linux-stable/drivers
Javier Carrasco 0252e359af Input: bcm5974 - check endpoint type before starting traffic
[ Upstream commit 2b9c3eb32a ]

syzbot has found a type mismatch between a USB pipe and the transfer
endpoint, which is triggered by the bcm5974 driver[1].

This driver expects the device to provide input interrupt endpoints and
if that is not the case, the driver registration should terminate.

Repros are available to reproduce this issue with a certain setup for
the dummy_hcd, leading to an interrupt/bulk mismatch which is caught in
the USB core after calling usb_submit_urb() with the following message:
"BOGUS urb xfer, pipe 1 != type 3"

Some other device drivers (like the appletouch driver bcm5974 is mainly
based on) provide some checking mechanism to make sure that an IN
interrupt endpoint is available. In this particular case the endpoint
addresses are provided by a config table, so the checking can be
targeted to the provided endpoints.

Add some basic checking to guarantee that the endpoints available match
the expected type for both the trackpad and button endpoints.

This issue was only found for the trackpad endpoint, but the checking
has been added to the button endpoint as well for the same reasons.

Given that there was never a check for the endpoint type, this bug has
been there since the first implementation of the driver (f89bd95c5c).

[1] https://syzkaller.appspot.com/bug?extid=348331f63b034f89b622

Fixes: f89bd95c5c ("Input: bcm5974 - add driver for Macbook Air and Pro Penryn touchpads")
Signed-off-by: Javier Carrasco <javier.carrasco.cruz@gmail.com>
Reported-and-tested-by: syzbot+348331f63b034f89b622@syzkaller.appspotmail.com
Link: https://lore.kernel.org/r/20231007-topic-bcm5974_bulk-v3-1-d0f38b9d2935@gmail.com
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2024-08-19 06:04:26 +02:00
accel kthread: add kthread_stop_put 2024-06-12 11:12:52 +02:00
accessibility speakup: Fix sizeof() vs ARRAY_SIZE() bug 2024-06-12 11:11:18 +02:00
acpi ACPI: SBS: manage alarm sysfs attribute through psy core 2024-08-14 13:58:42 +02:00
amba
android binder: fix hang of unregistered readers 2024-08-03 08:54:21 +02:00
ata ata: libata-scsi: Honor the D_SENSE bit for CK_COND=1 and no error 2024-08-03 08:54:15 +02:00
atm
auxdisplay auxdisplay: ht16k33: Drop reference after LED registration 2024-08-03 08:54:39 +02:00
base driver core: Fix uevent_show() vs driver detach race 2024-08-14 13:58:56 +02:00
bcma
block rbd: don't assume RBD_LOCK_STATE_LOCKED for exclusive mappings 2024-08-03 08:54:32 +02:00
bluetooth Bluetooth: btnxpuart: Shutdown timer and prevent rearming when driver unloading 2024-08-14 13:58:44 +02:00
bus
cache
cdrom cdrom: rearrange last_media_change check to avoid unintentional overflow 2024-07-11 12:49:10 +02:00
cdx
char hwrng: amd - Convert PCIBIOS_* return codes to errnos 2024-08-03 08:54:21 +02:00
clk clk: davinci: da8xx-cfgchip: Initialize clk_init_data before use 2024-08-03 08:54:23 +02:00
clocksource clocksource/drivers/sh_cmt: Address race condition for clock events 2024-08-14 13:58:41 +02:00
comedi
connector
counter counter: ti-eqep: enable clock at probe 2024-07-05 09:33:56 +02:00
cpufreq cpufreq: qcom-nvmem: fix memory leaks in probe error paths 2024-08-11 12:47:14 +02:00
cpuidle
crypto crypto: qat - extend scope of lock in adf_cfg_add_key_value_param() 2024-08-03 08:54:01 +02:00
cxl cxl/region: check interleave capability 2024-07-05 09:34:07 +02:00
dax
dca
devfreq
dio
dma dmaengine: fsl-edma: change the memory access from local into remote mode in i.MX 8QM 2024-08-11 12:47:17 +02:00
dma-buf dma-buf: handle testing kthreads creation failure 2024-06-21 14:38:40 +02:00
edac EDAC, i10nm: make skx_common.o a separate module 2024-08-03 08:53:19 +02:00
eisa
extcon extcon: max8997: select IRQ_DOMAIN instead of depending on it 2024-06-12 11:12:27 +02:00
firewire firewire: ohci: fulfill timestamp for some local asynchronous transaction 2024-05-17 12:02:30 +02:00
firmware firmware/sysfb: Update screen_info for relocated EFI framebuffers 2024-08-11 12:47:16 +02:00
fpga fpga: region: add owner module and take its refcount 2024-06-12 11:12:23 +02:00
fsi
gnss
gpio gpio: prevent potential speculation leaks in gpio_device_get_desc() 2024-08-14 13:58:40 +02:00
gpu nouveau: set placement to original placement on uvmm validate. 2024-08-14 13:59:03 +02:00
greybus greybus: Fix use-after-free bug in gb_interface_release due to race condition. 2024-06-21 14:38:48 +02:00
hid HID: wacom: Modify pen IDs 2024-08-11 12:47:24 +02:00
hsi
hte
hv
hwmon hwmon: corsair-psu: add USB id of HX1200i Series 2023 psu 2024-08-14 13:58:41 +02:00
hwspinlock
hwtracing coresight: Fix ref leak when of_coresight_parse_endpoint() fails 2024-08-03 08:53:57 +02:00
i2c i2c: qcom-geni: Add missing geni_icc_disable in geni_i2c_runtime_resume 2024-08-14 13:58:52 +02:00
i3c i3c: master: svc: fix invalidate IBI type and miss call client IBI handler 2024-06-16 13:47:46 +02:00
idle
iio iio: frequency: adrf6780: rm clk provider include 2024-08-03 08:53:56 +02:00
infiniband RDMA/iwcm: Fix a use-after-free related to destroying CM IDs 2024-08-03 08:54:30 +02:00
input Input: bcm5974 - check endpoint type before starting traffic 2024-08-19 06:04:26 +02:00
interconnect interconnect: qcom: qcm2290: Fix mas_snoc_bimc RPM master ID 2024-08-03 08:53:58 +02:00
iommu iommu: sprd: Avoid NULL deref in sprd_iommu_hw_en 2024-08-03 08:54:41 +02:00
ipack
irqchip irqchip/xilinx: Fix shift out of bounds 2024-08-14 13:58:58 +02:00
isdn mISDN: Fix a use after free in hfcmulti_tx() 2024-08-03 08:54:38 +02:00
leds leds: triggers: Flush pending brightness before activating trigger 2024-08-11 12:47:14 +02:00
macintosh macintosh/therm_windtunnel: fix module unload. 2024-08-03 08:54:02 +02:00
mailbox
mcb
md md/raid5: avoid BUG_ON() while continue reshape after reassembling 2024-08-14 13:58:41 +02:00
media media: xc2028: avoid use-after-free in load_firmware_cb() 2024-08-14 13:58:46 +02:00
memory memory: fsl_ifc: Make FSL_IFC config visible and selectable 2024-08-03 08:53:27 +02:00
memstick
message
mfd mfd: omap-usb-tll: Use struct_size to allocate tll 2024-08-03 08:53:54 +02:00
misc mei: demote client disconnect warning on suspend to debug 2024-07-25 09:50:45 +02:00
mmc mmc: sdhci: Do not lock spinlock around mmc_gpio_get_ro() 2024-07-05 09:33:55 +02:00
most
mtd ubi: eba: properly rollback inside self_check_eba 2024-08-03 08:54:23 +02:00
mux
net net: stmmac: qcom-ethqos: enable SGMII loopback during DMA reset on sa8775p-ride-r3 2024-08-14 13:58:43 +02:00
nfc nfc/nci: Add the inconsistency check between the input data length and count 2024-07-11 12:49:21 +02:00
ntb
nubus
nvdimm
nvme nvme/pci: Add APST quirk for Lenovo N60z laptop 2024-08-19 06:04:24 +02:00
nvmem nvmem: rockchip-otp: set add_legacy_fixed_of_cells config option 2024-08-03 08:54:01 +02:00
of of/irq: Disable "interrupt-map" parsing for PASEMI Nemo 2024-07-25 09:50:57 +02:00
opp OPP: ti: Fix ti_opp_supply_probe wrong return values 2024-08-03 08:53:27 +02:00
parisc
parport dev/parport: fix the array out-of-bounds risk 2024-08-03 08:54:22 +02:00
pci PCI: Add pci_get_base_class() helper 2024-08-11 12:47:15 +02:00
pcmcia
peci
perf perf: riscv: Fix selecting counters in legacy mode 2024-08-11 12:47:23 +02:00
phy phy: zynqmp: Enable reference clock correctly 2024-08-03 08:54:35 +02:00
pinctrl pinctrl: renesas: r8a779g0: Fix TPU suffixes 2024-08-03 08:54:09 +02:00
platform platform/x86/intel/ifs: Initialize union ifs_status to zero 2024-08-14 13:58:38 +02:00
pmdomain pmdomain: qcom: rpmhpd: Skip retention level for Power Domains 2024-07-18 13:21:22 +02:00
pnp
power power: supply: axp288_charger: Round constant_charge_voltage writes down 2024-08-14 13:58:58 +02:00
powercap
pps
ps3
ptp ptp: fix integer overflow in max_vclocks_store 2024-06-27 13:49:07 +02:00
pwm pwm: atmel-tcb: Fix race condition and convert to guards 2024-08-03 08:53:23 +02:00
rapidio
ras
regulator regulator: bd71815: fix ramp values 2024-06-27 13:49:09 +02:00
remoteproc remoteproc: imx_rproc: Fix refcount mistake in imx_rproc_addr_init 2024-08-03 08:54:31 +02:00
reset
rpmsg
rtc rtc: abx80x: Fix return value of nvmem callback on read 2024-08-03 08:54:29 +02:00
s390 s390/sclp: Prevent release of buffer in I/O 2024-08-14 13:58:47 +02:00
sbus
scsi scsi: mpi3mr: Avoid IOMMU page faults on REPORT ZONES 2024-08-14 13:58:55 +02:00
sh
siox
slimbus slimbus: qcom-ngd-ctrl: Add timeout for wait operation 2024-05-17 12:02:33 +02:00
soc drivers: soc: xilinx: check return status of get_api_version() 2024-08-03 08:54:18 +02:00
soundwire soundwire: cadence: fix invalid PDI offset 2024-06-12 11:12:15 +02:00
spi spi: spi-fsl-lpspi: Fix scldiv calculation 2024-08-14 13:58:52 +02:00
spmi spmi: hisi-spmi-controller: Do not override device identifier 2024-06-21 14:38:40 +02:00
ssb ssb: Fix potential NULL pointer dereference in ssb_device_uevent() 2024-06-27 13:49:01 +02:00
staging greybus: arche-ctrl: move device table to its right location 2024-06-12 11:12:17 +02:00
target
tc
tee tee: optee: ffa: Fix missing-field-initializers warning 2024-07-25 09:50:53 +02:00
thermal thermal/drivers/broadcom: Fix race between removal and clock disable 2024-08-11 12:47:12 +02:00
thunderbolt thunderbolt: debugfs: Fix margin debugfs node creation condition 2024-06-21 14:38:25 +02:00
tty serial: core: check uartclk for zero to avoid divide by zero 2024-08-14 13:58:57 +02:00
ufs scsi: ufs: core: Fix hba->last_dme_cmd_tstamp timestamp updating logic 2024-08-14 13:58:55 +02:00
uio
usb usb: gadget: u_audio: Check return codes from usb_ep_enable and config_ep_by_speed. 2024-08-14 13:58:55 +02:00
vdpa vduse: Temporarily fail if control queue feature requested 2024-07-05 09:33:50 +02:00
vfio vfio/pci: Init the count variable in collecting hot-reset devices 2024-07-18 13:21:10 +02:00
vhost vhost-vdpa: switch to use vmf_insert_pfn() in the fault handler 2024-08-14 13:58:55 +02:00
video fbdev: vesafb: Detect VGA compatibility from screen info's VESA attributes 2024-08-11 12:47:16 +02:00
virt drivers/virt/acrn: fix PFNMAP PTE checks in acrn_vm_ram_map() 2024-06-12 11:12:09 +02:00
virtio virtio: delete vq in vp_find_vqs_msix() when request_irq() fails 2024-06-12 11:12:49 +02:00
vlynq
w1
watchdog watchdog: rzg2l_wdt: Check return status of pm_runtime_put() 2024-08-03 08:54:35 +02:00
xen xen: privcmd: Switch from mutex to spinlock for irqfds 2024-08-14 13:58:42 +02:00
zorro
Kconfig
Makefile