| From: Shuah Khan <shuahkh@osg.samsung.com> |
| Date: Thu, 5 Apr 2018 16:31:49 -0600 |
| Subject: usbip: vhci_hcd: check rhport before using in vhci_hub_control() |
| |
| commit 5b22f676118ff25049382041da0db8012e57c9e8 upstream. |
| |
| Validate !rhport < 0 before using it to access port_status array. |
| |
| Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| [bwh: Backported to 3.16: |
| - Drop changes to the SetPortFeature |
| USB_PORT_FEAT_{SUSPEND,POWER,BH_PORT_RESET} cases |
| - Add the "error" label |
| - Adjust filename, context] |
| Signed-off-by: Ben Hutchings <ben@decadent.org.uk> |
| --- |
| --- a/drivers/staging/usbip/vhci_hcd.c |
| +++ b/drivers/staging/usbip/vhci_hcd.c |
| @@ -266,6 +266,8 @@ static int vhci_hub_control(struct usb_h |
| usbip_dbg_vhci_rh(" ClearHubFeature\n"); |
| break; |
| case ClearPortFeature: |
| + if (rhport < 0) |
| + goto error; |
| switch (wValue) { |
| case USB_PORT_FEAT_SUSPEND: |
| if (dum->port_status[rhport] & USB_PORT_STAT_SUSPEND) { |
| @@ -370,6 +372,8 @@ static int vhci_hub_control(struct usb_h |
| case USB_PORT_FEAT_RESET: |
| usbip_dbg_vhci_rh( |
| " SetPortFeature: USB_PORT_FEAT_RESET\n"); |
| + if (rhport < 0) |
| + goto error; |
| /* if it's already running, disconnect first */ |
| if (dum->port_status[rhport] & USB_PORT_STAT_ENABLE) { |
| dum->port_status[rhport] &= |
| @@ -385,6 +389,8 @@ static int vhci_hub_control(struct usb_h |
| default: |
| usbip_dbg_vhci_rh(" SetPortFeature: default %d\n", |
| wValue); |
| + if (rhport < 0) |
| + goto error; |
| dum->port_status[rhport] |= (1 << wValue); |
| break; |
| } |
| @@ -392,7 +398,7 @@ static int vhci_hub_control(struct usb_h |
| |
| default: |
| pr_err("default: no such request\n"); |
| - |
| +error: |
| /* "protocol stall" on error */ |
| retval = -EPIPE; |
| } |
