Received: by 2002:a6b:500f:0:0:0:0:0 with SMTP id e15csp4637812iob; Sun, 8 May 2022 20:09:39 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxnWc1KMZEQEQGrc/zFnf/D1QQ0zegYAzgvYCRtJlwqMzbC4DH+lnlSmx/uOjJ9Bw1tgwrM X-Received: by 2002:a05:6a00:1a49:b0:510:a1d9:7d73 with SMTP id h9-20020a056a001a4900b00510a1d97d73mr4498006pfv.53.1652065779485; Sun, 08 May 2022 20:09:39 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1652065779; cv=none; d=google.com; s=arc-20160816; b=QjAtZdkFHcheJlTl4PsawaRTycIIdWT/vK4vbTk9AOH1mYKHZOKq1of4cSrvMnNtQe HfBD6/6rfhNMiA/mR0GcLVbXCbeJNcrjL3p06Pz32FLJkS99XTDEVOSssU0Vn7jbUr90 l97BZEjjzmnn1Pq7JZDzZVbJpDpOqTCCvw1pUiV97ZF6YPYy6wJ/Zl8UjCfjVdsvu3JL jI5OShdMnziiY51pp6fTvQtVTAkV4ej1wZn+ow+4Bdch5GKK9SgW6KKDZ1cqoqqZF8lB NahC2XjYUybiAALqF7Hv1SPKnHyTkp9IUY33zlQCYp13FvXQfKMNdLiF7Dr/+fUynA2l zxiw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=rNowNYNn9ne7NeU36o6vTv3ohKD4ZVECHoyCD2VXnnw=; b=DVdUcsdfUb8iAN7Q7ogfLZ9m4KC8o3MpCPnnmONSjyAvdaHCOs+qPuvVrGX4Ha8ZEB RMVpJEVW4AcnWoiWSpOUrtUCC41Xz1mU9vRuu5hnn5IdtvLNMkO/2gOnLnexCOiVcn/e nmAcJ/xekPIZY2+PWiRiEY8TRqsn+pdkroiLhZlUnrRWmRjmF8yNyMRHo8PG8VJ4vaq+ aQ/u4vRGOsqSzRlUQ4rM9bs2hWpSST7AiwHbEShgY8dJLNFJxc4G/fkdp095U+ent0tB 5e7fvEOo5URdjPvUCwlEuzZSRL8mPSnp1Vn+2jg6HxG+ld8moJ6hlWLKFaROB2uvDjg5 2fwg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=JyUluXrL; spf=softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [23.128.96.19]) by mx.google.com with ESMTPS id c20-20020a6566d4000000b003816043f0dasi14803909pgw.719.2022.05.08.20.09.39 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 08 May 2022 20:09:39 -0700 (PDT) Received-SPF: softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) client-ip=23.128.96.19; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=JyUluXrL; spf=softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id D48B48E1B4; Sun, 8 May 2022 20:09:26 -0700 (PDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1357570AbiEDRbw (ORCPT + 99 others); Wed, 4 May 2022 13:31:52 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40792 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1356926AbiEDRJt (ORCPT ); Wed, 4 May 2022 13:09:49 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 4E7F94738D; Wed, 4 May 2022 09:56:28 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id DEA72617A6; Wed, 4 May 2022 16:56:27 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 28DC5C385AA; Wed, 4 May 2022 16:56:27 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1651683387; bh=2AHMO1rt09lcgtSq7YM7IIDJOOXaAVwLycWd1FnTCxA=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=JyUluXrLQfaVwneNAFkOfb/ATq/40wEBpIsLny+ZNk84Htqv6FBJAxayNeXA89z6t Z7gy4280Iu7rtkdZSypTCV8G9JEav3VQEYBorJdU/zbCES/jmkdBMco/7GBVmz91dM Ku2EVgBivokv6gt+VWMJXmj6k1u01M3+M4Nk4scc= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Pavel Skripkin , Helge Deller , Sasha Levin , syzbot+53ce4a4246d0fe0fee34@syzkaller.appspotmail.com Subject: [PATCH 5.17 059/225] video: fbdev: udlfb: properly check endpoint type Date: Wed, 4 May 2022 18:44:57 +0200 Message-Id: <20220504153115.436114773@linuxfoundation.org> X-Mailer: git-send-email 2.36.0 In-Reply-To: <20220504153110.096069935@linuxfoundation.org> References: <20220504153110.096069935@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,RDNS_NONE,SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Pavel Skripkin [ Upstream commit aaf7dbe07385e0b8deb7237eca2a79926bbc7091 ] syzbot reported warning in usb_submit_urb, which is caused by wrong endpoint type. This driver uses out bulk endpoint for communication, so let's check if this endpoint is present and bail out early if not. Fail log: usb 1-1: BOGUS urb xfer, pipe 3 != type 1 WARNING: CPU: 0 PID: 4822 at drivers/usb/core/urb.c:493 usb_submit_urb+0xd27/0x1540 drivers/usb/core/urb.c:493 Modules linked in: CPU: 0 PID: 4822 Comm: kworker/0:3 Tainted: G W 5.13.0-syzkaller #0 ... Workqueue: usb_hub_wq hub_event RIP: 0010:usb_submit_urb+0xd27/0x1540 drivers/usb/core/urb.c:493 ... Call Trace: dlfb_submit_urb+0x89/0x160 drivers/video/fbdev/udlfb.c:1969 dlfb_set_video_mode+0x21f0/0x2950 drivers/video/fbdev/udlfb.c:315 dlfb_ops_set_par+0x2a3/0x840 drivers/video/fbdev/udlfb.c:1110 dlfb_usb_probe.cold+0x113e/0x1f4a drivers/video/fbdev/udlfb.c:1732 usb_probe_interface+0x315/0x7f0 drivers/usb/core/driver.c:396 Fixes: 88e58b1a42f8 ("Staging: add udlfb driver") Reported-and-tested-by: syzbot+53ce4a4246d0fe0fee34@syzkaller.appspotmail.com Signed-off-by: Pavel Skripkin Signed-off-by: Helge Deller Signed-off-by: Sasha Levin --- drivers/video/fbdev/udlfb.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/drivers/video/fbdev/udlfb.c b/drivers/video/fbdev/udlfb.c index 90f48b71fd8f..d9eec1b60e66 100644 --- a/drivers/video/fbdev/udlfb.c +++ b/drivers/video/fbdev/udlfb.c @@ -1649,8 +1649,9 @@ static int dlfb_usb_probe(struct usb_interface *intf, const struct device_attribute *attr; struct dlfb_data *dlfb; struct fb_info *info; - int retval = -ENOMEM; + int retval; struct usb_device *usbdev = interface_to_usbdev(intf); + struct usb_endpoint_descriptor *out; /* usb initialization */ dlfb = kzalloc(sizeof(*dlfb), GFP_KERNEL); @@ -1664,6 +1665,12 @@ static int dlfb_usb_probe(struct usb_interface *intf, dlfb->udev = usb_get_dev(usbdev); usb_set_intfdata(intf, dlfb); + retval = usb_find_common_endpoints(intf->cur_altsetting, NULL, &out, NULL, NULL); + if (retval) { + dev_err(&intf->dev, "Device should have at lease 1 bulk endpoint!\n"); + goto error; + } + dev_dbg(&intf->dev, "console enable=%d\n", console); dev_dbg(&intf->dev, "fb_defio enable=%d\n", fb_defio); dev_dbg(&intf->dev, "shadow enable=%d\n", shadow); @@ -1673,6 +1680,7 @@ static int dlfb_usb_probe(struct usb_interface *intf, if (!dlfb_parse_vendor_descriptor(dlfb, intf)) { dev_err(&intf->dev, "firmware not recognized, incompatible device?\n"); + retval = -ENODEV; goto error; } @@ -1686,8 +1694,10 @@ static int dlfb_usb_probe(struct usb_interface *intf, /* allocates framebuffer driver structure, not framebuffer memory */ info = framebuffer_alloc(0, &dlfb->udev->dev); - if (!info) + if (!info) { + retval = -ENOMEM; goto error; + } dlfb->info = info; info->par = dlfb; -- 2.35.1