[lvc-project] [PATCH] usb: serial: ti_usb_3410_5052: Add NULL check for read_urb in ti_open()

[Alexei Safin]

Avoid dereferencing port->read_urb when it is NULL, which may happen if
usb_alloc_urb() fails or initialization of usb_serial_port is incomplete.

Dereferencing a NULL pointer in ti_open() leads to a kernel crash.
This condition was detected by a static analyzer, but can also occur
in practice if memory allocation fails in probe path or if the driver
is incorrectly initialized by a faulty device descriptor.

Check port->read_urb for NULL before calling usb_clear_halt() to
prevent the crash.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Alexei Safin <a.safin at rosa.ru>
---
 drivers/usb/serial/ti_usb_3410_5052.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/drivers/usb/serial/ti_usb_3410_5052.c b/drivers/usb/serial/ti_usb_3410_5052.c
index b99f78224846..8466336714e8 100644
--- a/drivers/usb/serial/ti_usb_3410_5052.c
+++ b/drivers/usb/serial/ti_usb_3410_5052.c
@@ -710,6 +710,13 @@ static int ti_open(struct tty_struct *tty, struct usb_serial_port *port)
 	/* reset the data toggle on the bulk endpoints to work around bug in
 	 * host controllers where things get out of sync some times */
 	usb_clear_halt(dev, port->write_urb->pipe);
+
+	if (!port->read_urb) {
+		dev_err(&port->dev, "%s - no read urb\n", __func__);
+		status = -EINVAL;
+		goto unlink_int_urb;
+	}
+
 	usb_clear_halt(dev, port->read_urb->pipe);
 
 	if (tty)
-- 
2.39.5 (Apple Git-154)