This is a note to let you know that I've just added the patch titled media: ati_remote: sanity check for both endpoints to the 4.9-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: media-ati_remote-sanity-check-for-both-endpoints.patch and it can be found in the queue-4.9 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. commit 4c2e70438a7435a08968cff366f48fceb4d1c7e0 Author: Oliver Neukum <oneukum@xxxxxxxx> Date: Wed Sep 16 15:50:51 2020 +0200 media: ati_remote: sanity check for both endpoints [ Upstream commit a8be80053ea74bd9c3f9a3810e93b802236d6498 ] If you do sanity checks, you should do them for both endpoints. Hence introduce checking for endpoint type for the output endpoint, too. Reported-by: syzbot+998261c2ae5932458f6c@xxxxxxxxxxxxxxxxxxxxxxxxx Signed-off-by: Oliver Neukum <oneukum@xxxxxxxx> Signed-off-by: Sean Young <sean@xxxxxxxx> Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@xxxxxxxxxx> Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx> diff --git a/drivers/media/rc/ati_remote.c b/drivers/media/rc/ati_remote.c index 9f5b59706741c..7f98db4bc0277 100644 --- a/drivers/media/rc/ati_remote.c +++ b/drivers/media/rc/ati_remote.c @@ -850,6 +850,10 @@ static int ati_remote_probe(struct usb_interface *interface, err("%s: endpoint_in message size==0? \n", __func__); return -ENODEV; } + if (!usb_endpoint_is_int_out(endpoint_out)) { + err("%s: Unexpected endpoint_out\n", __func__); + return -ENODEV; + } ati_remote = kzalloc(sizeof (struct ati_remote), GFP_KERNEL); rc_dev = rc_allocate_device();