Drop the second, redundant reinitialisation of the endpoint-descriptor
pointer from probe.
Signed-off-by: Johan Hovold <johan@kernel.org>
Acked-by: Vladis Dronov <vdronov@redhat.com>
Link: https://lore.kernel.org/r/20191210113737.4016-7-johan@kernel.org
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Make sure to use the current altsetting when printing size of any extra
descriptors of the interface.
Also fix the s/endpoint/interface/ mixup in the message itself.
Signed-off-by: Johan Hovold <johan@kernel.org>
Acked-by: Vladis Dronov <vdronov@redhat.com>
Link: https://lore.kernel.org/r/20191210113737.4016-6-johan@kernel.org
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
The driver was checking the number of endpoints of the first alternate
setting instead of the current one, something which could lead to the
driver binding to an invalid interface.
This in turn could cause the driver to misbehave or trigger a WARN() in
usb_submit_urb() that kernels with panic_on_warn set would choke on.
Fixes: 162f98dea4 ("Input: gtco - fix crash on detecting device without endpoints")
Signed-off-by: Johan Hovold <johan@kernel.org>
Acked-by: Vladis Dronov <vdronov@redhat.com>
Link: https://lore.kernel.org/r/20191210113737.4016-5-johan@kernel.org
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
The GTCO tablet input driver configures itself from an HID report sent
via USB during the initial enumeration process. Some debugging messages
are generated during the parsing. A debugging message indentation
counter is not bounds checked, leading to the ability for a specially
crafted HID report to cause '-' and null bytes be written past the end
of the indentation array. As long as the kernel has CONFIG_DYNAMIC_DEBUG
enabled, this code will not be optimized out. This was discovered
during code review after a previous syzkaller bug was found in this
driver.
Signed-off-by: Grant Hernandez <granthernandez@google.com>
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
parse_hid_report_descriptor() has a while (i < length) loop, which
only guarantees that there's at least 1 byte in the buffer, but the
loop body can read multiple bytes which causes out-of-bounds access.
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Reviewed-by: Andrey Konovalov <andreyknvl@google.com>
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
This was entirely automated, using the script by Al:
PATT='^[[:blank:]]*#[[:blank:]]*include[[:blank:]]*<asm/uaccess.h>'
sed -i -e "s!$PATT!#include <linux/uaccess.h>!" \
$(git grep -l "$PATT"|grep -v ^include/linux/uaccess.h)
to do the replacement at the end of the merge window.
Requested-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
The device can now easily be derived from the interface.
Stop leaving a private copy.
Signed-off-by: Oliver Neukum <oneukum@suse.com>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
The gtco driver expects at least one valid endpoint. If given malicious
descriptors that specify 0 for the number of endpoints, it will crash in
the probe function. Ensure there is at least one endpoint on the interface
before using it.
Also let's fix a minor coding style issue.
The full correct report of this issue can be found in the public
Red Hat Bugzilla:
https://bugzilla.redhat.com/show_bug.cgi?id=1283385
Reported-by: Ralf Spenneberg <ralf@spenneberg.net>
Signed-off-by: Vladis Dronov <vdronov@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
There is usb_get_dev() in gtco_probe(), but there is no usb_put_dev()
anywhere in the driver.
As pointed out by Dmitry Torokhov:
The lifetime of gtco structure is already directly tied to lifetime of
usb_dev: when destroying usb_dev driver core will call remove() function
of currently bound driver (in our case gtco) which will destroy gtco
memory. Taking additional reference is not needed here.
Found by Linux Driver Verification project (linuxtesting.org).
Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
None of these files are actually using any __init type directives
and hence don't need to include <linux/init.h>. Most are just a
left over from __devinit and __cpuinit removal, or simply due to
code getting copied from one driver to the next.
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Previously I had made the struct device point to the input device, but
after talking with Dmitry, he said that the USB device would make more
sense for this driver to point to. So converted it to use that instead.
CC: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
dbg() was a very old USB-specific macro that should no longer
be used. This patch removes it from being used in the driver
and uses dev_dbg() instead.
CC: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
We should always reference the input device for dev_err(), not the USB
device. Fix up the places where I got this wrong.
Reported-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
err() was a very old USB-specific macro that I thought had
gone away. This patch removes it from being used in the
driver and uses dev_err() instead.
CC: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This converts the drivers in drivers/input/* to use the
module_usb_driver() macro which makes the code smaller and a bit
simpler.
Added bonus is that it removes some unneeded kernel log messages about
drivers loading and/or unloading.
Cc: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Cc: Ville Syrjala <syrjala@sci.fi>
Cc: Henk Vergonet <Henk.Vergonet@gmail.com>
Cc: Alessandro Rubini <rubini@ipvvis.unipv.it>
Cc: Henrik Rydberg <rydberg@euromail.se>
Cc: "Magnus Hörlin" <magnus@alefors.se>
Cc: Chris Moeller <kode54@gmail.c>
Cc: Christoph Fritz <chf.fritz@googlemail.com>
Cc: Lucas De Marchi <lucas.demarchi@profusion.mobi>
Cc: Jesper Juhl <jj@chaosbits.net>
Cc: Edwin van Vliet <edwin@cheatah.nl>
Cc: Ping Cheng <pingc@wacom.com>
Cc: Eduard Hasenleithner <eduard@hasenleithner.at>
Cc: Alexander Strakh <strakh@ispras.ru>
Cc: Glenn Sommer <gsommer@datanordisk.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
For more clearance what the functions actually do,
usb_buffer_alloc() is renamed to usb_alloc_coherent()
usb_buffer_free() is renamed to usb_free_coherent()
They should only be used in code which really needs DMA coherency.
All call sites have been changed accordingly, except for staging
drivers.
Signed-off-by: Daniel Mack <daniel@caiaq.de>
Cc: Alan Stern <stern@rowland.harvard.edu>
Cc: Pedro Ribeiro <pedrib@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
The id_table field of the struct usb_device_id is constant in <linux/usb.h>
so it makes sense to mark the initialization data also constant.
Signed-off-by: Márton Németh <nm127@freemail.hu>
Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
Use usb_endpoint_xfer_int(epd) instead of open-conding the check.
Signed-off-by: Julia Lawall <julia@diku.dk>
Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
USB should not be having it's own printk macros, so remove info() and
use the system-wide standard of dev_info() wherever possible.
Acked-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
If a driver dies not use LINUX_VERSION_CODE nor KERNEL_VERSION
then it does not need to include version.h
Signed-off-by: Huang Weiyi <weiyi.huang@gmail.com>
Acked-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
There seems to be no reason why this error case should do less
cleaning up than the other adjacent ones, so the goto, which is
currently dead code, seems to be what is intended.
Signed-off-by: Julia Lawall <julia@diku.dk>
Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
The code would try to free 'report' twice upon input_register_device()
failure.
Reported-by: Julia Lawall <julia@diku.dk>
Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
get rid of input BIT* duplicate defines
use newly global defined macros for input layer. Also remove includes of
input.h from non-input sources only for BIT macro definiton. Define the
macro temporarily in local manner, all those local definitons will be
removed further in this patchset (to not break bisecting).
BIT macro will be globally defined (1<<x)
Signed-off-by: Jiri Slaby <jirislaby@gmail.com>
Cc: <dtor@mail.ru>
Acked-by: Jiri Kosina <jkosina@suse.cz>
Cc: <lenb@kernel.org>
Acked-by: Marcel Holtmann <marcel@holtmann.org>
Cc: <perex@suse.cz>
Acked-by: Mauro Carvalho Chehab <mchehab@infradead.org>
Cc: <vernux@us.ibm.com>
Cc: <malattia@linux.it>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
This will allow concentrating all input devices in one place
in {menu|x|q}config.
Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
Acked-by: Greg Kroah-Hartman <gregkh@suse.de>
Johan Hovold