mirror-linux/drivers
Alan Stern c8fdf7feca fbdev: udlfb: Fix endpoint check
commit ed9de4ed39 upstream.

The syzbot fuzzer detected a problem in the udlfb driver, caused by an
endpoint not having the expected type:

usb 1-1: Read EDID byte 0 failed: -71
usb 1-1: Unable to get valid EDID from device/display
------------[ cut here ]------------
usb 1-1: BOGUS urb xfer, pipe 3 != type 1
WARNING: CPU: 0 PID: 9 at drivers/usb/core/urb.c:504 usb_submit_urb+0xed6/0x1880
drivers/usb/core/urb.c:504
Modules linked in:
CPU: 0 PID: 9 Comm: kworker/0:1 Not tainted
6.4.0-rc1-syzkaller-00016-ga4422ff22142 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google
04/28/2023
Workqueue: usb_hub_wq hub_event
RIP: 0010:usb_submit_urb+0xed6/0x1880 drivers/usb/core/urb.c:504
...
Call Trace:
 <TASK>
 dlfb_submit_urb+0x92/0x180 drivers/video/fbdev/udlfb.c:1980
 dlfb_set_video_mode+0x21f0/0x2950 drivers/video/fbdev/udlfb.c:315
 dlfb_ops_set_par+0x2a7/0x8d0 drivers/video/fbdev/udlfb.c:1111
 dlfb_usb_probe+0x149a/0x2710 drivers/video/fbdev/udlfb.c:1743

The current approach for this issue failed to catch the problem
because it only checks for the existence of a bulk-OUT endpoint; it
doesn't check whether this endpoint is the one that the driver will
actually use.

We can fix the problem by instead checking that the endpoint used by
the driver does exist and is bulk-OUT.

Reported-and-tested-by: syzbot+0e22d63dcebb802b9bc8@syzkaller.appspotmail.com
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
CC: Pavel Skripkin <paskripkin@gmail.com>
Fixes: aaf7dbe073 ("video: fbdev: udlfb: properly check endpoint type")
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2023-05-30 14:03:20 +01:00
accessibility
acpi ACPI: video: Remove desktops without backlight DMI quirks 2023-05-24 17:32:36 +01:00
amba
android binder: fix UAF of alloc->vma in race with munmap() 2023-05-30 14:03:19 +01:00
ata
atm atm: idt77252: fix kmemleak when rmmod idt77252 2023-03-30 12:49:09 +02:00
auxdisplay
base platform: Provide a remove callback that returns no value 2023-05-24 17:32:43 +01:00
bcma
block nbd: fix incomplete validation of ioctl arg 2023-05-24 17:32:39 +01:00
bluetooth Bluetooth: btrtl: Add the support for RTL8851B 2023-05-24 17:32:40 +01:00
bus bus: mhi: host: Range check CHDBOFF and ERDBOFF 2023-05-11 23:03:05 +09:00
cdrom
char tpm: Prevent hwrng from activating during resume 2023-05-30 14:03:16 +01:00
clk clk: rockchip: rk3399: allow clk_cifout to force clk_cifout_src to reparent 2023-05-11 23:03:40 +09:00
clocksource clocksource/drivers/davinci: Fix memory leak in davinci_timer_register when init fails 2023-05-11 23:03:35 +09:00
comedi
connector
counter counter: 104-quad-8: Fix Synapse action reported for Index signals 2023-04-13 16:55:31 +02:00
cpufreq cpufreq: use correct unit when verify cur freq 2023-05-11 23:03:16 +09:00
cpuidle RISC-V: Align SBI probe implementation with spec 2023-05-11 23:03:04 +09:00
crypto crypto: sun8i-ss - Fix a test in sun8i_ss_setup_ivs() 2023-05-17 11:53:40 +02:00
cxl cxl/hdm: Fail upon detecting 0-sized decoders 2023-05-11 23:03:05 +09:00
dax
dca
devfreq
dio
dma dmaengine: at_xdmac: do not enable all cyclic channels 2023-05-11 23:03:37 +09:00
dma-buf
edac qcom: llcc/edac: Support polling mode for ECC handling 2023-05-17 11:53:28 +02:00
eisa
extcon
firewire
firmware irqchip/gicv3: Workaround for NVIDIA erratum T241-FABRIC-4 2023-05-24 17:32:36 +01:00
fpga fpga: bridge: fix kernel-doc parameter description 2023-05-11 23:03:27 +09:00
fsi
gnss
gpio gpio: mockup: Fix mode of debugfs files 2023-05-30 14:03:18 +01:00
gpu drm/amd/amdgpu: limit one queue per gang 2023-05-30 14:03:19 +01:00
greybus
hid HID: wacom: generic: Set battery quirk only when we see battery data 2023-05-24 17:32:41 +01:00
hsi
hte hte: tegra-194: Fix off by one in tegra_hte_map_to_line_id() 2023-05-11 23:03:38 +09:00
hv Drivers: vmbus: Check for channel allocation before looking up relids 2023-04-13 16:55:18 +02:00
hwmon hwmon: (pmbus/fsp-3y) Fix functionality bitmask in FSP-3Y YM-2151E 2023-05-11 23:03:16 +09:00
hwspinlock
hwtracing coresight: etm_pmu: Set the module field 2023-05-11 23:03:29 +09:00
i2c i2c: tegra: Fix PEC support for SMBUS block read 2023-05-17 11:53:34 +02:00
i3c
idle Revert "cpuidle, intel_idle: Fix CPUIDLE_FLAG_IRQ_ENABLE *again*" 2023-04-06 12:10:58 +02:00
iio iio: light: max44009: add missing OF device matching 2023-05-11 23:03:27 +09:00
infiniband RDMA/mlx5: Use correct device num_ports when modify DC 2023-05-11 23:03:35 +09:00
input Input: raspberrypi-ts - fix refcount leak in rpi_ts_probe 2023-05-11 23:03:35 +09:00
interconnect interconnect: qcom: rpm: drop bogus pm domain attach 2023-05-11 23:03:28 +09:00
iommu iommu/amd: Set page size bitmap during V2 domain allocation 2023-05-11 23:03:34 +09:00
ipack
irqchip irqchip/mips-gic: Use raw spinlock for gic_lock 2023-05-30 14:03:20 +01:00
isdn
leds leds: tca6507: Fix error handling of using fwnode_property_read_string 2023-05-11 23:03:36 +09:00
macintosh macintosh: via-pmu-led: requires ATA to be set 2023-05-11 23:03:31 +09:00
mailbox mailbox: zynqmp: Fix counts of child nodes 2023-05-17 11:53:28 +02:00
mcb mcb-pci: Reallocate memory region to avoid memory overlapping 2023-05-24 17:32:41 +01:00
md md: fix soft lockup in status_resync 2023-05-24 17:32:38 +01:00
media media: netup_unidvb: fix use-after-free at del_timer() 2023-05-24 17:32:45 +01:00
memory memory: tegra30-emc: fix interconnect registration race 2023-03-22 13:33:56 +01:00
memstick memstick: r592: Fix UAF bug in r592_remove due to race condition 2023-05-24 17:32:35 +01:00
message scsi: message: mptlan: Fix use after free bug in mptlan_remove() due to race condition 2023-05-24 17:32:37 +01:00
mfd mfd: intel-lpss: Add Intel Meteor Lake PCH-S LPSS PCI IDs 2023-05-24 17:32:42 +01:00
misc lkdtm/stackleak: Fix noinstr violation 2023-05-24 17:32:41 +01:00
mmc mmc: block: ensure error propagation for non-blk 2023-05-30 14:03:17 +01:00
most
mtd mtd: spi-nor: spansion: Enable JFFS2 write buffer for Infineon s25hx SEMPER flash 2023-05-17 11:53:29 +02:00
mux
net net: cdc_ncm: Deal with too low values of dwNtbOutMaxSize 2023-05-30 14:03:18 +01:00
nfc nfc: st-nci: Fix use after free bug in ndlc_remove due to race condition 2023-03-22 13:33:46 +01:00
ntb
nubus
nvdimm
nvme nvme-fcloop: fix "inconsistent {IN-HARDIRQ-W} -> {HARDIRQ-ON-W} usage" 2023-05-11 23:03:22 +09:00
nvmem
of of: Fix modalias string generation 2023-05-11 23:03:28 +09:00
opp
parisc parisc: Replace regular spinlock with spin_trylock on panic path 2023-05-24 17:32:42 +01:00
parport
pci PCI/PM: Extend D3hot delay for NVIDIA HDA controllers 2023-05-11 23:03:29 +09:00
pcmcia
peci
perf perf/arm-cmn: Fix port detection for CMN-700 2023-05-11 23:03:16 +09:00
phy phy: st: miphy28lp: use _poll_timeout functions for waits 2023-05-24 17:32:41 +01:00
pinctrl pinctrl-bcm2835.c: fix race condition when setting gpio dir 2023-05-11 23:03:37 +09:00
platform platform/x86/intel/ifs: Annotate work queue on stack so object debug does not complain 2023-05-30 14:03:17 +01:00
pnp
power power: supply: bq25890: Fix external_power_changed race 2023-05-30 14:03:18 +01:00
powercap
pps
ps3
ptp ptp_qoriq: fix memory leak in probe() 2023-04-06 12:10:44 +02:00
pwm pwm: mtk-disp: Configure double buffering before reading in .get_state() 2023-05-11 23:03:37 +09:00
rapidio
ras
regulator regulator: stm32-pwr: fix of_iomap leak 2023-05-11 23:03:16 +09:00
remoteproc remoteproc: imx_dsp_rproc: Fix kernel test robot sparse warning 2023-05-24 17:32:53 +01:00
reset
rpmsg rpmsg: glink: Propagate TX failures in intentless mode as well 2023-05-11 23:03:16 +09:00
rtc rtc: k3: handle errors while enabling wake irq 2023-05-11 23:03:33 +09:00
s390 s390/qdio: fix do_sqbs() inline assembly constraint 2023-05-24 17:32:52 +01:00
sbus
scsi scsi: storvsc: Don't pass unused PFNs to Hyper-V host 2023-05-24 17:32:47 +01:00
sh
siox
slimbus
soc soc: qcom: llcc: Do not create EDAC platform device on SDM845 2023-05-17 11:53:28 +02:00
soundwire soundwire: bus: Fix unbalanced pm_runtime_put() causing usage count underflow 2023-05-24 17:32:42 +01:00
spi spi: spi-imx: fix MX51_ECSPI_* macros when cs > 3 2023-05-24 17:32:40 +01:00
spmi spmi: Add a check for remove callback when removing a SPMI driver 2023-05-11 23:03:31 +09:00
ssb
staging staging: axis-fifo: initialize timeouts in init only 2023-05-24 17:32:40 +01:00
target scsi: target: iscsit: Free cmds before session free 2023-05-24 17:32:37 +01:00
tc
tee tee: amdtee: fix race condition in amdtee_open_session 2023-03-30 12:49:29 +02:00
thermal thermal/drivers/mediatek: Use devm_of_iomap to avoid resource leak in mtk_thermal_probe 2023-05-11 23:03:37 +09:00
thunderbolt thunderbolt: Clear registers properly when auto clear isn't in use 2023-05-24 17:32:51 +01:00
tty vc_screen: reload load of struct vc_data pointer in vcs_write() to avoid UAF 2023-05-24 17:32:51 +01:00
ufs scsi: ufs: ufs-pci: Add support for Intel Lunar Lake 2023-05-24 17:32:37 +01:00
uio
usb usb: dwc3: fix gadget mode suspend interrupt handler issue 2023-05-30 14:03:16 +01:00
vdpa vp_vdpa: fix the crash in hot unplug with vp_vdpa 2023-03-22 13:34:03 +01:00
vfio
vhost vhost_vdpa: fix unmap process in no-batch mode 2023-05-11 23:03:41 +09:00
video fbdev: udlfb: Fix endpoint check 2023-05-30 14:03:20 +01:00
virt virt/coco/sev-guest: Double-buffer messages 2023-05-11 23:03:10 +09:00
virtio virtio_ring: don't update event idx on get_buf 2023-05-11 23:03:31 +09:00
vlynq
w1
watchdog watchdog: sp5100_tco: Immediately trigger upon starting. 2023-05-30 14:03:16 +01:00
xen ACPI: processor: Fix evaluating _PDC method when running as Xen dom0 2023-05-11 23:03:11 +09:00
zorro
Kconfig
Makefile