Linux Kernel https://git.stealer.net/cgit.cgi/user/sven/linux.git/atom?h=v5.10.249 2025-12-06T21:08:22Z 2025-12-06T21:08:22Z Seungjin Bae eeodqql09@gmail.com 2025-11-24T18:57:18Z urn:sha1:36bc92b838ff72f62f2c17751a9013b29ead2513 [ Upstream commit 69aeb507312306f73495598a055293fa749d454e ] In the pegasus_notetaker driver, the pegasus_probe() function allocates the URB transfer buffer using the wMaxPacketSize value from the endpoint descriptor. An attacker can use a malicious USB descriptor to force the allocation of a very small buffer. Subsequently, if the device sends an interrupt packet with a specific pattern (e.g., where the first byte is 0x80 or 0x42), the pegasus_parse_packet() function parses the packet without checking the allocated buffer size. This leads to an out-of-bounds memory access. Fixes: 1afca2b66aac ("Input: add Pegasus Notetaker tablet driver") Signed-off-by: Seungjin Bae <eeodqql09@gmail.com> Link: https://lore.kernel.org/r/20251007214131.3737115-2-eeodqql09@gmail.com Cc: stable@vger.kernel.org Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> Signed-off-by: Sasha Levin <sashal@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2025-12-06T21:08:22Z Vincent Mailhol mailhol.vincent@wanadoo.fr 2025-11-24T18:57:17Z urn:sha1:0032d1cb75f7e3d73726015cbd1e7a5ab9b7d727 [ Upstream commit 948bf187694fc1f4c20cf972fa18b1a6fb3d7603 ] The third argument of usb_maxpacket(): in_out has been deprecated because it could be derived from the second argument (e.g. using usb_pipeout(pipe)). N.B. function usb_maxpacket() was made variadic to accommodate the transition from the old prototype with three arguments to the new one with only two arguments (so that no renaming is needed). The variadic argument is to be removed once all users of usb_maxpacket() get migrated. CC: Ville Syrjala <syrjala@sci.fi> CC: Dmitry Torokhov <dmitry.torokhov@gmail.com> CC: Henk Vergonet <Henk.Vergonet@gmail.com> Signed-off-by: Vincent Mailhol <mailhol.vincent@wanadoo.fr> Link: https://lore.kernel.org/r/20220317035514.6378-4-mailhol.vincent@wanadoo.fr Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Stable-dep-of: 69aeb5073123 ("Input: pegasus-notetaker - fix potential out-of-bounds access") Signed-off-by: Sasha Levin <sashal@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2022-03-23T08:13:29Z Pavel Skripkin paskripkin@gmail.com 2022-03-14T05:56:32Z urn:sha1:f0d43d22d24182b94d7eb78a2bf6ae7e2b33204a commit 5600f6986628dde8881734090588474f54a540a8 upstream. Syzbot reported warning in usb_submit_urb() which is caused by wrong endpoint type. There was a check for the number of endpoints, but not for the type of endpoint. Fix it by replacing old desc.bNumEndpoints check with usb_find_common_endpoints() helper for finding endpoints Fail log: usb 5-1: BOGUS urb xfer, pipe 1 != type 3 WARNING: CPU: 2 PID: 48 at drivers/usb/core/urb.c:502 usb_submit_urb+0xed2/0x18a0 drivers/usb/core/urb.c:502 Modules linked in: CPU: 2 PID: 48 Comm: kworker/2:2 Not tainted 5.17.0-rc6-syzkaller-00226-g07ebd38a0da2 #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014 Workqueue: usb_hub_wq hub_event ... Call Trace: <TASK> aiptek_open+0xd5/0x130 drivers/input/tablet/aiptek.c:830 input_open_device+0x1bb/0x320 drivers/input/input.c:629 kbd_connect+0xfe/0x160 drivers/tty/vt/keyboard.c:1593 Fixes: 8e20cf2bce12 ("Input: aiptek - fix crash on detecting device without endpoints") Reported-and-tested-by: syzbot+75cccf2b7da87fb6f84b@syzkaller.appspotmail.com Signed-off-by: Pavel Skripkin <paskripkin@gmail.com> Link: https://lore.kernel.org/r/20220308194328.26220-1-paskripkin@gmail.com Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2020-08-23T22:36:59Z Gustavo A. R. Silva gustavoars@kernel.org 2020-08-23T22:36:59Z urn:sha1:df561f6688fef775baa341a0f5d960becd248b11 Replace the existing /* fall through */ comments and its variants with the new pseudo-keyword macro fallthrough[1]. Also, remove unnecessary fall-through markings when it is the case. [1] https://www.kernel.org/doc/html/v5.7/process/deprecated.html?highlight=fallthrough#implicit-switch-case-fall-through Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org> 2020-07-07T18:25:54Z Gustavo A. R. Silva gustavoars@kernel.org 2020-07-07T18:24:55Z urn:sha1:6f49c4f5b95b9ac8ead1ec39066489fb10fcbde8 Replace the existing /* fall through */ comments and its variants with the new pseudo-keyword macro fallthrough[1]. Also, remove unnecessary fall-through markings when it is the case. [1] https://www.kernel.org/doc/html/latest/process/deprecated.html?highlight=fallthrough#implicit-switch-case-fall-through Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org> Link: https://lore.kernel.org/r/20200707180857.GA30600@embeddedor Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> 2020-01-10T22:43:00Z Johan Hovold johan@kernel.org 2020-01-10T20:01:07Z urn:sha1:cea7991144754044c540bf9f974550ea5fec500c Drop the second, redundant reinitialisation of the endpoint-descriptor pointer from probe. Signed-off-by: Johan Hovold <johan@kernel.org> Acked-by: Vladis Dronov <vdronov@redhat.com> Link: https://lore.kernel.org/r/20191210113737.4016-7-johan@kernel.org Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> 2020-01-10T22:42:58Z Johan Hovold johan@kernel.org 2020-01-10T20:00:41Z urn:sha1:3563c629fb9a29b08df53747217b89444f4cd32b Make sure to use the current altsetting when printing size of any extra descriptors of the interface. Also fix the s/endpoint/interface/ mixup in the message itself. Signed-off-by: Johan Hovold <johan@kernel.org> Acked-by: Vladis Dronov <vdronov@redhat.com> Link: https://lore.kernel.org/r/20191210113737.4016-6-johan@kernel.org Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> 2020-01-10T22:42:57Z Johan Hovold johan@kernel.org 2020-01-10T20:00:18Z urn:sha1:a8eeb74df5a6bdb214b2b581b14782c5f5a0cf83 The driver was checking the number of endpoints of the first alternate setting instead of the current one, something which could lead to the driver binding to an invalid interface. This in turn could cause the driver to misbehave or trigger a WARN() in usb_submit_urb() that kernels with panic_on_warn set would choke on. Fixes: 162f98dea487 ("Input: gtco - fix crash on detecting device without endpoints") Signed-off-by: Johan Hovold <johan@kernel.org> Acked-by: Vladis Dronov <vdronov@redhat.com> Link: https://lore.kernel.org/r/20191210113737.4016-5-johan@kernel.org Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> 2020-01-10T22:42:56Z Johan Hovold johan@kernel.org 2020-01-10T19:59:52Z urn:sha1:cfa4f6a99fb183742cace65ec551b444852b8ef6 Make sure to always use the descriptors of the current alternate setting to avoid future issues when accessing fields that may differ between settings. Signed-off-by: Johan Hovold <johan@kernel.org> Acked-by: Vladis Dronov <vdronov@redhat.com> Link: https://lore.kernel.org/r/20191210113737.4016-4-johan@kernel.org Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> 2020-01-10T22:42:54Z Johan Hovold johan@kernel.org 2020-01-10T19:59:32Z urn:sha1:3111491fca4f01764e0c158c5e0f7ced808eef51 The driver was checking the number of endpoints of the first alternate setting instead of the current one, something which could lead to the driver binding to an invalid interface. This in turn could cause the driver to misbehave or trigger a WARN() in usb_submit_urb() that kernels with panic_on_warn set would choke on. Fixes: 8e20cf2bce12 ("Input: aiptek - fix crash on detecting device without endpoints") Signed-off-by: Johan Hovold <johan@kernel.org> Acked-by: Vladis Dronov <vdronov@redhat.com> Link: https://lore.kernel.org/r/20191210113737.4016-3-johan@kernel.org Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>