USB: composite: Fix bug: low byte of w_index is the usb interface number not the...
authorBryan Wu <cooloney@kernel.org>
Wed, 7 Jan 2009 16:21:19 +0000 (00:21 +0800)
committerGreg Kroah-Hartman <gregkh@kvm.kroah.org>
Wed, 28 Jan 2009 00:15:35 +0000 (16:15 -0800)
In some usb gadget driver, for example usb audio class device, the high
byte of w_index is the entity id and low byte is the interface number.
If we use the 2 bytes of w_index as the array number, we will get a
wrong pointer or NULL pointer.

This patch fixes this issue.

Signed-off-by: Bryan Wu <cooloney@kernel.org>
Acked-by: David Brownell <dbrownell@users.sourceforge.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
drivers/usb/gadget/composite.c

index 363951e..5d11c29 100644 (file)
@@ -683,6 +683,7 @@ composite_setup(struct usb_gadget *gadget, const struct usb_ctrlrequest *ctrl)
        struct usb_request              *req = cdev->req;
        int                             value = -EOPNOTSUPP;
        u16                             w_index = le16_to_cpu(ctrl->wIndex);
+       u8                              intf = w_index & 0xFF;
        u16                             w_value = le16_to_cpu(ctrl->wValue);
        u16                             w_length = le16_to_cpu(ctrl->wLength);
        struct usb_function             *f = NULL;
@@ -769,7 +770,7 @@ composite_setup(struct usb_gadget *gadget, const struct usb_ctrlrequest *ctrl)
                        goto unknown;
                if (!cdev->config || w_index >= MAX_CONFIG_INTERFACES)
                        break;
-               f = cdev->config->interface[w_index];
+               f = cdev->config->interface[intf];
                if (!f)
                        break;
                if (w_value && !f->set_alt)
@@ -781,7 +782,7 @@ composite_setup(struct usb_gadget *gadget, const struct usb_ctrlrequest *ctrl)
                        goto unknown;
                if (!cdev->config || w_index >= MAX_CONFIG_INTERFACES)
                        break;
-               f = cdev->config->interface[w_index];
+               f = cdev->config->interface[intf];
                if (!f)
                        break;
                /* lots of interfaces only need altsetting zero... */
@@ -808,7 +809,7 @@ unknown:
                 */
                if ((ctrl->bRequestType & USB_RECIP_MASK)
                                == USB_RECIP_INTERFACE) {
-                       f = cdev->config->interface[w_index];
+                       f = cdev->config->interface[intf];
                        if (f && f->setup)
                                value = f->setup(f, ctrl);
                        else