Received: by 2002:a25:8b91:0:0:0:0:0 with SMTP id j17csp2298666ybl;
        Thu, 19 Dec 2019 11:11:58 -0800 (PST)
X-Google-Smtp-Source: APXvYqyUug/wDAj5NbvSWnGIf/MIRdRFOrkZ9Nn+s6X/d93ywrhEKQbXOhzD62aLeWpfNnePqYMk
X-Received: by 2002:a05:6808:aba:: with SMTP id r26mr2725459oij.4.1576782718589;
        Thu, 19 Dec 2019 11:11:58 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1576782718; cv=none;
        d=google.com; s=arc-20160816;
        b=tZ6CtsVtCiy3BeZgZj/PTYhoBaexxdnVJFDdUug9ARUmXYnaWtRnlzu56mNQz0rCOt
         QAtIdEy97WwZStNOTJ6CJgKZfd+7tWZMwLKMItGF4dFU2QjuXHcYQXK3aejUPxgB2E7/
         xH8Xd8kVj2G3/HXq9epmYbtcpMStfoUwTbr0W8KFRp+Dx6fxqTimVRI+DFMQICVxAsT0
         KtVToiCce+F6XIuUUX7dw4mB12F5FyzpLzloxXC8BqRdiAwLbS84RShEI1GmV5ec0eaa
         aDCJ6xcsQz5++5fFWoh6oIaprrIOMHMsxUshmXxfjbMcWWt8UEyuO/J2ixCo7XbNDjYA
         UA3g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=T9M7TQ1Ky79sK3JUNsL+AhUKDTLgptyEwVLCAMcQojw=;
        b=0+FjFa+DprqCMHI5V61G2p0qJXQVltMAZCicTanAHZfrs4dWeaVY6cg6Ayd5V9jshL
         srwgCjf4lHeAGwDRmf4WrFgupehegKoCQnlFMcs3jv0/awfUN/TledKRoUiURWL0gc3e
         JpWU6mGratj3319E7G9JnSL02dkKP/nJlDg1Z11AB269AYLa+iASJIJbarhLs92AFInw
         Z4CWYaqnyzwZBBXI6exHmr+GvW/yxELk1XnnUlgkXpgX/UGE3mnNbJljK6wvN4EjiZm7
         3gP1th1RMP91axRxgJs7fARXYZ9ZQzryZ+itYniyQ1KABhVhrlmiMpoRNaRSbZTUT8zL
         iwOw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=ejiB5CY5;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id e9si3625821otk.318.2019.12.19.11.11.46;
        Thu, 19 Dec 2019 11:11:58 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=ejiB5CY5;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727239AbfLSSis (ORCPT <rfc822;parkch98@gmail.com> + 99 others);
        Thu, 19 Dec 2019 13:38:48 -0500
Received: from mail.kernel.org ([198.145.29.99]:56742 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1727768AbfLSSip (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 19 Dec 2019 13:38:45 -0500
Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by mail.kernel.org (Postfix) with ESMTPSA id 2934D222C2;
        Thu, 19 Dec 2019 18:38:44 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=default; t=1576780724;
        bh=6s41C/ku8CxZtDH/9HpVSknr1nn7NPsSuaDaixRw6lQ=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=ejiB5CY55U6GX+/MhGBQhW0mw5VrcOkoZWecKds+SmHcJt1vZ1Cv+iamFjt7wLG1t
         K0/CKZPCla/gTI4rigd+lTECwuorWVTSFYxmdsDXNYkTlnqGXcFUSM1rsUb/RME/h9
         XsuSEEzySR7T2VKXDPet5S+bwyWdm+GjddSKIgcY=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Johan Hovold <johan@kernel.org>
Subject: [PATCH 4.4 091/162] USB: atm: ueagle-atm: add missing endpoint check
Date:   Thu, 19 Dec 2019 19:33:19 +0100
Message-Id: <20191219183213.335021056@linuxfoundation.org>
X-Mailer: git-send-email 2.24.1
In-Reply-To: <20191219183150.477687052@linuxfoundation.org>
References: <20191219183150.477687052@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Johan Hovold <johan@kernel.org>

commit 09068c1ad53fb077bdac288869dec2435420bdc4 upstream.

Make sure that the interrupt interface has an endpoint before trying to
access its endpoint descriptors to avoid dereferencing a NULL pointer.

The driver binds to the interrupt interface with interface number 0, but
must not assume that this interface or its current alternate setting are
the first entries in the corresponding configuration arrays.

Fixes: b72458a80c75 ("[PATCH] USB: Eagle and ADI 930 usb adsl modem driver")
Cc: stable <stable@vger.kernel.org>     # 2.6.16
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://lore.kernel.org/r/20191210112601.3561-2-johan@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/atm/ueagle-atm.c |   18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

--- a/drivers/usb/atm/ueagle-atm.c
+++ b/drivers/usb/atm/ueagle-atm.c
@@ -2167,10 +2167,11 @@ resubmit:
 /*
  * Start the modem : init the data and start kernel thread
  */
-static int uea_boot(struct uea_softc *sc)
+static int uea_boot(struct uea_softc *sc, struct usb_interface *intf)
 {
-	int ret, size;
 	struct intr_pkt *intr;
+	int ret = -ENOMEM;
+	int size;
 
 	uea_enters(INS_TO_USBDEV(sc));
 
@@ -2195,6 +2196,11 @@ static int uea_boot(struct uea_softc *sc
 	if (UEA_CHIP_VERSION(sc) == ADI930)
 		load_XILINX_firmware(sc);
 
+	if (intf->cur_altsetting->desc.bNumEndpoints < 1) {
+		ret = -ENODEV;
+		goto err0;
+	}
+
 	intr = kmalloc(size, GFP_KERNEL);
 	if (!intr) {
 		uea_err(INS_TO_USBDEV(sc),
@@ -2211,8 +2217,7 @@ static int uea_boot(struct uea_softc *sc
 	usb_fill_int_urb(sc->urb_int, sc->usb_dev,
 			 usb_rcvintpipe(sc->usb_dev, UEA_INTR_PIPE),
 			 intr, size, uea_intr, sc,
-			 sc->usb_dev->actconfig->interface[0]->altsetting[0].
-			 endpoint[0].desc.bInterval);
+			 intf->cur_altsetting->endpoint[0].desc.bInterval);
 
 	ret = usb_submit_urb(sc->urb_int, GFP_KERNEL);
 	if (ret < 0) {
@@ -2227,6 +2232,7 @@ static int uea_boot(struct uea_softc *sc
 	sc->kthread = kthread_create(uea_kthread, sc, "ueagle-atm");
 	if (IS_ERR(sc->kthread)) {
 		uea_err(INS_TO_USBDEV(sc), "failed to create thread\n");
+		ret = PTR_ERR(sc->kthread);
 		goto err2;
 	}
 
@@ -2241,7 +2247,7 @@ err1:
 	kfree(intr);
 err0:
 	uea_leaves(INS_TO_USBDEV(sc));
-	return -ENOMEM;
+	return ret;
 }
 
 /*
@@ -2604,7 +2610,7 @@ static int uea_bind(struct usbatm_data *
 	if (ret < 0)
 		goto error;
 
-	ret = uea_boot(sc);
+	ret = uea_boot(sc, intf);
 	if (ret < 0)
 		goto error_rm_grp;