In some usb gadget driver, for example usb audio class device, the high byte of w_index is the entity id and low byte is the interface number. If we use the 2 bytes of w_index as the array number, we will get a wrong pointer or NULL pointer. This patch fixes this issue. Signed-off-by: Bryan Wu <cooloney@xxxxxxxxxx> --- drivers/usb/gadget/composite.c | 7 ++++--- 1 files changed, 4 insertions(+), 3 deletions(-) diff --git a/drivers/usb/gadget/composite.c b/drivers/usb/gadget/composite.c index 363951e..5d11c29 100644 --- a/drivers/usb/gadget/composite.c +++ b/drivers/usb/gadget/composite.c @@ -683,6 +683,7 @@ composite_setup(struct usb_gadget *gadget, const struct usb_ctrlrequest *ctrl) struct usb_request *req = cdev->req; int value = -EOPNOTSUPP; u16 w_index = le16_to_cpu(ctrl->wIndex); + u8 intf = w_index & 0xFF; u16 w_value = le16_to_cpu(ctrl->wValue); u16 w_length = le16_to_cpu(ctrl->wLength); struct usb_function *f = NULL; @@ -769,7 +770,7 @@ composite_setup(struct usb_gadget *gadget, const struct usb_ctrlrequest *ctrl) goto unknown; if (!cdev->config || w_index >= MAX_CONFIG_INTERFACES) break; - f = cdev->config->interface[w_index]; + f = cdev->config->interface[intf]; if (!f) break; if (w_value && !f->set_alt) @@ -781,7 +782,7 @@ composite_setup(struct usb_gadget *gadget, const struct usb_ctrlrequest *ctrl) goto unknown; if (!cdev->config || w_index >= MAX_CONFIG_INTERFACES) break; - f = cdev->config->interface[w_index]; + f = cdev->config->interface[intf]; if (!f) break; /* lots of interfaces only need altsetting zero... */ @@ -808,7 +809,7 @@ unknown: */ if ((ctrl->bRequestType & USB_RECIP_MASK) == USB_RECIP_INTERFACE) { - f = cdev->config->interface[w_index]; + f = cdev->config->interface[intf]; if (f && f->setup) value = f->setup(f, ctrl); else -- 1.5.6 -- To unsubscribe from this list: send the line "unsubscribe linux-usb" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html