From: Greg Kroah-Hartman
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman, patches@lists.linux.dev, stable, Simon Horman, Jakub Kicinski
Subject: [PATCH 6.12 131/265] net: usb: kalmia: validate USB endpoints
Date: Thu, 12 Mar 2026 21:08:38 +0100
Message-ID: <20260312201022.982981769@linuxfoundation.org>
X-Mailer: git-send-email 2.53.0
In-Reply-To: <20260312201018.128816016@linuxfoundation.org>
References: <20260312201018.128816016@linuxfoundation.org>
User-Agent: quilt/0.69
X-stable: review
X-Patchwork-Hint: ignore
Precedence: bulk
X-Mailing-List: stable@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

6.12-stable review patch. If anyone has any objections, please let me know.

------------------

From: Greg Kroah-Hartman

commit c58b6c29a4c9b8125e8ad3bca0637e00b71e2693 upstream.

The kalmia driver should validate that the device it is probing has the
proper number and types of USB endpoints it is expecting before it binds
to it. If a malicious device were to not have the same urbs the driver
will crash later on when it blindly accesses these endpoints.

Cc: stable
Signed-off-by: Greg Kroah-Hartman
Reviewed-by: Simon Horman
Fixes: d40261236e8e ("net/usb: Add Samsung Kalmia driver for Samsung GT-B3730")
Link: https://patch.msgid.link/2026022326-shack-headstone-ef6f@gregkh
Signed-off-by: Jakub Kicinski
Signed-off-by: Greg Kroah-Hartman
---
 drivers/net/usb/kalmia.c | 7 +++++++
 1 file changed, 7 insertions(+)

--- a/drivers/net/usb/kalmia.c +++ b/drivers/net/usb/kalmia.c
@@ -132,11 +132,18 @@ kalmia_bind(struct usbnet *dev, struct u { int status; u8 ethernet_addr[ETH_ALEN]; + static const u8 ep_addr[] = { + 1 | USB_DIR_IN, + 2 | USB_DIR_OUT, + 0}; /* Don't bind to AT command interface */ if (intf->cur_altsetting->desc.bInterfaceClass != USB_CLASS_VENDOR_SPEC) return -EINVAL; + if (!usb_check_bulk_endpoints(intf, ep_addr)) + return -ENODEV; + dev->in = usb_rcvbulkpipe(dev->udev, 0x81 & USB_ENDPOINT_NUMBER_MASK); dev->out = usb_sndbulkpipe(dev->udev, 0x02 & USB_ENDPOINT_NUMBER_MASK); dev->status = NULL;
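
Review bot: the endpoint addresses are now written twice in kalmia_bind(), in two different notations. The new ep_addr[] table uses 1 | USB_DIR_IN and 2 | USB_DIR_OUT, while the unchanged usb_rcvbulkpipe() and usb_sndbulkpipe() calls just below still use the literals 0x81 and 0x02. Nothing ties the addresses that are validated to the ones the pipes are built from, so a later edit to one can silently leave the other unchecked. Consider a pair of named constants used in both places, and a short comment on the table saying that the trailing 0 terminates the list. The placement of the check looks right: after the interface class test and before any pipe is set up.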