1. Patchew
  2. linux
  3. View series

[PATCH] usb: serial: ti_usb_3410_5052: Add NULL check for read_urb in ti_open()

Alexei Safin posted 1 patch 9 months, 3 weeks ago 
drivers/usb/serial/ti_usb_3410_5052.c | 7 +++++++
1 file changed, 7 insertions(+)
[PATCH] usb: serial: ti_usb_3410_5052: Add NULL check for read_urb in ti_open()
Posted by Alexei Safin 9 months, 3 weeks ago 
Avoid dereferencing port->read_urb when it is NULL, which may happen if
usb_alloc_urb() fails or initialization of usb_serial_port is incomplete.

Dereferencing a NULL pointer in ti_open() leads to a kernel crash.
This condition was detected by a static analyzer, but can also occur
in practice if memory allocation fails in probe path or if the driver
is incorrectly initialized by a faulty device descriptor.

Check port->read_urb for NULL before calling usb_clear_halt() to
prevent the crash.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Alexei Safin <a.safin@rosa.ru>
---
 drivers/usb/serial/ti_usb_3410_5052.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/drivers/usb/serial/ti_usb_3410_5052.c b/drivers/usb/serial/ti_usb_3410_5052.c
index b99f78224846..8466336714e8 100644
--- a/drivers/usb/serial/ti_usb_3410_5052.c
+++ b/drivers/usb/serial/ti_usb_3410_5052.c
@@ -710,6 +710,13 @@ static int ti_open(struct tty_struct *tty, struct usb_serial_port *port)
 	/* reset the data toggle on the bulk endpoints to work around bug in
 	 * host controllers where things get out of sync some times */
 	usb_clear_halt(dev, port->write_urb->pipe);
+
+	if (!port->read_urb) {
+		dev_err(&port->dev, "%s - no read urb\n", __func__);
+		status = -EINVAL;
+		goto unlink_int_urb;
+	}
+
 	usb_clear_halt(dev, port->read_urb->pipe);
 
 	if (tty)
-- 
2.39.5 (Apple Git-154)
Re: [PATCH] usb: serial: ti_usb_3410_5052: Add NULL check for read_urb in ti_open()
Posted by Johan Hovold 9 months, 2 weeks ago 
On Tue, Apr 22, 2025 at 11:51:40PM +0300, Alexei Safin wrote:
> Avoid dereferencing port->read_urb when it is NULL, which may happen if
> usb_alloc_urb() fails or initialization of usb_serial_port is incomplete.
>
> Dereferencing a NULL pointer in ti_open() leads to a kernel crash.
> This condition was detected by a static analyzer, but can also occur
> in practice if memory allocation fails in probe path or if the driver
> is incorrectly initialized by a faulty device descriptor.

No, this can't happen as probe would abort on allocation failures and
the malicious descriptor case was fixed 8 years ago by commit
ef079936d3cd ("USB: serial: ti_usb_3410_5052: fix NULL-deref at open").

Johan

Patchew 2.1-devel-b67e4c2

© 2016 - 2026 Red Hat, Inc.