CDou5ftj1y/C QAm8MrWM0gwMhTUihUq5/jOPBwZVIEmk7ZQ3Lta+izC9lKCKDOUK0ChC2+WpUbMPP8nz 8mw+CgdqZTf8iEjG56/YavEh9mVN28km4YtGHoMDMNpwanL47gDmuxbd0lHVvQ2Gqk83 mWeA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id g24si1967286ejb.433.2020.04.23.16.16.12; Thu, 23 Apr 2020 16:16:36 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729411AbgDWXNJ (ORCPT + 99 others); Thu, 23 Apr 2020 19:13:09 -0400 Received: from shadbolt.e.decadent.org.uk ([88.96.1.126]:50052 "EHLO shadbolt.e.decadent.org.uk" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728500AbgDWXGv (ORCPT ); Thu, 23 Apr 2020 19:06:51 -0400 Received: from [192.168.4.242] (helo=deadeye) by shadbolt.decadent.org.uk with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.89) (envelope-from ) id 1jRkvZ-0004n5-02; Fri, 24 Apr 2020 00:06:41 +0100 Received: from ben by deadeye with local (Exim 4.93) (envelope-from ) id 1jRkvV-00E6vg-CG; Fri, 24 Apr 2020 00:06:37 +0100 Content-Type: text/plain; charset="UTF-8" Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 From: Ben Hutchings To: linux-kernel@vger.kernel.org, stable@vger.kernel.org CC: akpm@linux-foundation.org, Denis Kirjanov , "Johan Hovold" , "Vladis Dronov" , "Dmitry Torokhov" Date: Fri, 24 Apr 2020 00:06:40 +0100 Message-ID: X-Mailer: LinuxStableQueue (scripts by bwh) X-Patchwork-Hint: ignore Subject: [PATCH 3.16 173/245] Input: gtco - fix endpoint sanity check In-Reply-To: X-SA-Exim-Connect-IP: 192.168.4.242 X-SA-Exim-Mail-From: ben@decadent.org.uk X-SA-Exim-Scanned: No (on shadbolt.decadent.org.uk); SAEximRunCond expanded to false Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 3.16.83-rc1 review patch. If anyone has any objections, please let me know. ------------------ From: Johan Hovold commit a8eeb74df5a6bdb214b2b581b14782c5f5a0cf83 upstream. The driver was checking the number of endpoints of the first alternate setting instead of the current one, something which could lead to the driver binding to an invalid interface. This in turn could cause the driver to misbehave or trigger a WARN() in usb_submit_urb() that kernels with panic_on_warn set would choke on. Fixes: 162f98dea487 ("Input: gtco - fix crash on detecting device without endpoints") Signed-off-by: Johan Hovold Acked-by: Vladis Dronov Link: https://lore.kernel.org/r/20191210113737.4016-5-johan@kernel.org Signed-off-by: Dmitry Torokhov Signed-off-by: Ben Hutchings --- drivers/input/tablet/gtco.c | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) --- a/drivers/input/tablet/gtco.c +++ b/drivers/input/tablet/gtco.c @@ -886,18 +886,14 @@ static int gtco_probe(struct usb_interfa } /* Sanity check that a device has an endpoint */ - if (usbinterface->altsetting[0].desc.bNumEndpoints < 1) { + if (usbinterface->cur_altsetting->desc.bNumEndpoints < 1) { dev_err(&usbinterface->dev, "Invalid number of endpoints\n"); error = -EINVAL; goto err_free_urb; } - /* - * The endpoint is always altsetting 0, we know this since we know - * this device only has one interrupt endpoint - */ - endpoint = &usbinterface->altsetting[0].endpoint[0].desc; + endpoint = &usbinterface->cur_altsetting->endpoint[0].desc; /* Some debug */ dev_dbg(&usbinterface->dev, "gtco # interfaces: %d\n", usbinterface->num_altsetting); @@ -984,7 +980,7 @@ static int gtco_probe(struct usb_interfa input_dev->dev.parent = &usbinterface->dev; /* Setup the URB, it will be posted later on open of input device */ - endpoint = &usbinterface->altsetting[0].endpoint[0].desc; + endpoint = &usbinterface->cur_altsetting->endpoint[0].desc; usb_fill_int_urb(gtco->urbinfo, gtco->usbdev,