In some usb gadget driver, for example usb audio class device, the high
byte of w_index is the entity id and low byte is the interface number.
If we use the 2 bytes of w_index as the array number, we will get a
wrong pointer or NULL pointer.
This patch fixes this issue.
Signed-off-by: Bryan Wu <cooloney@kernel.org>
Acked-by: David Brownell <dbrownell@users.sourceforge.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
struct usb_request *req = cdev->req;
int value = -EOPNOTSUPP;
u16 w_index = le16_to_cpu(ctrl->wIndex);
struct usb_request *req = cdev->req;
int value = -EOPNOTSUPP;
u16 w_index = le16_to_cpu(ctrl->wIndex);
+ u8 intf = w_index & 0xFF;
u16 w_value = le16_to_cpu(ctrl->wValue);
u16 w_length = le16_to_cpu(ctrl->wLength);
struct usb_function *f = NULL;
u16 w_value = le16_to_cpu(ctrl->wValue);
u16 w_length = le16_to_cpu(ctrl->wLength);
struct usb_function *f = NULL;
goto unknown;
if (!cdev->config || w_index >= MAX_CONFIG_INTERFACES)
break;
goto unknown;
if (!cdev->config || w_index >= MAX_CONFIG_INTERFACES)
break;
- f = cdev->config->interface[w_index];
+ f = cdev->config->interface[intf];
if (!f)
break;
if (w_value && !f->set_alt)
if (!f)
break;
if (w_value && !f->set_alt)
goto unknown;
if (!cdev->config || w_index >= MAX_CONFIG_INTERFACES)
break;
goto unknown;
if (!cdev->config || w_index >= MAX_CONFIG_INTERFACES)
break;
- f = cdev->config->interface[w_index];
+ f = cdev->config->interface[intf];
if (!f)
break;
/* lots of interfaces only need altsetting zero... */
if (!f)
break;
/* lots of interfaces only need altsetting zero... */
*/
if ((ctrl->bRequestType & USB_RECIP_MASK)
== USB_RECIP_INTERFACE) {
*/
if ((ctrl->bRequestType & USB_RECIP_MASK)
== USB_RECIP_INTERFACE) {
- f = cdev->config->interface[w_index];
+ f = cdev->config->interface[intf];
if (f && f->setup)
value = f->setup(f, ctrl);
else
if (f && f->setup)
value = f->setup(f, ctrl);
else