Commit a495fd19 authored Sep 30, 2019 by Johan Hovold Committed by Greg Kroah-Hartman Oct 07, 2019

hso: fix NULL-deref on tty open



[ Upstream commit 8353da9fa69722b54cba82b2ec740afd3d438748 ]

Fix NULL-pointer dereference on tty open due to a failure to handle a
missing interrupt-in endpoint when probing modem ports:

	BUG: kernel NULL pointer dereference, address: 0000000000000006
	...
	RIP: 0010:tiocmget_submit_urb+0x1c/0xe0 [hso]
	...
	Call Trace:
	hso_start_serial_device+0xdc/0x140 [hso]
	hso_serial_open+0x118/0x1b0 [hso]
	tty_open+0xf1/0x490

Fixes: 542f5482 ("tty: Modem functions for the HSO driver")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

parent 7f30c44b

drivers/net/usb/hso.c

+8 −4

Original line number	Diff line number	Diff line
		@@ -2634,14 +2634,18 @@ static struct hso_device *hso_create_bulk_serial_device(
		*/
		if (serial->tiocmget) {
		tiocmget = serial->tiocmget;
		tiocmget->endp = hso_get_ep(interface,
		USB_ENDPOINT_XFER_INT,
		USB_DIR_IN);
		if (!tiocmget->endp) {
		dev_err(&interface->dev, "Failed to find INT IN ep\n");
		goto exit;
		}

		tiocmget->urb = usb_alloc_urb(0, GFP_KERNEL);
		if (tiocmget->urb) {
		mutex_init(&tiocmget->mutex);
		init_waitqueue_head(&tiocmget->waitq);
		tiocmget->endp = hso_get_ep(
		interface,
		USB_ENDPOINT_XFER_INT,
		USB_DIR_IN);
		} else
		hso_free_tiomget(serial);
		}