* [PATCH] Input: Check sanity of endpoint in pegasus_open()
@ 2022-08-29 12:39 ` Soumya Negi
0 siblings, 0 replies; 4+ messages in thread
From: Soumya Negi @ 2022-08-29 12:39 UTC (permalink / raw)
To: Dmitry Torokhov, Shuah Khan
Cc: linux-kernel-mentees, linux-kernel, linux-input
Fix WARNING in pegasus_open/usb_submit_urb
Syzbot bug: https://syzkaller.appspot.com/bug?id=bbc107584dcf3262253ce93183e51f3612aaeb13
Add sanity check of endpoint for Pegasus URB in pegasus_open() so that
transfer requests for bogus URBs are not submitted. If the URB is bogus
pegasus_open() will fail.
Reported-by: syzbot+04ee0cb4caccaed12d78@syzkaller.appspotmail.com
Signed-off-by: Soumya Negi <soumya.negi97@gmail.com>
---
drivers/input/tablet/pegasus_notetaker.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/drivers/input/tablet/pegasus_notetaker.c b/drivers/input/tablet/pegasus_notetaker.c
index c608ac505d1b..5e47882ee4c0 100644
--- a/drivers/input/tablet/pegasus_notetaker.c
+++ b/drivers/input/tablet/pegasus_notetaker.c
@@ -225,6 +225,15 @@ static int pegasus_open(struct input_dev *dev)
mutex_lock(&pegasus->pm_mutex);
pegasus->irq->dev = pegasus->usbdev;
+
+ /* Sanity check of endpoint in Pegasus URB */
+ error = usb_urb_ep_type_check(pegasus->irq);
+ if (error) {
+ dev_err(&pegasus->usbdev->dev,
+ "URB failed endpoint sanity check: %d\n", error);
+ goto err_autopm_put;
+ }
+
if (usb_submit_urb(pegasus->irq, GFP_KERNEL)) {
error = -EIO;
goto err_autopm_put;
--
2.17.1
_______________________________________________
Linux-kernel-mentees mailing list
Linux-kernel-mentees@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/linux-kernel-mentees
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [PATCH] Input: Check sanity of endpoint in pegasus_open()
@ 2022-08-29 12:39 ` Soumya Negi
0 siblings, 0 replies; 4+ messages in thread
From: Soumya Negi @ 2022-08-29 12:39 UTC (permalink / raw)
To: Dmitry Torokhov, Shuah Khan
Cc: Soumya Negi, linux-kernel-mentees, linux-input, linux-kernel
Fix WARNING in pegasus_open/usb_submit_urb
Syzbot bug: https://syzkaller.appspot.com/bug?id=bbc107584dcf3262253ce93183e51f3612aaeb13
Add sanity check of endpoint for Pegasus URB in pegasus_open() so that
transfer requests for bogus URBs are not submitted. If the URB is bogus
pegasus_open() will fail.
Reported-by: syzbot+04ee0cb4caccaed12d78@syzkaller.appspotmail.com
Signed-off-by: Soumya Negi <soumya.negi97@gmail.com>
---
drivers/input/tablet/pegasus_notetaker.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/drivers/input/tablet/pegasus_notetaker.c b/drivers/input/tablet/pegasus_notetaker.c
index c608ac505d1b..5e47882ee4c0 100644
--- a/drivers/input/tablet/pegasus_notetaker.c
+++ b/drivers/input/tablet/pegasus_notetaker.c
@@ -225,6 +225,15 @@ static int pegasus_open(struct input_dev *dev)
mutex_lock(&pegasus->pm_mutex);
pegasus->irq->dev = pegasus->usbdev;
+
+ /* Sanity check of endpoint in Pegasus URB */
+ error = usb_urb_ep_type_check(pegasus->irq);
+ if (error) {
+ dev_err(&pegasus->usbdev->dev,
+ "URB failed endpoint sanity check: %d\n", error);
+ goto err_autopm_put;
+ }
+
if (usb_submit_urb(pegasus->irq, GFP_KERNEL)) {
error = -EIO;
goto err_autopm_put;
--
2.17.1
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH] Input: Check sanity of endpoint in pegasus_open()
2022-08-29 12:39 ` Soumya Negi
@ 2022-08-29 14:51 ` Greg KH
-1 siblings, 0 replies; 4+ messages in thread
From: Greg KH @ 2022-08-29 14:51 UTC (permalink / raw)
To: Soumya Negi
Cc: Dmitry Torokhov, Shuah Khan, linux-kernel-mentees, linux-kernel,
linux-input
On Mon, Aug 29, 2022 at 05:39:59AM -0700, Soumya Negi wrote:
> Fix WARNING in pegasus_open/usb_submit_urb
> Syzbot bug: https://syzkaller.appspot.com/bug?id=bbc107584dcf3262253ce93183e51f3612aaeb13
>
> Add sanity check of endpoint for Pegasus URB in pegasus_open() so that
> transfer requests for bogus URBs are not submitted. If the URB is bogus
> pegasus_open() will fail.
>
> Reported-by: syzbot+04ee0cb4caccaed12d78@syzkaller.appspotmail.com
> Signed-off-by: Soumya Negi <soumya.negi97@gmail.com>
> ---
> drivers/input/tablet/pegasus_notetaker.c | 9 +++++++++
> 1 file changed, 9 insertions(+)
>
> diff --git a/drivers/input/tablet/pegasus_notetaker.c b/drivers/input/tablet/pegasus_notetaker.c
> index c608ac505d1b..5e47882ee4c0 100644
> --- a/drivers/input/tablet/pegasus_notetaker.c
> +++ b/drivers/input/tablet/pegasus_notetaker.c
> @@ -225,6 +225,15 @@ static int pegasus_open(struct input_dev *dev)
>
> mutex_lock(&pegasus->pm_mutex);
> pegasus->irq->dev = pegasus->usbdev;
> +
> + /* Sanity check of endpoint in Pegasus URB */
> + error = usb_urb_ep_type_check(pegasus->irq);
That is not checking for the type of the endpoint, so are you sure this
works?
And this should happen at probe time, not when the device is opened.
thanks,
greg k-h
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] Input: Check sanity of endpoint in pegasus_open()
@ 2022-08-29 14:51 ` Greg KH
0 siblings, 0 replies; 4+ messages in thread
From: Greg KH @ 2022-08-29 14:51 UTC (permalink / raw)
To: Soumya Negi
Cc: linux-input, Dmitry Torokhov, linux-kernel-mentees, linux-kernel
On Mon, Aug 29, 2022 at 05:39:59AM -0700, Soumya Negi wrote:
> Fix WARNING in pegasus_open/usb_submit_urb
> Syzbot bug: https://syzkaller.appspot.com/bug?id=bbc107584dcf3262253ce93183e51f3612aaeb13
>
> Add sanity check of endpoint for Pegasus URB in pegasus_open() so that
> transfer requests for bogus URBs are not submitted. If the URB is bogus
> pegasus_open() will fail.
>
> Reported-by: syzbot+04ee0cb4caccaed12d78@syzkaller.appspotmail.com
> Signed-off-by: Soumya Negi <soumya.negi97@gmail.com>
> ---
> drivers/input/tablet/pegasus_notetaker.c | 9 +++++++++
> 1 file changed, 9 insertions(+)
>
> diff --git a/drivers/input/tablet/pegasus_notetaker.c b/drivers/input/tablet/pegasus_notetaker.c
> index c608ac505d1b..5e47882ee4c0 100644
> --- a/drivers/input/tablet/pegasus_notetaker.c
> +++ b/drivers/input/tablet/pegasus_notetaker.c
> @@ -225,6 +225,15 @@ static int pegasus_open(struct input_dev *dev)
>
> mutex_lock(&pegasus->pm_mutex);
> pegasus->irq->dev = pegasus->usbdev;
> +
> + /* Sanity check of endpoint in Pegasus URB */
> + error = usb_urb_ep_type_check(pegasus->irq);
That is not checking for the type of the endpoint, so are you sure this
works?
And this should happen at probe time, not when the device is opened.
thanks,
greg k-h
_______________________________________________
Linux-kernel-mentees mailing list
Linux-kernel-mentees@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/linux-kernel-mentees
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2022-08-29 14:51 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-08-29 12:39 [PATCH] Input: Check sanity of endpoint in pegasus_open() Soumya Negi
2022-08-29 12:39 ` Soumya Negi
2022-08-29 14:51 ` Greg KH
2022-08-29 14:51 ` Greg KH
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.