From patchwork Fri Jan 17 09:50:22 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Johan Hovold X-Patchwork-Id: 11338643 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id CA23C14B7 for ; Fri, 17 Jan 2020 09:51:09 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 9ECF220842 for ; Fri, 17 Jan 2020 09:51:09 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1579254669; bh=5y6HJX2eht/VVKikIsCj/Am8LSqYARIKImQenugko/w=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=o+0ls0oYiknKuvsmwAsqMLnsO97o1DTmIjlbnbYYjI3UPDbAqgKXsfz5KSEPYRQBq XebAJm85xk7w0rRcqYH2A8Jyo9UtmPapM2ASHEXagDUht5ew0h6dBiM2fx2JNXjjos tV4csuAwFQ26QBERXO5G1x5MhjNJiFDZy6Hz06ak= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728665AbgAQJvI (ORCPT ); Fri, 17 Jan 2020 04:51:08 -0500 Received: from mail-lf1-f66.google.com ([209.85.167.66]:42925 "EHLO mail-lf1-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726957AbgAQJvH (ORCPT ); Fri, 17 Jan 2020 04:51:07 -0500 Received: by mail-lf1-f66.google.com with SMTP id y19so17859926lfl.9; Fri, 17 Jan 2020 01:51:06 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=WWRBcoPU/m+0XaWultvQ07QvHcKAXmUxIDJo5eqommk=; b=H5DQbh4XuLzTa9WojmbJK+AwDFEyrgLskyIwKG2lc+10h7VVG9DEUoVx4NVbfaRUlk Zau0l9W5ntaSbWxLPax4wpqPRg3NA12xxcI1TrZzq8wFoYaIhBjeBCrO6yb+7nEbzcNe qBDWytWjYIwVTb/xSV/cxQfYYQ88z0oaTVzsFR7ReIeU763oLTkce1wHJ9XrHuDMpUQG r9fFWhwgKQZLqGDAAp1wAUgP5MOjOZZ3RNt9n9O+telIvVklImA12GMGCDLSy825Ere3 tRexyq8auL0wyfOwr+RyjBsv+AR/FRbtHDh60AKpZ6n1ZZU4ijVTzXA1VFb6z2PdsNHT H7yw== X-Gm-Message-State: APjAAAUN061Xk8g002HOv55uH0dg8Ld1rfsFsaW5xD6GAGvJ4HGJkQV8 1NCjneGjTCD431adVEURx3c= X-Google-Smtp-Source: APXvYqynKW/PNFLWTOw0LQJFVZgqN2uYrZXoh/DJ6cN/NFm7y/WAwXN6BVLGOvZLzOwt6s7fhxlkSw== X-Received: by 2002:ac2:599c:: with SMTP id w28mr4921754lfn.78.1579254665397; Fri, 17 Jan 2020 01:51:05 -0800 (PST) Received: from xi.terra (c-14b8e655.07-184-6d6c6d4.bbcust.telenor.se. [85.230.184.20]) by smtp.gmail.com with ESMTPSA id b20sm11995092ljp.20.2020.01.17.01.51.04 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 17 Jan 2020 01:51:04 -0800 (PST) Received: from johan by xi.terra with local (Exim 4.92.3) (envelope-from ) id 1isOHQ-0007DC-8o; Fri, 17 Jan 2020 10:51:04 +0100 From: Johan Hovold To: Johan Hovold Cc: linux-usb@vger.kernel.org, stable Subject: [PATCH 1/5] USB: ch341: handle unbound port at reset_resume Date: Fri, 17 Jan 2020 10:50:22 +0100 Message-Id: <20200117095026.27655-2-johan@kernel.org> X-Mailer: git-send-email 2.24.1 In-Reply-To: <20200117095026.27655-1-johan@kernel.org> References: <20200117095026.27655-1-johan@kernel.org> MIME-Version: 1.0 Sender: linux-usb-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-usb@vger.kernel.org Check for NULL port data in reset_resume() to avoid dereferencing a NULL pointer in case the port device isn't bound to a driver (e.g. after a failed control request at port probe). Fixes: 1ded7ea47b88 ("USB: ch341 serial: fix port number changed after resume") Cc: stable # 2.6.30 Signed-off-by: Johan Hovold --- drivers/usb/serial/ch341.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/drivers/usb/serial/ch341.c b/drivers/usb/serial/ch341.c index df582fe855f0..d3f420f3a083 100644 --- a/drivers/usb/serial/ch341.c +++ b/drivers/usb/serial/ch341.c @@ -642,9 +642,13 @@ static int ch341_tiocmget(struct tty_struct *tty) static int ch341_reset_resume(struct usb_serial *serial) { struct usb_serial_port *port = serial->port[0]; - struct ch341_private *priv = usb_get_serial_port_data(port); + struct ch341_private *priv; int ret; + priv = usb_get_serial_port_data(port); + if (!priv) + return 0; + /* reconfigure ch341 serial port after bus-reset */ ch341_configure(serial->dev, priv); From patchwork Fri Jan 17 09:50:23 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Johan Hovold X-Patchwork-Id: 11338647 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 8A3AF14B7 for ; Fri, 17 Jan 2020 09:51:12 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 6970520842 for ; Fri, 17 Jan 2020 09:51:12 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1579254672; bh=n7+LhhJx6hydbX2mGcHVqiW+HMs+IseExMRfz/MtW0c=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=BhvguSK/409T/NyWy6ldKONnXXqx8l4kkPMLL2sonZb5g6YzPlIdHk9NVlzM9EHKn f/9FHiOZ5RZt5ve03TfqR7uzTcPIsIH48aPuYS610A1GO9acBI/Ik9t6b3KsmHdw7V CvjCytur5TNZwgKcDVcHg8ym789SopnKTQiPiWmE= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728765AbgAQJvL (ORCPT ); Fri, 17 Jan 2020 04:51:11 -0500 Received: from mail-lf1-f66.google.com ([209.85.167.66]:41491 "EHLO mail-lf1-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728682AbgAQJvI (ORCPT ); Fri, 17 Jan 2020 04:51:08 -0500 Received: by mail-lf1-f66.google.com with SMTP id m30so17830279lfp.8; Fri, 17 Jan 2020 01:51:06 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=H3I1kDXP2xB9zKvHqrsjSq/pe+FbsHs1Q5j6rerVmVA=; b=OffkbDWbSuQGyoztGrnUYfn/O5J/0JBqbc5mlXPFfEkpg4K1Z5/TLo3vNonW4l3bmj s2exYesIYlpBSzWw++PDqBbdAaYa8AFHaPQn22ZvwzfDJNpxMB/6aZPdWx/GIskdhPyA H/dfN7ls0AWpw/Eu/mmtQoyKXTdjtT0d2NxPuzFGCygmxPeQ4Y3yIIzX9SkaS03vOmVj v0sJlMH4rnfnsTmqD3ExcPWLjA+1e0zjXIgc4WIXYFknDTI+7ZIMPHggDY0XcFTLP0KT abuIcuTP3c7Hapye649LUDWzZiAOUEEqKRJWNcd7isvoIyx57s5BszBzunO833UfpbG+ OTGg== X-Gm-Message-State: APjAAAXc7kmwDGAqF3J4OdHiMRLSRl0VwAx5hz4JYznimgh0Rwj8PBUH p+/rTot2nTdLF8RoH7HGrOQ= X-Google-Smtp-Source: APXvYqzL1YqNykHjbGyNujGD35RjAUICgs4j8lRqbv5BUNv2V26CbH2oXR9EhhhRCF/a7y6AMSnYYQ== X-Received: by 2002:a19:5057:: with SMTP id z23mr4886317lfj.132.1579254666248; Fri, 17 Jan 2020 01:51:06 -0800 (PST) Received: from xi.terra (c-14b8e655.07-184-6d6c6d4.bbcust.telenor.se. [85.230.184.20]) by smtp.gmail.com with ESMTPSA id h19sm12075512ljl.57.2020.01.17.01.51.04 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 17 Jan 2020 01:51:04 -0800 (PST) Received: from johan by xi.terra with local (Exim 4.92.3) (envelope-from ) id 1isOHQ-0007DI-C8; Fri, 17 Jan 2020 10:51:04 +0100 From: Johan Hovold To: Johan Hovold Cc: linux-usb@vger.kernel.org, stable Subject: [PATCH 2/5] USB: serial: io_edgeport: handle unbound ports on URB completion Date: Fri, 17 Jan 2020 10:50:23 +0100 Message-Id: <20200117095026.27655-3-johan@kernel.org> X-Mailer: git-send-email 2.24.1 In-Reply-To: <20200117095026.27655-1-johan@kernel.org> References: <20200117095026.27655-1-johan@kernel.org> MIME-Version: 1.0 Sender: linux-usb-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-usb@vger.kernel.org Check for NULL port data in the shared interrupt and bulk completion callbacks to avoid dereferencing a NULL pointer in case a device sends data for a port device which isn't bound to a driver (e.g. due to a malicious device having unexpected endpoints or after an allocation failure on port probe). Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable Signed-off-by: Johan Hovold --- drivers/usb/serial/io_edgeport.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/usb/serial/io_edgeport.c b/drivers/usb/serial/io_edgeport.c index 9690a5f4b9d6..0582d78bdb1d 100644 --- a/drivers/usb/serial/io_edgeport.c +++ b/drivers/usb/serial/io_edgeport.c @@ -716,7 +716,7 @@ static void edge_interrupt_callback(struct urb *urb) if (txCredits) { port = edge_serial->serial->port[portNumber]; edge_port = usb_get_serial_port_data(port); - if (edge_port->open) { + if (edge_port && edge_port->open) { spin_lock_irqsave(&edge_port->ep_lock, flags); edge_port->txCredits += txCredits; @@ -1825,7 +1825,7 @@ static void process_rcvd_data(struct edgeport_serial *edge_serial, port = edge_serial->serial->port[ edge_serial->rxPort]; edge_port = usb_get_serial_port_data(port); - if (edge_port->open) { + if (edge_port && edge_port->open) { dev_dbg(dev, "%s - Sending %d bytes to TTY for port %d\n", __func__, rxLen, edge_serial->rxPort); From patchwork Fri Jan 17 09:50:24 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Johan Hovold X-Patchwork-Id: 11338649 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 0E433139A for ; Fri, 17 Jan 2020 09:51:13 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id E14E82087E for ; Fri, 17 Jan 2020 09:51:12 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1579254673; bh=VqZ8sLL8zIp47ibFvMXIkm1AhIjua/qKsLXSKmRTiaQ=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=wKI3KdDAR7RRdmIGDr1fjOaqcRDqVGA2HPKwI3Jg5n/rRv2PPZDXXis9yF0E49ONa 21keHDygCotw4iJQ6c5WjG664RDQrQ9DEVKraAfqaoczT45WqflRYCwd/1AdvsjVMG V8/m8/RbW4s/QOZMEGrOvUDEHFfgvkdE5/ZqQtxU= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728731AbgAQJvK (ORCPT ); Fri, 17 Jan 2020 04:51:10 -0500 Received: from mail-lj1-f196.google.com ([209.85.208.196]:35245 "EHLO mail-lj1-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726903AbgAQJvJ (ORCPT ); Fri, 17 Jan 2020 04:51:09 -0500 Received: by mail-lj1-f196.google.com with SMTP id j1so25790821lja.2; Fri, 17 Jan 2020 01:51:07 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=lItgM4AuMa7NuLq3vvovEJzVKMKt6bwUYNd3Nm8lyCg=; b=lbULAYYnLgDLU0gVvJNO7JanSkg1M4PeMI8AloL29z/doYFLVkoitD79QJVh9OiZlC xeIwVDMwRgRWUB4SVcxHJ26ddt6t2VB78SUFjIPDEar2JeLhVpBNLRVj4NzokkJKWbjt lfVH9FUZ842ZptuKG79dGoqNsIAlUn5kRXt2QOI/7yRvUbT1l6SD6GjP7K5LSVaTzUH0 NMgUkpPp3/eJPVgixJsUxco4kT7hjpPHeaNzQlOV9EZ1XuHFLlqsdbhEnd7V2jPOvqwa WNhdrROlHcJY1ZIJrfqJB6DllnFEMQCX6hXkoc4qr3bWygCEDTlZ3SiJl3fpaRJWctA0 LfuA== X-Gm-Message-State: APjAAAWeLgYNIzACMsJ3970rWrhrydSwVIEfaA0bB6oG/zOZrL7AvyoU Q6yG7LrOx0a8nYkc+4mijEGs2Xeb X-Google-Smtp-Source: APXvYqw8i7Z0U5J3jxJDNmJmWEUyKXwPWelWP1Q3u/ZOlydygzFADALS9eLeipGW4YvsAJ8T4DaffQ== X-Received: by 2002:a2e:7a07:: with SMTP id v7mr5276698ljc.271.1579254666628; Fri, 17 Jan 2020 01:51:06 -0800 (PST) Received: from xi.terra (c-14b8e655.07-184-6d6c6d4.bbcust.telenor.se. [85.230.184.20]) by smtp.gmail.com with ESMTPSA id s9sm14012695ljh.90.2020.01.17.01.51.04 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 17 Jan 2020 01:51:04 -0800 (PST) Received: from johan by xi.terra with local (Exim 4.92.3) (envelope-from ) id 1isOHQ-0007DO-FJ; Fri, 17 Jan 2020 10:51:04 +0100 From: Johan Hovold To: Johan Hovold Cc: linux-usb@vger.kernel.org, stable Subject: [PATCH 3/5] USB: serial: io_edgeport: add missing active-port sanity check Date: Fri, 17 Jan 2020 10:50:24 +0100 Message-Id: <20200117095026.27655-4-johan@kernel.org> X-Mailer: git-send-email 2.24.1 In-Reply-To: <20200117095026.27655-1-johan@kernel.org> References: <20200117095026.27655-1-johan@kernel.org> MIME-Version: 1.0 Sender: linux-usb-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-usb@vger.kernel.org The driver receives the active port number from the device, but never made sure that the port number was valid. This could lead to a NULL-pointer dereference or memory corruption in case a device sends data for an invalid port. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable Signed-off-by: Johan Hovold --- drivers/usb/serial/io_edgeport.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/drivers/usb/serial/io_edgeport.c b/drivers/usb/serial/io_edgeport.c index 0582d78bdb1d..5737add6a2a4 100644 --- a/drivers/usb/serial/io_edgeport.c +++ b/drivers/usb/serial/io_edgeport.c @@ -1725,7 +1725,8 @@ static void edge_break(struct tty_struct *tty, int break_state) static void process_rcvd_data(struct edgeport_serial *edge_serial, unsigned char *buffer, __u16 bufferLength) { - struct device *dev = &edge_serial->serial->dev->dev; + struct usb_serial *serial = edge_serial->serial; + struct device *dev = &serial->dev->dev; struct usb_serial_port *port; struct edgeport_port *edge_port; __u16 lastBufferLength; @@ -1821,9 +1822,8 @@ static void process_rcvd_data(struct edgeport_serial *edge_serial, /* spit this data back into the tty driver if this port is open */ - if (rxLen) { - port = edge_serial->serial->port[ - edge_serial->rxPort]; + if (rxLen && edge_serial->rxPort < serial->num_ports) { + port = serial->port[edge_serial->rxPort]; edge_port = usb_get_serial_port_data(port); if (edge_port && edge_port->open) { dev_dbg(dev, "%s - Sending %d bytes to TTY for port %d\n", @@ -1833,8 +1833,8 @@ static void process_rcvd_data(struct edgeport_serial *edge_serial, rxLen); edge_port->port->icount.rx += rxLen; } - buffer += rxLen; } + buffer += rxLen; break; case EXPECT_HDR3: /* Expect 3rd byte of status header */ @@ -1869,6 +1869,8 @@ static void process_rcvd_status(struct edgeport_serial *edge_serial, __u8 code = edge_serial->rxStatusCode; /* switch the port pointer to the one being currently talked about */ + if (edge_serial->rxPort >= edge_serial->serial->num_ports) + return; port = edge_serial->serial->port[edge_serial->rxPort]; edge_port = usb_get_serial_port_data(port); if (edge_port == NULL) { From patchwork Fri Jan 17 09:50:25 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Johan Hovold X-Patchwork-Id: 11338645 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 0AA4413A0 for ; Fri, 17 Jan 2020 09:51:12 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id DB5BE2087E for ; Fri, 17 Jan 2020 09:51:11 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1579254671; bh=3jDV1Rl7d8RgSucP31HtcTOCH0pLQrACTrWMmz8Bsfg=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=PohtSOiNyrja4YuTx4Ux2myMI3RTQzaKbVJxnRy69fBHr6hNPJnQYbKF0Z0u/pG/f O4uZ3Foxp2bgeOIb91jaG3QoDUY5DG3TuJPQb4vYnf1jcHOCJ7KDRJzIRR1S/2ob4i YAbv8L3v6rVQnoK1SEOziSxo5NWr6nmP5hk0OBY8= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728760AbgAQJvK (ORCPT ); Fri, 17 Jan 2020 04:51:10 -0500 Received: from mail-lf1-f67.google.com ([209.85.167.67]:33415 "EHLO mail-lf1-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726409AbgAQJvJ (ORCPT ); Fri, 17 Jan 2020 04:51:09 -0500 Received: by mail-lf1-f67.google.com with SMTP id n25so17894371lfl.0; Fri, 17 Jan 2020 01:51:08 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=TZLTb3Fb9pbA200scuV5oYNRLcZ/MmVWd9YnnmqWfKk=; b=YEpydZeehGlQfVUO+fKl5HUhtwhqTgDecPWi+H7kEtZPoOasMlSeHOcvrqHj/vCRln 7USc+lJBrqvOwuRW+2ez+qei1xLIw9h5xDISsR8SsXndSSMmjRGTsE0a98LMwwKMTywc SesmDCgpJI1ERqXfCnUUfaDWxCoLRsRC3XkA/+9Lv2sfDlSoEU9peUtWjivltRh43cXQ xavEjZsRDvTSTJ+/K8GZ1aiWuYLL82Q8ZHAzUfRc5bsaeMPhCX1o8Wp+xfW24bN9G/Gc RLQuTu18cxrpI4MgnrarzCS5XuAW3t4m1nSVKTAjeBpkQk+t3eZnRXxyPGrzHcWVcMqO BPWQ== X-Gm-Message-State: APjAAAUzxvKJQPRZpF5VD8eI3yHjSSYLzTS9BsIfTiEygFJ3AQyUOERQ N5QgWmvMeerwg6eD/u7hiPV0vdFu X-Google-Smtp-Source: APXvYqxN8VxWk3JnF0fI1FuDo1faYKDT5SpJhv7ZzgzVguahzEDpbdwLi9GmHdNDfHcCss2VBO3elQ== X-Received: by 2002:ac2:489b:: with SMTP id x27mr4984189lfc.130.1579254667340; Fri, 17 Jan 2020 01:51:07 -0800 (PST) Received: from xi.terra (c-14b8e655.07-184-6d6c6d4.bbcust.telenor.se. [85.230.184.20]) by smtp.gmail.com with ESMTPSA id w20sm12080240ljo.33.2020.01.17.01.51.04 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 17 Jan 2020 01:51:06 -0800 (PST) Received: from johan by xi.terra with local (Exim 4.92.3) (envelope-from ) id 1isOHQ-0007DS-Hp; Fri, 17 Jan 2020 10:51:04 +0100 From: Johan Hovold To: Johan Hovold Cc: linux-usb@vger.kernel.org, stable Subject: [PATCH 4/5] USB: serial: keyspan: handle unbound ports Date: Fri, 17 Jan 2020 10:50:25 +0100 Message-Id: <20200117095026.27655-5-johan@kernel.org> X-Mailer: git-send-email 2.24.1 In-Reply-To: <20200117095026.27655-1-johan@kernel.org> References: <20200117095026.27655-1-johan@kernel.org> MIME-Version: 1.0 Sender: linux-usb-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-usb@vger.kernel.org Check for NULL port data in the control URB completion handlers to avoid dereferencing a NULL pointer in the unlikely case where a port device isn't bound to a driver (e.g. after an allocation failure on port probe()). Fixes: 0ca1268e109a ("USB Serial Keyspan: add support for USA-49WG & USA-28XG") Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable Signed-off-by: Johan Hovold --- drivers/usb/serial/keyspan.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/usb/serial/keyspan.c b/drivers/usb/serial/keyspan.c index e66a59ef43a1..aa3dbce22cfb 100644 --- a/drivers/usb/serial/keyspan.c +++ b/drivers/usb/serial/keyspan.c @@ -1058,6 +1058,8 @@ static void usa49_glocont_callback(struct urb *urb) for (i = 0; i < serial->num_ports; ++i) { port = serial->port[i]; p_priv = usb_get_serial_port_data(port); + if (!p_priv) + continue; if (p_priv->resend_cont) { dev_dbg(&port->dev, "%s - sending setup\n", __func__); @@ -1459,6 +1461,8 @@ static void usa67_glocont_callback(struct urb *urb) for (i = 0; i < serial->num_ports; ++i) { port = serial->port[i]; p_priv = usb_get_serial_port_data(port); + if (!p_priv) + continue; if (p_priv->resend_cont) { dev_dbg(&port->dev, "%s - sending setup\n", __func__); From patchwork Fri Jan 17 09:50:26 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Johan Hovold X-Patchwork-Id: 11338651 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 7D75B14B7 for ; Fri, 17 Jan 2020 09:51:13 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 5AA832083E for ; Fri, 17 Jan 2020 09:51:13 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1579254673; bh=44jEVXbCE3tV3NxxNZHH2NI6a5l3CAJfnqlRnbx6oys=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=wpej6hOynqiZR2gMX8bApQzP87EPOiCZkatiaxoemQCafANpH+YULB2drfEafrsrI ZgrZT4t5iPwqxXqj8fMQfVI4LDd9wYToPKh7gk3wHJClrwj10Ky0aaBW+aHSKV0sAh V5RIumM3jin2W2RQ3AMe/oveYqyatLacSvhjCzcg= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728773AbgAQJvM (ORCPT ); Fri, 17 Jan 2020 04:51:12 -0500 Received: from mail-lj1-f196.google.com ([209.85.208.196]:42458 "EHLO mail-lj1-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728733AbgAQJvK (ORCPT ); Fri, 17 Jan 2020 04:51:10 -0500 Received: by mail-lj1-f196.google.com with SMTP id y4so25806701ljj.9; Fri, 17 Jan 2020 01:51:08 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=40JSScTYyOWPofT3nlZNpI9vXYe97j1JnSkOaEKoYOo=; b=IcH3jEwiTz8EjUV82Ni3vQbgHgvGlPleQPVNNPrOyWH/8Kux8m8wk35Yq9qixSeYOn 6TXyexiWAgCv5tMUxp8CrNWEl9A6JrjWepdvaAunxUlAs0FN53QznzIx5e7TiFKa6bz7 9oP+3tGg9762C/R0bDsWD5o2SZXgjFURLQgg4qdMpsIHxQNKlzSzSWM+pwHnFd8V/YUt 2WlgdSJEPSKfkZTdp/VNaxmoWLVOtTmEbaOgiMAKObho2hvygWOQRFrql2Kiw2rTM/xB v5g+hp032qECNNQ6JipnciCZvuks/HwJd113T4vjjAEM+0y2YmsezTDSiZq0Devg8DA/ 7b1g== X-Gm-Message-State: APjAAAUzJEzHjsyMksQHuYd7xO2NoficxwCLjfZcRc9s/2vORfMO8I2n XNTvMCuejDfMwjCfm5R8d6g= X-Google-Smtp-Source: APXvYqwjbimfxL+ouk5jb1yXFuN5jRAjSxk677pM16ltU2pIWlmSmTQAOx3qvjwZlNopkCXf20uKBA== X-Received: by 2002:a05:651c:1129:: with SMTP id e9mr4943525ljo.239.1579254667686; Fri, 17 Jan 2020 01:51:07 -0800 (PST) Received: from xi.terra (c-14b8e655.07-184-6d6c6d4.bbcust.telenor.se. [85.230.184.20]) by smtp.gmail.com with ESMTPSA id y29sm11974808ljd.88.2020.01.17.01.51.04 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 17 Jan 2020 01:51:06 -0800 (PST) Received: from johan by xi.terra with local (Exim 4.92.3) (envelope-from ) id 1isOHQ-0007DX-Kz; Fri, 17 Jan 2020 10:51:04 +0100 From: Johan Hovold To: Johan Hovold Cc: linux-usb@vger.kernel.org, stable Subject: [PATCH 5/5] USB: serial: quatech2: handle unbound ports Date: Fri, 17 Jan 2020 10:50:26 +0100 Message-Id: <20200117095026.27655-6-johan@kernel.org> X-Mailer: git-send-email 2.24.1 In-Reply-To: <20200117095026.27655-1-johan@kernel.org> References: <20200117095026.27655-1-johan@kernel.org> MIME-Version: 1.0 Sender: linux-usb-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-usb@vger.kernel.org Check for NULL port data in the event handlers to avoid dereferencing a NULL pointer in the unlikely case where a port device isn't bound to a driver (e.g. after an allocation failure on port probe). Fixes: f7a33e608d9a ("USB: serial: add quatech2 usb to serial driver") Cc: stable # 3.5 Signed-off-by: Johan Hovold --- drivers/usb/serial/quatech2.c | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/drivers/usb/serial/quatech2.c b/drivers/usb/serial/quatech2.c index a62981ca7a73..c76a2c0c32ff 100644 --- a/drivers/usb/serial/quatech2.c +++ b/drivers/usb/serial/quatech2.c @@ -470,6 +470,13 @@ static int get_serial_info(struct tty_struct *tty, static void qt2_process_status(struct usb_serial_port *port, unsigned char *ch) { + struct qt2_port_private *port_priv; + + /* May be called from qt2_process_read_urb() for an unbound port. */ + port_priv = usb_get_serial_port_data(port); + if (!port_priv) + return; + switch (*ch) { case QT2_LINE_STATUS: qt2_update_lsr(port, ch + 1); @@ -484,14 +491,27 @@ static void qt2_process_status(struct usb_serial_port *port, unsigned char *ch) static void qt2_process_xmit_empty(struct usb_serial_port *port, unsigned char *ch) { + struct qt2_port_private *port_priv; int bytes_written; + /* May be called from qt2_process_read_urb() for an unbound port. */ + port_priv = usb_get_serial_port_data(port); + if (!port_priv) + return; + bytes_written = (int)(*ch) + (int)(*(ch + 1) << 4); } /* not needed, kept to document functionality */ static void qt2_process_flush(struct usb_serial_port *port, unsigned char *ch) { + struct qt2_port_private *port_priv; + + /* May be called from qt2_process_read_urb() for an unbound port. */ + port_priv = usb_get_serial_port_data(port); + if (!port_priv) + return; + return; }