Fix binding to compromised USB devices using non-Interrupt endpoint
(e.g., Bulk), which can trigger a system crash with panic_on_warn
enabled. Replace endpoint count check with usb_find_int_in_endpoint()
to enforce Interrupt IN.

Syzbot report:
usb 1-1: BOGUS urb xfer, pipe 1 != type 3
WARNING: CPU: 0 PID: 2827 at drivers/usb/core/urb.c:503 usb_submit_urb+0xe4b/0x1730 drivers/usb/core/urb.c:503
Modules linked in:
CPU: 0 UID: 0 PID: 2827 Comm: acpid Not tainted 6.14.0-rc3-syzkaller-00071-gb331a3d8097f #0
Call Trace:
 <TASK>
 hanwang_open+0xa8/0xf0 drivers/input/tablet/hanwang.c:284
 input_open_device+0x230/0x390 drivers/input/input.c:600
 evdev_open+0x52d/0x690 drivers/input/evdev.c:478
 chrdev_open+0x237/0x6a0 fs/char_dev.c:414
 do_dentry_open+0x6cb/0x1390 fs/open.c:956
 vfs_open+0x82/0x3f0 fs/open.c:1086
 do_open fs/namei.c:3830 [inline]
 path_openat+0x1e88/0x2d80 fs/namei.c:3989
 do_filp_open+0x20c/0x470 fs/namei.c:4016
 do_sys_openat2+0x17a/0x1e0 fs/open.c:1428
 __x64_sys_openat+0x175/0x210 fs/open.c:1454
 do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Found by Linux Verification Center (linuxtesting.org) with
"USB Gadget Tests" [1]:

$ make input-tab-hanwang
$ sudo ./src/input-tab-hanwang/input-tab-hanwang --invalid_ep_int_type

Fixes: bba5394ad3bd ("Input: add support for Hanwang tablets")
Cc: stable@xxxxxxxxxxxxxxx
[1] Link: https://github.com/kovalev0/usb-gadget-tests
Reported-by: syzbot+9fe8f6caeb5661802ca2@xxxxxxxxxxxxxxxxxxxxxxxxx
Closes: https://syzkaller.appspot.com/bug?extid=9fe8f6caeb5661802ca2
Signed-off-by: Vasiliy Kovalev <kovalev@xxxxxxxxxxxx>
---
 drivers/input/tablet/hanwang.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/input/tablet/hanwang.c b/drivers/input/tablet/hanwang.c
index 42c1e5eaddd50..7315bee4f3fe7 100644
--- a/drivers/input/tablet/hanwang.c
+++ b/drivers/input/tablet/hanwang.c
@@ -319,8 +319,11 @@ static int hanwang_probe(struct usb_interface *intf, const struct usb_device_id int error; int i; - if (intf->cur_altsetting->desc.bNumEndpoints < 1) + if (usb_find_int_in_endpoint(intf->cur_altsetting, + &endpoint) != 0) { + dev_err(&intf->dev, "int in endpoint not found\n"); return -ENODEV; + } hanwang = kzalloc(sizeof(*hanwang), GFP_KERNEL); input_dev = input_allocate_device(); @@ -387,7 +390,6 @@ static int hanwang_probe(struct usb_interface *intf, const struct usb_device_id input_set_abs_params(input_dev, ABS_PRESSURE, 0, hanwang->features->max_pressure, 0, 0); - endpoint = &intf->cur_altsetting->endpoint[0].desc; usb_fill_int_urb(hanwang->irq, dev, usb_rcvintpipe(dev, endpoint->bEndpointAddress), hanwang->data, hanwang->features->pkg_len, -- 2.42.2
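
Review bot: In the first hunk (the check at the top of hanwang_probe), the failure path now logs with dev_err() where the old bNumEndpoints check returned -ENODEV silently, so every bind attempt by a device with a malformed descriptor produces an error-level line. Consider dev_dbg(), or dropping the message, unless the log entry is wanted for triage. The explicit "!= 0" is also redundant: usb_find_int_in_endpoint() returns 0 on success, so "if (usb_find_int_in_endpoint(intf->cur_altsetting, &endpoint))" reads the same. Mapping its error return to -ENODEV is fine for a probe function.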
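
Review bot: In the second hunk, removing "endpoint = &intf->cur_altsetting->endpoint[0].desc;" means usb_rcvintpipe() now takes its address from the first Interrupt IN endpoint in the altsetting rather than from entry 0 of the endpoint array. For a device that lists some other endpoint first, the driver will bind to a different endpoint than it did before. The commit message only talks about enforcing the transfer type, so it should state this selection change as intended and, if possible, note that it was checked against the descriptors of a real Hanwang tablet.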