| From 09068c1ad53fb077bdac288869dec2435420bdc4 Mon Sep 17 00:00:00 2001 |
| From: Johan Hovold <johan@kernel.org> |
| Date: Tue, 10 Dec 2019 12:25:58 +0100 |
| Subject: USB: atm: ueagle-atm: add missing endpoint check |
| |
| From: Johan Hovold <johan@kernel.org> |
| |
| commit 09068c1ad53fb077bdac288869dec2435420bdc4 upstream. |
| |
| Make sure that the interrupt interface has an endpoint before trying to |
| access its endpoint descriptors to avoid dereferencing a NULL pointer. |
| |
| The driver binds to the interrupt interface with interface number 0, but |
| must not assume that this interface or its current alternate setting are |
| the first entries in the corresponding configuration arrays. |
| |
| Fixes: b72458a80c75 ("[PATCH] USB: Eagle and ADI 930 usb adsl modem driver") |
| Cc: stable <stable@vger.kernel.org> # 2.6.16 |
| Signed-off-by: Johan Hovold <johan@kernel.org> |
| Link: https://lore.kernel.org/r/20191210112601.3561-2-johan@kernel.org |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| drivers/usb/atm/ueagle-atm.c | 18 ++++++++++++------ |
| 1 file changed, 12 insertions(+), 6 deletions(-) |
| |
| --- a/drivers/usb/atm/ueagle-atm.c |
| +++ b/drivers/usb/atm/ueagle-atm.c |
| @@ -2167,10 +2167,11 @@ resubmit: |
| /* |
| * Start the modem : init the data and start kernel thread |
| */ |
| -static int uea_boot(struct uea_softc *sc) |
| +static int uea_boot(struct uea_softc *sc, struct usb_interface *intf) |
| { |
| - int ret, size; |
| struct intr_pkt *intr; |
| + int ret = -ENOMEM; |
| + int size; |
| |
| uea_enters(INS_TO_USBDEV(sc)); |
| |
| @@ -2195,6 +2196,11 @@ static int uea_boot(struct uea_softc *sc |
| if (UEA_CHIP_VERSION(sc) == ADI930) |
| load_XILINX_firmware(sc); |
| |
| + if (intf->cur_altsetting->desc.bNumEndpoints < 1) { |
| + ret = -ENODEV; |
| + goto err0; |
| + } |
| + |
| intr = kmalloc(size, GFP_KERNEL); |
| if (!intr) { |
| uea_err(INS_TO_USBDEV(sc), |
| @@ -2211,8 +2217,7 @@ static int uea_boot(struct uea_softc *sc |
| usb_fill_int_urb(sc->urb_int, sc->usb_dev, |
| usb_rcvintpipe(sc->usb_dev, UEA_INTR_PIPE), |
| intr, size, uea_intr, sc, |
| - sc->usb_dev->actconfig->interface[0]->altsetting[0]. |
| - endpoint[0].desc.bInterval); |
| + intf->cur_altsetting->endpoint[0].desc.bInterval); |
| |
| ret = usb_submit_urb(sc->urb_int, GFP_KERNEL); |
| if (ret < 0) { |
| @@ -2227,6 +2232,7 @@ static int uea_boot(struct uea_softc *sc |
| sc->kthread = kthread_create(uea_kthread, sc, "ueagle-atm"); |
| if (IS_ERR(sc->kthread)) { |
| uea_err(INS_TO_USBDEV(sc), "failed to create thread\n"); |
| + ret = PTR_ERR(sc->kthread); |
| goto err2; |
| } |
| |
| @@ -2241,7 +2247,7 @@ err1: |
| kfree(intr); |
| err0: |
| uea_leaves(INS_TO_USBDEV(sc)); |
| - return -ENOMEM; |
| + return ret; |
| } |
| |
| /* |
| @@ -2604,7 +2610,7 @@ static int uea_bind(struct usbatm_data * |
| if (ret < 0) |
| goto error; |
| |
| - ret = uea_boot(sc); |
| + ret = uea_boot(sc, intf); |
| if (ret < 0) |
| goto error_rm_grp; |
| |