From: Sudip Mukherjee <sudipm.mukherjee@xxxxxxxxx>
The port number is checked and it just prints an error message but it
still continues to use the invalid port. And as a result it accesses
memory which is not its resulting in BUG report from KASAN.
Reported-by: syzbot+600b03e0cf1b73bb23c4@xxxxxxxxxxxxxxxxxxxxxxxxx
Cc: stable <stable@xxxxxxxxxxxxxxx>
Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@xxxxxxxxx>
---
drivers/usb/usbip/vhci_hcd.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/usb/usbip/vhci_hcd.c b/drivers/usb/usbip/vhci_hcd.c
index d11f3f8dad40..71883aa788ac 100644
--- a/drivers/usb/usbip/vhci_hcd.c
+++ b/drivers/usb/usbip/vhci_hcd.c
@@ -334,8 +334,10 @@ static int vhci_hub_control(struct usb_hcd *hcd, u16 typeReq, u16 wValue,
usbip_dbg_vhci_rh("typeReq %x wValue %x wIndex %x\n", typeReq, wValue,
wIndex);
- if (wIndex > VHCI_HC_PORTS)
+ if (wIndex > VHCI_HC_PORTS) {
pr_err("invalid port number %d\n", wIndex);
+ return -ENODEV;
+ }
rhport = wIndex - 1;
vhci_hcd = hcd_to_vhci_hcd(hcd);
--
2.11.0
