From: Ben Hutchings
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
CC: akpm@linux-foundation.org, Denis Kirjanov, "Greg Kroah-Hartman", "Johan Hovold"
Date: Fri, 24 Apr 2020 00:05:16 +0100
Subject: [PATCH 3.16 089/245] USB: atm: ueagle-atm: add missing endpoint check

3.16.83-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Johan Hovold

commit 09068c1ad53fb077bdac288869dec2435420bdc4 upstream.

Make sure that the interrupt interface has an endpoint before trying to access its endpoint descriptors to avoid dereferencing a NULL pointer.

The driver binds to the interrupt interface with interface number 0, but must not assume that this interface or its current alternate setting are the first entries in the corresponding configuration arrays.

Fixes: b72458a80c75 ("[PATCH] USB: Eagle and ADI 930 usb adsl modem driver")
Signed-off-by: Johan Hovold
Link: https://lore.kernel.org/r/20191210112601.3561-2-johan@kernel.org
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Ben Hutchings
---
 drivers/usb/atm/ueagle-atm.c | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

--- a/drivers/usb/atm/ueagle-atm.c +++ b/drivers/usb/atm/ueagle-atm.c @@ -2167,10 +2167,11 @@ resubmit: /* * Start the modem : init the data and start kernel thread */ -static int uea_boot(struct uea_softc *sc) +static int uea_boot(struct uea_softc *sc, struct usb_interface *intf) { - int ret, size; struct intr_pkt *intr; + int ret = -ENOMEM; + int size; uea_enters(INS_TO_USBDEV(sc)); 
@@ -2195,6 +2196,11 @@ static int uea_boot(struct uea_softc *sc if (UEA_CHIP_VERSION(sc) == ADI930) load_XILINX_firmware(sc); + if (intf->cur_altsetting->desc.bNumEndpoints < 1) { + ret = -ENODEV; + goto err0; + } + intr = kmalloc(size, GFP_KERNEL); if (!intr) { uea_err(INS_TO_USBDEV(sc), @@ -2211,8 +2217,7 @@ static int uea_boot(struct uea_softc *sc usb_fill_int_urb(sc->urb_int, sc->usb_dev, usb_rcvintpipe(sc->usb_dev, UEA_INTR_PIPE), intr, size, uea_intr, sc, - sc->usb_dev->actconfig->interface[0]->altsetting[0]. - endpoint[0].desc.bInterval); + intf->cur_altsetting->endpoint[0].desc.bInterval); ret = usb_submit_urb(sc->urb_int, GFP_KERNEL); if (ret < 0) { @@ -2227,6 +2232,7 @@ static int uea_boot(struct uea_softc *sc sc->kthread = kthread_create(uea_kthread, sc, "ueagle-atm"); if (IS_ERR(sc->kthread)) { uea_err(INS_TO_USBDEV(sc), "failed to create thread\n"); + ret = PTR_ERR(sc->kthread); goto err2; } @@ -2241,7 +2247,7 @@ err1: kfree(intr); err0: uea_leaves(INS_TO_USBDEV(sc)); - return -ENOMEM; + return ret; } /* @@ -2604,7 +2610,7 @@ static int uea_bind(struct usbatm_data * if (ret < 0) goto error; - ret = uea_boot(sc); + ret = uea_boot(sc, intf); if (ret < 0) goto error_rm_grp;
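
Review bot: In the @@ -2195 hunk the new bNumEndpoints check sits after load_XILINX_firmware(sc), so an ADI930 device whose interface has no endpoints still has firmware loaded before uea_boot() bails out with -ENODEV. Moving the check to the top of uea_boot(), or into uea_bind() ahead of the uea_boot() call, would reject the malformed descriptor before any firmware is loaded. The -ENODEV path is also silent, unlike the kmalloc failure just below it, which logs through uea_err(); a one-line message here would make a rejected device visible in the kernel log.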
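
Review bot: In the @@ -2211 hunk, bInterval is now read from intf->cur_altsetting->endpoint[0], but the pipe is still built from the fixed UEA_INTR_PIPE address, and the bNumEndpoints < 1 check only proves that some endpoint exists. Nothing in the visible lines confirms that endpoint[0] is an interrupt IN endpoint or that its address matches UEA_INTR_PIPE, so a device with unexpected descriptors could supply a bInterval taken from an unrelated endpoint. Consider validating the descriptor with usb_endpoint_is_int_in(), and comparing its bEndpointAddress, before passing it to usb_fill_int_urb().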
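
Review bot: In the @@ -2241 hunk, replacing "return -ENOMEM;" with "return ret;" makes the shared error exit depend on every goto having left a negative value in ret. The -ENOMEM initializer covers the paths before "ret = usb_submit_urb(...)", but once that call succeeds ret is 0, so any later jump to an error label that does not assign ret would return 0, and uea_bind() would pass its "if (ret < 0)" test and treat a failed boot as success. The kthread_create() path is covered by the added "ret = PTR_ERR(sc->kthread);", and it is worth confirming that no other jump exists after the submit. The changelog describes only the endpoint check, so the error-code propagation deserves its own sentence there.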