Received: by 2002:a25:6193:0:0:0:0:0 with SMTP id v141csp1476598ybb;
        Thu, 26 Mar 2020 01:15:19 -0700 (PDT)
X-Google-Smtp-Source: ADFU+vuG+MqNH8DNPuvZbuMUmUjOEWVKNTaRXiMP4UXG1W9XUTL52TKjzDjxswDIlYvVheQVBA1Z
X-Received: by 2002:aca:450a:: with SMTP id s10mr976027oia.25.1585210519292;
        Thu, 26 Mar 2020 01:15:19 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1585210519; cv=none;
        d=google.com; s=arc-20160816;
        b=zd6wv4GnwwUOvvB0EClGcx/jmBRY28zmqW5HfN2L9AZUCnIGrlOGngaN0rISOyu/kX
         QbNJS3MOfjmM2ukk0avkv/5rVM6+JiZ7MwE3/lScmFpSiveHAHHZkiepD2gu4r2YxN/f
         k/ZobvIOn0WXpfz36FeTvQ9qnhA0vU5Zvtig6nsB25sfxo1QWZiPFpe3C3vP7CBnM4JE
         i3oHCgoECz+b3nP2E6VqZzyPdKB2Wp1zXcYRgNq1iD7AsICG13JvW8D1z8jhPHNuBrMv
         r1HTy47+JI4AxtcX8qCviBDJZ1ZrEfzaI3mOErcEUWq+aQYi9xxHITTYBt9rKiHgWgiu
         CkTA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:in-reply-to:content-disposition
         :mime-version:references:message-id:subject:cc:to:from:date
         :dkim-signature;
        bh=LiF7bvWYkdau9jM6rL14CkJMgxhoju/RvYJ/Ke1eQIg=;
        b=dXv0cznBEvA6h3h0MewEu2LvoXfZWqKmDT42JrT8WaH3qVH1bLhM6wgbXaIsaCJ+XT
         f212jp4N9wk+hO9N+Qmh4bFmwEnNko/8uF/b4V3cakjCweA3ieOSNxCpPRluRbuKA8m0
         ppBTUzmuh7wUDN7mSxFey26g4OdgGcCha/1MWaNI2WJMUFPro6LcYdmJ8dOv9RNDW8vj
         DzKOp0+eT2FbSAVAKCF0CfQkK/W7b051BSGXAeIXcirouh859Dy8/DXSp0AVIG1cmG9B
         51Wcu02m7jqYiWMfbioFyyDiprO/QPzHn826Sy6dmp8rca8CQJCkkkNT6npgy3Ch9O5p
         hYfA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=y9+4WRWn;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id c20si109514otf.37.2020.03.26.01.15.05;
        Thu, 26 Mar 2020 01:15:19 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=y9+4WRWn;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727689AbgCZIOg (ORCPT <rfc822;kerneldev.sdk@gmail.com>
        + 99 others); Thu, 26 Mar 2020 04:14:36 -0400
Received: from mail.kernel.org ([198.145.29.99]:38196 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1726298AbgCZIOg (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 26 Mar 2020 04:14:36 -0400
Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by mail.kernel.org (Postfix) with ESMTPSA id 9CAC82070A;
        Thu, 26 Mar 2020 08:14:35 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=default; t=1585210476;
        bh=elz3UD004qynkZxjoJv1nYmnugnX1dCGwgJS0d8+k4Y=;
        h=Date:From:To:Cc:Subject:References:In-Reply-To:From;
        b=y9+4WRWnBTZ4ra47yUm7mmra9bmFqu1h7f7HB6RjbmAhL43j7Iy3niG05rhzaD0K/
         5mJRdJl3Ts07KRxp/f70IXq0X6fH5jxc54OvzoLILi+2i4aZ8lcxOgc22fZz5AELx+
         jxdQL6+7di777t5ZsUpmXbMy7tcWBnPvZZV/XEI8=
Date:   Thu, 26 Mar 2020 09:14:33 +0100
From:   Greg KH <gregkh@linuxfoundation.org>
To:     Qiujun Huang <hqjagain@gmail.com>
Cc:     johan@kernel.org, linux-usb@vger.kernel.org,
        linux-kernel@vger.kernel.org, anenbupt@gmail.com
Subject: Re: [PATCH] USB: io_edgeport: fix  slab-out-of-bounds Read in
 edge_interrupt_callback
Message-ID: <20200326081433.GA979574@kroah.com>
References: <1585122757-4528-1-git-send-email-hqjagain@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <1585122757-4528-1-git-send-email-hqjagain@gmail.com>
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Mar 25, 2020 at 03:52:37PM +0800, Qiujun Huang wrote:
> The boundary condition should be (length - 1) as we access data[position+1].
> 
> Reported-and-tested-by: syzbot+37ba33391ad5f3935bbd@syzkaller.appspotmail.com
> Signed-off-by: Qiujun Huang <hqjagain@gmail.com>
> ---
>  drivers/usb/serial/io_edgeport.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/usb/serial/io_edgeport.c b/drivers/usb/serial/io_edgeport.c
> index 5737add..4cca0b8 100644
> --- a/drivers/usb/serial/io_edgeport.c
> +++ b/drivers/usb/serial/io_edgeport.c
> @@ -710,7 +710,7 @@ static void edge_interrupt_callback(struct urb *urb)
>  		/* grab the txcredits for the ports if available */
>  		position = 2;
>  		portNumber = 0;
> -		while ((position < length) &&
> +		while ((position < length - 1) &&
>  				(portNumber < edge_serial->serial->num_ports)) {
>  			txCredits = data[position] | (data[position+1] << 8);
>  			if (txCredits) {
> -- 
> 1.8.3.1
> 

Johan, any objection from me taking this in my tree now?

thanks,

greg k-h