From 5b22f676118ff25049382041da0db8012e57c9e8 Mon Sep 17 00:00:00 2001
From: Shuah Khan <shuahkh@osg.samsung.com>
Date: Thu, 5 Apr 2018 16:31:49 -0600
Subject: [PATCH] usbip: vhci_hcd: check rhport before using in
 vhci_hub_control()
Git-commit: 5b22f676118ff25049382041da0db8012e57c9e8
Patch-mainline: v4.17
References: bsc#1090888

Validate !rhport < 0 before using it to access port_status array.

Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Oliver Neukum <oneukum@suse.com>
---
 drivers/usb/usbip/vhci_hcd.c |   10 ++++++++++
 1 file changed, 10 insertions(+)

--- a/drivers/usb/usbip/vhci_hcd.c
+++ b/drivers/usb/usbip/vhci_hcd.c
@@ -288,6 +288,8 @@ static int vhci_hub_control(struct usb_h
 		usbip_dbg_vhci_rh(" ClearHubFeature\n");
 		break;
 	case ClearPortFeature:
+		if (rhport < 0)
+			goto error;
 		switch (wValue) {
 		case USB_PORT_FEAT_SUSPEND:
 			if (dum->port_status[rhport] & USB_PORT_STAT_SUSPEND) {
@@ -341,6 +343,9 @@ static int vhci_hub_control(struct usb_h
 			retval = -EPIPE;
 		}
 
+		if (rhport < 0)
+			goto error;
+
 		/* we do not care about resume. */
 
 		/* whoever resets or resumes must GetPortStatus to
@@ -385,6 +390,10 @@ static int vhci_hub_control(struct usb_h
 		retval = -EPIPE;
 		break;
 	case SetPortFeature:
+
+		if (rhport < 0)
+			goto error;
+
 		switch (wValue) {
 		case USB_PORT_FEAT_SUSPEND:
 			usbip_dbg_vhci_rh(
@@ -416,6 +425,7 @@ static int vhci_hub_control(struct usb_h
 	default:
 		pr_err("default: no such request\n");
 
+error:
 		/* "protocol stall" on error */
 		retval = -EPIPE;
 	}