From: Sudip Mukherjee sudipm.mukherjee@gmail.com
The port number is checked and it just prints an error message but it still continues to use the invalid port. And as a result it accesses memory which is not its resulting in BUG report from KASAN.
Reported-by: syzbot+600b03e0cf1b73bb23c4@syzkaller.appspotmail.com Cc: stable stable@vger.kernel.org Signed-off-by: Sudip Mukherjee sudipm.mukherjee@gmail.com --- drivers/usb/usbip/vhci_hcd.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/usb/usbip/vhci_hcd.c b/drivers/usb/usbip/vhci_hcd.c index d11f3f8dad40..71883aa788ac 100644 --- a/drivers/usb/usbip/vhci_hcd.c +++ b/drivers/usb/usbip/vhci_hcd.c @@ -334,8 +334,10 @@ static int vhci_hub_control(struct usb_hcd *hcd, u16 typeReq, u16 wValue, usbip_dbg_vhci_rh("typeReq %x wValue %x wIndex %x\n", typeReq, wValue, wIndex);
- if (wIndex > VHCI_HC_PORTS) + if (wIndex > VHCI_HC_PORTS) { pr_err("invalid port number %d\n", wIndex); + return -ENODEV; + } rhport = wIndex - 1;
vhci_hcd = hcd_to_vhci_hcd(hcd);