Commit 1c02040a authored by Johan Hovold's avatar Johan Hovold Committed by Jiri Slaby

USB: usbtmc: add missing endpoint sanity check

commit 687e0687 upstream.

USBTMC devices are required to have a bulk-in and a bulk-out endpoint,
but the driver failed to verify this, something which could lead to the
endpoint addresses being taken from uninitialised memory.

Make sure to zero all private data as part of allocation, and add the
missing endpoint sanity check.

Note that this also addresses a more recently introduced issue, where
the interrupt-in-presence flag would also be uninitialised whenever the
optional interrupt-in endpoint is not present. This in turn could lead
to an interrupt urb being allocated, initialised and submitted based on
uninitialised values.

Fixes: dbf3e7f6 ("Implement an ioctl to support the USMTMC-USB488 READ_STATUS_BYTE operation.")
Fixes: 5b775f67 ("USB: add USB test and measurement class driver")
Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
[ johan: backport to v4.4 ]
Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
parent a7756258
...@@ -1102,7 +1102,7 @@ static int usbtmc_probe(struct usb_interface *intf, ...@@ -1102,7 +1102,7 @@ static int usbtmc_probe(struct usb_interface *intf,
dev_dbg(&intf->dev, "%s called\n", __func__); dev_dbg(&intf->dev, "%s called\n", __func__);
data = kmalloc(sizeof(*data), GFP_KERNEL); data = kzalloc(sizeof(*data), GFP_KERNEL);
if (!data) { if (!data) {
dev_err(&intf->dev, "Unable to allocate kernel memory\n"); dev_err(&intf->dev, "Unable to allocate kernel memory\n");
return -ENOMEM; return -ENOMEM;
...@@ -1162,6 +1162,12 @@ static int usbtmc_probe(struct usb_interface *intf, ...@@ -1162,6 +1162,12 @@ static int usbtmc_probe(struct usb_interface *intf,
} }
} }
if (!data->bulk_out || !data->bulk_in) {
dev_err(&intf->dev, "bulk endpoints not found\n");
retcode = -ENODEV;
goto err_put;
}
retcode = get_capabilities(data); retcode = get_capabilities(data);
if (retcode) if (retcode)
dev_err(&intf->dev, "can't read capabilities\n"); dev_err(&intf->dev, "can't read capabilities\n");
...@@ -1185,6 +1191,7 @@ static int usbtmc_probe(struct usb_interface *intf, ...@@ -1185,6 +1191,7 @@ static int usbtmc_probe(struct usb_interface *intf,
error_register: error_register:
sysfs_remove_group(&intf->dev.kobj, &capability_attr_grp); sysfs_remove_group(&intf->dev.kobj, &capability_attr_grp);
sysfs_remove_group(&intf->dev.kobj, &data_attr_grp); sysfs_remove_group(&intf->dev.kobj, &data_attr_grp);
err_put:
kref_put(&data->kref, usbtmc_delete); kref_put(&data->kref, usbtmc_delete);
return retcode; return retcode;
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment