linux-stable.git/drivers/input/misc/powermate.c, branch v4.14.331 Linux kernel stable tree Input: powermate - fix use-after-free in powermate_config_complete 2023-10-25T09:13:30+00:00 Javier Carrasco javier.carrasco.cruz@gmail.com 2023-10-14T03:11:33+00:00 8677575c4f39d65bf0d719b5d20e8042e550ccb9 commit 5c15c60e7be615f05a45cd905093a54b11f461bc upstream. syzbot has found a use-after-free bug [1] in the powermate driver. This happens when the device is disconnected, which leads to a memory free from the powermate_device struct. When an asynchronous control message completes after the kfree and its callback is invoked, the lock does not exist anymore and hence the bug. Use usb_kill_urb() on pm->config to cancel any in-progress requests upon device disconnection. [1] https://syzkaller.appspot.com/bug?extid=0434ac83f907a1dbdd1e Signed-off-by: Javier Carrasco <javier.carrasco.cruz@gmail.com> Reported-by: syzbot+0434ac83f907a1dbdd1e@syzkaller.appspotmail.com Link: https://lore.kernel.org/r/20230916-topic-powermate_use_after_free-v3-1-64412b81a7a2@gmail.com Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
commit 5c15c60e7be615f05a45cd905093a54b11f461bc upstream.

syzbot has found a use-after-free bug [1] in the powermate driver. This
happens when the device is disconnected, which leads to a memory free from
the powermate_device struct.  When an asynchronous control message
completes after the kfree and its callback is invoked, the lock does not
exist anymore and hence the bug.

Use usb_kill_urb() on pm->config to cancel any in-progress requests upon
device disconnection.

[1] https://syzkaller.appspot.com/bug?extid=0434ac83f907a1dbdd1e

Signed-off-by: Javier Carrasco <javier.carrasco.cruz@gmail.com>
Reported-by: syzbot+0434ac83f907a1dbdd1e@syzkaller.appspotmail.com
Link: https://lore.kernel.org/r/20230916-topic-powermate_use_after_free-v3-1-64412b81a7a2@gmail.com
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Input: powermate - constify usb_device_id and fix space before '[' error 2017-08-08T03:10:18+00:00 Arvind Yadav arvind.yadav.cs@gmail.com 2017-08-08T02:44:10+00:00 81c3d81c9404855f072eb4e5a2764f06c243d338 usb_device_id are not supposed to change at runtime. All functions working with usb_device_id provided by <linux/usb.h> work with const usb_device_id. So mark the non-const structs as const. Fix checkpatch.pl error: ERROR: space prohibited before open square bracket '['. Signed-off-by: Arvind Yadav <arvind.yadav.cs@gmail.com> Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> 
usb_device_id are not supposed to change at runtime. All functions
working with usb_device_id provided by <linux/usb.h> work with
const usb_device_id. So mark the non-const structs as const.

Fix checkpatch.pl error:
ERROR: space prohibited before open square bracket '['.

Signed-off-by: Arvind Yadav <arvind.yadav.cs@gmail.com>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
 Input: powermate - fix oops with malicious USB descriptors 2016-03-14T16:36:49+00:00 Josh Boyer jwboyer@fedoraproject.org 2016-03-14T16:33:40+00:00 9c6ba456711687b794dcf285856fc14e2c76074f The powermate driver expects at least one valid USB endpoint in its probe function. If given malicious descriptors that specify 0 for the number of endpoints, it will crash. Validate the number of endpoints on the interface before using them. The full report for this issue can be found here: http://seclists.org/bugtraq/2016/Mar/85 Reported-by: Ralf Spenneberg <ralf@spenneberg.net> Cc: stable <stable@vger.kernel.org> Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org> Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> 
The powermate driver expects at least one valid USB endpoint in its
probe function.  If given malicious descriptors that specify 0 for
the number of endpoints, it will crash.  Validate the number of
endpoints on the interface before using them.

The full report for this issue can be found here:
http://seclists.org/bugtraq/2016/Mar/85

Reported-by: Ralf Spenneberg <ralf@spenneberg.net>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
 Input: delete non-required instances of include <linux/init.h> 2014-01-07T07:23:57+00:00 Paul Gortmaker paul.gortmaker@windriver.com 2014-01-06T18:27:05+00:00 bf9a9f8e5105b13cea954b254008f383ed0b4045 None of these files are actually using any __init type directives and hence don't need to include <linux/init.h>. Most are just a left over from __devinit and __cpuinit removal, or simply due to code getting copied from one driver to the next. Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> 
None of these files are actually using any __init type directives
and hence don't need to include <linux/init.h>.  Most are just a
left over from __devinit and __cpuinit removal, or simply due to
code getting copied from one driver to the next.

Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
USB: input: powermate.c: fix up dev_* messages 2012-05-04T22:33:00+00:00 Greg Kroah-Hartman gregkh@linuxfoundation.org 2012-05-04T22:33:00+00:00 c25e647836cd53f2da7ceff6fabf2603b4362212 Previously I had made the struct device point to the input device, but after talking with Dmitry, he said that the USB device would make more sense for this driver to point to. So converted it to use that instead. CC: Dmitry Torokhov <dmitry.torokhov@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
Previously I had made the struct device point to the input device, but
after talking with Dmitry, he said that the USB device would make more
sense for this driver to point to.  So converted it to use that instead.

CC: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
USB: powermate.c: remove dbg() usage 2012-05-02T04:33:03+00:00 Greg Kroah-Hartman gregkh@linuxfoundation.org 2012-05-02T04:33:03+00:00 8b0725c0593871106d24ed94e7a14cf2316cb21d dbg() was a very old USB-specific macro that should no longer be used. This patch removes it from being used in the driver and uses dev_dbg() instead. CC: Dmitry Torokhov <dmitry.torokhov@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
dbg() was a very old USB-specific macro that should no longer
be used. This patch removes it from being used in the driver
and uses dev_dbg() instead.

CC: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
USB: input: powermate.c: fix up dev_err() usage 2012-05-02T00:56:45+00:00 Greg Kroah-Hartman gregkh@linuxfoundation.org 2012-05-02T00:56:45+00:00 6b37dbba5d5f4e167eb5ca57e43c1bd49a696831 We should always reference the input device for dev_err(), not the USB device. Fix up the places where I got this wrong. Reported-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
We should always reference the input device for dev_err(), not the USB
device.  Fix up the places where I got this wrong.

Reported-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
USB: powermate.c: remove err() usage 2012-04-25T21:48:30+00:00 Greg Kroah-Hartman gregkh@linuxfoundation.org 2012-04-25T21:48:30+00:00 2385f3c3c757b6ffb766c320df4a7f7a45593f24 err() was a very old USB-specific macro that I thought had gone away. This patch removes it from being used in the driver and uses dev_err() instead. CC: Dmitry Torokhov <dmitry.torokhov@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
err() was a very old USB-specific macro that I thought had
gone away.  This patch removes it from being used in the
driver and uses dev_err() instead.

CC: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
USB: convert drivers/input/* to use module_usb_driver() 2011-11-18T17:48:31+00:00 Greg Kroah-Hartman gregkh@suse.de 2011-11-18T17:48:31+00:00 08642e7c52cf43616821520828e504bc717e54a6 This converts the drivers in drivers/input/* to use the module_usb_driver() macro which makes the code smaller and a bit simpler. Added bonus is that it removes some unneeded kernel log messages about drivers loading and/or unloading. Cc: Dmitry Torokhov <dmitry.torokhov@gmail.com> Cc: Ville Syrjala <syrjala@sci.fi> Cc: Henk Vergonet <Henk.Vergonet@gmail.com> Cc: Alessandro Rubini <rubini@ipvvis.unipv.it> Cc: Henrik Rydberg <rydberg@euromail.se> Cc: "Magnus Hörlin" <magnus@alefors.se> Cc: Chris Moeller <kode54@gmail.c> Cc: Christoph Fritz <chf.fritz@googlemail.com> Cc: Lucas De Marchi <lucas.demarchi@profusion.mobi> Cc: Jesper Juhl <jj@chaosbits.net> Cc: Edwin van Vliet <edwin@cheatah.nl> Cc: Ping Cheng <pingc@wacom.com> Cc: Eduard Hasenleithner <eduard@hasenleithner.at> Cc: Alexander Strakh <strakh@ispras.ru> Cc: Glenn Sommer <gsommer@datanordisk.dk> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> 
This converts the drivers in drivers/input/* to use the
module_usb_driver() macro which makes the code smaller and a bit
simpler.

Added bonus is that it removes some unneeded kernel log messages about
drivers loading and/or unloading.

Cc: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Cc: Ville Syrjala <syrjala@sci.fi>
Cc: Henk Vergonet <Henk.Vergonet@gmail.com>
Cc: Alessandro Rubini <rubini@ipvvis.unipv.it>
Cc: Henrik Rydberg <rydberg@euromail.se>
Cc: "Magnus Hörlin" <magnus@alefors.se>
Cc: Chris Moeller <kode54@gmail.c>
Cc: Christoph Fritz <chf.fritz@googlemail.com>
Cc: Lucas De Marchi <lucas.demarchi@profusion.mobi>
Cc: Jesper Juhl <jj@chaosbits.net>
Cc: Edwin van Vliet <edwin@cheatah.nl>
Cc: Ping Cheng <pingc@wacom.com>
Cc: Eduard Hasenleithner <eduard@hasenleithner.at>
Cc: Alexander Strakh <strakh@ispras.ru>
Cc: Glenn Sommer <gsommer@datanordisk.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Input: return -ENOMEM in select drivers when memory allocation fails 2010-10-13T14:49:23+00:00 Davidlohr Bueso dave@gnu.org 2010-09-30T01:53:35+00:00 6792cbbb254712a8c0fa8a4c97c8d521c7c41c28 Instead of using -1 let's start using proper error codes. Signed-off-by: Davidlohr Bueso <dave@gnu.org> Signed-off-by: Dmitry Torokhov <dtor@mail.ru> 
Instead of using -1 let's start using proper error codes.

Signed-off-by: Davidlohr Bueso <dave@gnu.org>
Signed-off-by: Dmitry Torokhov <dtor@mail.ru>