From 5b22f676118ff25049382041da0db8012e57c9e8 Mon Sep 17 00:00:00 2001
From: Shuah Khan <shuahkh@osg.samsung.com>
Date: Thu, 5 Apr 2018 16:31:49 -0600
Subject: [PATCH] usbip: vhci_hcd: check rhport before using in
vhci_hub_control()
Git-commit: 5b22f676118ff25049382041da0db8012e57c9e8
Patch-mainline: v4.17
References: bsc#1090888
Validate !rhport < 0 before using it to access port_status array.
Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Oliver Neukum <oneukum@suse.com>
---
drivers/usb/usbip/vhci_hcd.c | 10 ++++++++++
1 file changed, 10 insertions(+)
--- a/drivers/usb/usbip/vhci_hcd.c
+++ b/drivers/usb/usbip/vhci_hcd.c
@@ -288,6 +288,8 @@ static int vhci_hub_control(struct usb_h
usbip_dbg_vhci_rh(" ClearHubFeature\n");
break;
case ClearPortFeature:
+ if (rhport < 0)
+ goto error;
switch (wValue) {
case USB_PORT_FEAT_SUSPEND:
if (dum->port_status[rhport] & USB_PORT_STAT_SUSPEND) {
@@ -341,6 +343,9 @@ static int vhci_hub_control(struct usb_h
retval = -EPIPE;
}
+ if (rhport < 0)
+ goto error;
+
/* we do not care about resume. */
/* whoever resets or resumes must GetPortStatus to
@@ -385,6 +390,10 @@ static int vhci_hub_control(struct usb_h
retval = -EPIPE;
break;
case SetPortFeature:
+
+ if (rhport < 0)
+ goto error;
+
switch (wValue) {
case USB_PORT_FEAT_SUSPEND:
usbip_dbg_vhci_rh(
@@ -416,6 +425,7 @@ static int vhci_hub_control(struct usb_h
default:
pr_err("default: no such request\n");
+error:
/* "protocol stall" on error */
retval = -EPIPE;
}