From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id E02AF2D8364; Mon, 13 Apr 2026 16:43:36 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1776098616; cv=none; b=mJvjEvJYDoCMSvaLp2KG5g7LnvacW3WZ0/z/rWM6voTWBXRSWEBVDsqwSY4o4SIhCZl8yKeJd3OUbfXUsh/g72qfDTK1b1RhsQVk6DtFF75SSqqY48a4kVr6CZKljUXNauJpmO/gAicP1P6mvCsxkhPm/RfPrOUKMmFmXAwhego= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1776098616; c=relaxed/simple; bh=zwAykZRv3PnTkeveVaEFKNXcObHGuu0qu7RqWNDg2Jo=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=nYY5QVzHcnpHstawzXFPDIxlV/7Rk5epLz02H3in39qdLHdF/yvKy019tmNzzdK77n20hUQ3ba+/wuerevMfPv7T0OyIjWz3sMyosGBy9deKDG2AL8x1bVGo9wHaKC7kVma8pMY6RFyUgG7QNy5SEaABPVg8NRg9BeT1//C0XXk= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=Fx2bun/p; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="Fx2bun/p" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 76502C2BCAF; Mon, 13 Apr 2026 16:43:36 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1776098616; bh=zwAykZRv3PnTkeveVaEFKNXcObHGuu0qu7RqWNDg2Jo=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=Fx2bun/p/AsCI7AXde+I5Ckr+jA9BRGUmOHXnSFckBrvfFufvudJ/r0JRtbFlRCtk gxfWJjlcwc0Pn6x4JJNWzDIJWmKrzz4oYRtD5Rd3o7mMuJqCxVzcP3y8EumRv9ygxL CQ33WEwgmt0L1/JqikO8hej97pQ/pWOyJrBCDXwo= From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, stable , Simon Horman , Jakub Kicinski Subject: [PATCH 5.10 022/491] net: usb: kalmia: validate USB endpoints Date: Mon, 13 Apr 2026 17:54:27 +0200 Message-ID: <20260413155819.884406533@linuxfoundation.org> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260413155819.042779211@linuxfoundation.org> References: <20260413155819.042779211@linuxfoundation.org> User-Agent: quilt/0.69 X-stable: review X-Patchwork-Hint: ignore Precedence: bulk X-Mailing-List: stable@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit 5.10-stable review patch. If anyone has any objections, please let me know. ------------------ From: Greg Kroah-Hartman commit c58b6c29a4c9b8125e8ad3bca0637e00b71e2693 upstream. The kalmia driver should validate that the device it is probing has the proper number and types of USB endpoints it is expecting before it binds to it. If a malicious device were to not have the same urbs the driver will crash later on when it blindly accesses these endpoints. Cc: stable Signed-off-by: Greg Kroah-Hartman Reviewed-by: Simon Horman Fixes: d40261236e8e ("net/usb: Add Samsung Kalmia driver for Samsung GT-B3730") Link: https://patch.msgid.link/2026022326-shack-headstone-ef6f@gregkh Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman --- drivers/net/usb/kalmia.c | 7 +++++++ 1 file changed, 7 insertions(+) --- a/drivers/net/usb/kalmia.c +++ b/drivers/net/usb/kalmia.c @@ -132,11 +132,18 @@ kalmia_bind(struct usbnet *dev, struct u { int status; u8 ethernet_addr[ETH_ALEN]; + static const u8 ep_addr[] = { + 1 | USB_DIR_IN, + 2 | USB_DIR_OUT, + 0}; /* Don't bind to AT command interface */ if (intf->cur_altsetting->desc.bInterfaceClass != USB_CLASS_VENDOR_SPEC) return -EINVAL; + if (!usb_check_bulk_endpoints(intf, ep_addr)) + return -ENODEV; + dev->in = usb_rcvbulkpipe(dev->udev, 0x81 & USB_ENDPOINT_NUMBER_MASK); dev->out = usb_sndbulkpipe(dev->udev, 0x02 & USB_ENDPOINT_NUMBER_MASK); dev->status = NULL;