parse_hid_report_descriptor() has a while (i < length) loop, which
only guarantees that there's at least 1 byte in the buffer, but the
loop body can read multiple bytes which causes out-of-bounds access.
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Reviewed-by: Andrey Konovalov <andreyknvl@google.com>
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
This was entirely automated, using the script by Al:
PATT='^[[:blank:]]*#[[:blank:]]*include[[:blank:]]*<asm/uaccess.h>'
sed -i -e "s!$PATT!#include <linux/uaccess.h>!" \
$(git grep -l "$PATT"|grep -v ^include/linux/uaccess.h)
to do the replacement at the end of the merge window.
Requested-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
The device can now easily be derived from the interface.
Stop leaving a private copy.
Signed-off-by: Oliver Neukum <oneukum@suse.com>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
The gtco driver expects at least one valid endpoint. If given malicious
descriptors that specify 0 for the number of endpoints, it will crash in
the probe function. Ensure there is at least one endpoint on the interface
before using it.
Also let's fix a minor coding style issue.
The full correct report of this issue can be found in the public
Red Hat Bugzilla:
https://bugzilla.redhat.com/show_bug.cgi?id=1283385
Reported-by: Ralf Spenneberg <ralf@spenneberg.net>
Signed-off-by: Vladis Dronov <vdronov@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
There is usb_get_dev() in gtco_probe(), but there is no usb_put_dev()
anywhere in the driver.
As pointed out by Dmitry Torokhov:
The lifetime of gtco structure is already directly tied to lifetime of
usb_dev: when destroying usb_dev driver core will call remove() function
of currently bound driver (in our case gtco) which will destroy gtco
memory. Taking additional reference is not needed here.
Found by Linux Driver Verification project (linuxtesting.org).
Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
None of these files are actually using any __init type directives
and hence don't need to include <linux/init.h>. Most are just a
left over from __devinit and __cpuinit removal, or simply due to
code getting copied from one driver to the next.
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Previously I had made the struct device point to the input device, but
after talking with Dmitry, he said that the USB device would make more
sense for this driver to point to. So converted it to use that instead.
CC: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
dbg() was a very old USB-specific macro that should no longer
be used. This patch removes it from being used in the driver
and uses dev_dbg() instead.
CC: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
We should always reference the input device for dev_err(), not the USB
device. Fix up the places where I got this wrong.
Reported-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
err() was a very old USB-specific macro that I thought had
gone away. This patch removes it from being used in the
driver and uses dev_err() instead.
CC: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This converts the drivers in drivers/input/* to use the
module_usb_driver() macro which makes the code smaller and a bit
simpler.
Added bonus is that it removes some unneeded kernel log messages about
drivers loading and/or unloading.
Cc: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Cc: Ville Syrjala <syrjala@sci.fi>
Cc: Henk Vergonet <Henk.Vergonet@gmail.com>
Cc: Alessandro Rubini <rubini@ipvvis.unipv.it>
Cc: Henrik Rydberg <rydberg@euromail.se>
Cc: "Magnus Hörlin" <magnus@alefors.se>
Cc: Chris Moeller <kode54@gmail.c>
Cc: Christoph Fritz <chf.fritz@googlemail.com>
Cc: Lucas De Marchi <lucas.demarchi@profusion.mobi>
Cc: Jesper Juhl <jj@chaosbits.net>
Cc: Edwin van Vliet <edwin@cheatah.nl>
Cc: Ping Cheng <pingc@wacom.com>
Cc: Eduard Hasenleithner <eduard@hasenleithner.at>
Cc: Alexander Strakh <strakh@ispras.ru>
Cc: Glenn Sommer <gsommer@datanordisk.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
For more clearance what the functions actually do,
usb_buffer_alloc() is renamed to usb_alloc_coherent()
usb_buffer_free() is renamed to usb_free_coherent()
They should only be used in code which really needs DMA coherency.
All call sites have been changed accordingly, except for staging
drivers.
Signed-off-by: Daniel Mack <daniel@caiaq.de>
Cc: Alan Stern <stern@rowland.harvard.edu>
Cc: Pedro Ribeiro <pedrib@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
The id_table field of the struct usb_device_id is constant in <linux/usb.h>
so it makes sense to mark the initialization data also constant.
Signed-off-by: Márton Németh <nm127@freemail.hu>
Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
Use usb_endpoint_xfer_int(epd) instead of open-conding the check.
Signed-off-by: Julia Lawall <julia@diku.dk>
Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
USB should not be having it's own printk macros, so remove info() and
use the system-wide standard of dev_info() wherever possible.
Acked-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
If a driver dies not use LINUX_VERSION_CODE nor KERNEL_VERSION
then it does not need to include version.h
Signed-off-by: Huang Weiyi <weiyi.huang@gmail.com>
Acked-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
There seems to be no reason why this error case should do less
cleaning up than the other adjacent ones, so the goto, which is
currently dead code, seems to be what is intended.
Signed-off-by: Julia Lawall <julia@diku.dk>
Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
The code would try to free 'report' twice upon input_register_device()
failure.
Reported-by: Julia Lawall <julia@diku.dk>
Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
get rid of input BIT* duplicate defines
use newly global defined macros for input layer. Also remove includes of
input.h from non-input sources only for BIT macro definiton. Define the
macro temporarily in local manner, all those local definitons will be
removed further in this patchset (to not break bisecting).
BIT macro will be globally defined (1<<x)
Signed-off-by: Jiri Slaby <jirislaby@gmail.com>
Cc: <dtor@mail.ru>
Acked-by: Jiri Kosina <jkosina@suse.cz>
Cc: <lenb@kernel.org>
Acked-by: Marcel Holtmann <marcel@holtmann.org>
Cc: <perex@suse.cz>
Acked-by: Mauro Carvalho Chehab <mchehab@infradead.org>
Cc: <vernux@us.ibm.com>
Cc: <malattia@linux.it>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
This will allow concentrating all input devices in one place
in {menu|x|q}config.
Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
Acked-by: Greg Kroah-Hartman <gregkh@suse.de>