From nobody Tue Feb 10 11:56:12 2026
Received: from mail-qv1-f44.google.com (mail-qv1-f44.google.com
 [209.85.219.44])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 2A43329B795
	for <linux-kernel@vger.kernel.org>; Tue, 10 Feb 2026 03:59:33 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=209.85.219.44
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1770695975; cv=none;
 b=hSh7ZklYtw4+eKSwrqGjifvJI7h0+M0I7Hr8GqTVbVcepYK11SeZfQhPGHjba+khj5WDprUdpQuEz+SWqvpwW1+BdKmdy/URR3WXGCxYOqsqSQesaga+kA94/vEe4UFMnfCqvQhsimhdysD+rnhYE7CIVv46RKPtYEI+vyj32ug=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1770695975; c=relaxed/simple;
	bh=CaLRQGDtoDAMVEGVQgSbj/4K3469J4TgDR0REJBVcu8=;
	h=From:To:Cc:Subject:Date:Message-Id:MIME-Version;
 b=MT1jSVLAGV9CuT81Rc349KCg2GRGTsCk8TA8yMLv6uj3/CaLiBeafnbhwiET2yqjNvbF9wNRF3145W1IjUjupgZS43rbhxwcR16q2ohs96+WcVjH+fpCWpDqNxDR2rTk37qpi+AeE5GFf6pNYKvTQIXXsAzYyOG63+ok0YSplLM=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=u.northwestern.edu;
 spf=pass smtp.mailfrom=u.northwestern.edu;
 dkim=pass (2048-bit key) header.d=u-northwestern-edu.20230601.gappssmtp.com
 header.i=@u-northwestern-edu.20230601.gappssmtp.com header.b=rAAsRLm9;
 arc=none smtp.client-ip=209.85.219.44
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=u.northwestern.edu
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=u.northwestern.edu
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=u-northwestern-edu.20230601.gappssmtp.com
 header.i=@u-northwestern-edu.20230601.gappssmtp.com header.b="rAAsRLm9"
Received: by mail-qv1-f44.google.com with SMTP id
 6a1803df08f44-896f6d4b6c1so27852066d6.2
        for <linux-kernel@vger.kernel.org>;
 Mon, 09 Feb 2026 19:59:32 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=u-northwestern-edu.20230601.gappssmtp.com; s=20230601; t=1770695972;
 x=1771300772; darn=vger.kernel.org;
        h=content-transfer-encoding:mime-version:message-id:date:subject:cc
         :to:from:from:to:cc:subject:date:message-id:reply-to;
        bh=wpf1MFkXf0A2Zb5z4XixNkuKeokSbhH8docqD8c0D1o=;
        b=rAAsRLm9jd5zGuxE7IRxpY70+FzVNB7fzAwXmJyuZcklTlOeGSEygv/rzywjGSNxlB
         HZfh21kfHFqykDw9irRR+lOBO5uvwxvMT9IZOij/wE0/g+D8Onpd/J4l8ksM+LAPrNtJ
         dyIK9TXawJsdIWrElX3GXUz9gE5Va2UNHOCbwsusv3cAYEBKYdIAkdAgu+zViUPeS+Gv
         DazsxJ91zm04fa88dC75BbwOJpyPIniuQIpFNsUh0sdl2U2EHA52w68t1HWJqAA2a8gx
         DakNlIpb20h4gXRLkajS6OozZZEHlkgVYK5pPsJpOHdF/HLBkYo4wqO9xDqfofkOxwNC
         Ng0Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1770695972; x=1771300772;
        h=content-transfer-encoding:mime-version:message-id:date:subject:cc
         :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date
         :message-id:reply-to;
        bh=wpf1MFkXf0A2Zb5z4XixNkuKeokSbhH8docqD8c0D1o=;
        b=SlWtVLv0PChGQxkEFI3xsWSngwtLTLcdOGc5DkxqYGAZFa0TClr1l7e73+h7zUtqwb
         Yorf6Jqu4r7Dnc/L77vj3dHLyq4z9q0N0qH/eLDB0lYtxjH+xQFQbsO22vKEihU53Kd4
         A+rEJILkBzwhRLIdouYqsxEklfFrqCPzEeBaHyXGlU+fd/kzweaJg9k8wz0crBsbOHVd
         sYWXMBsMVmJTg2a9dtEaYRfUpkU5zTkvxifbe5iDg+6zgA0B29s7uSSgvDZL+4W3BKeG
         a5qcKJ1zcwP2JhyykicoempsvuBQ4d/r+TwFNQEVqeBLKRliIAcWWFom2i1sAbWLMpK5
         5Kow==
X-Forwarded-Encrypted: i=1;
 AJvYcCUV49bJdPtndCekV7YgHG+nIVcKLK+MI/xhc0fwz+RNXfBBs1YZivDker6alrIAWCL0KFVPo+8zLlKyfWA=@vger.kernel.org
X-Gm-Message-State: AOJu0Ywa1pEzUBCroq2uguSnLCtAeS35KQDLZJYEjyTY4kv38BkhEbGX
	fI5v/El7+LfyfBvgXSGxTrXI449SpLQbVvKhlVEa+Evi+y/8O6T/8r9Hg9QzfUReg3c=
X-Gm-Gg: AZuq6aIrH6Io/71UCoBPoYep9gkQIuEBkMJuY496j1A82tCeC4K7vAcJa0CYaFiYWWn
	jfruRr0Th+Zd0oNAsu8zNlj13IAKnFGyNb7XDZjfgqiaVseXppJKsbwat41PYkpdzoMsveDXNd1
	v3gghAl1vXSC/5kC9TGlTbYJh9cMFKV7eoNrPCErY3KF/WXhHUH1qvsnWPc0Cc97/4+ARtDamLS
	GZZxDB8gFaHR+9c3gEXM3vqZ4rb70QmzNXjQZ722r5E9q2v3bjKHtfA3RyVAYoBoCM95K1l2a6+
	Wn3du6vgRh7d6affW06DqNAHxqK91R+GaNVsMjpbAMt5G4gMVHk23OESM/2tRSs63kVdghIRwsi
	qxmrawaWtYBzw36kRe//Xfk0rCWmhwX9ZOOLWeMmNd+1Y9UTkU3R2xKswyuvnenRu4sqkr4xVg/
	i4IOb7yOnwncpid1fWdFdKlVm090dNdCC9FlvnEnqMYHSM31Ttyrnc+v1MfxSqRYuqM0mtHkStK
	9T6ldOZzXolk/PclQvFIrdcmmiqmr7ZLVmgrtCO+Dkrr7ma0lXO3A==
X-Received: by 2002:ad4:574b:0:b0:88a:43bf:b279 with SMTP id
 6a1803df08f44-8970e515d3dmr9855216d6.33.1770695972160;
        Mon, 09 Feb 2026 19:59:32 -0800 (PST)
Received: from security.cs.northwestern.edu (security.cs.northwestern.edu.
 [165.124.184.136])
        by smtp.gmail.com with ESMTPSA id
 af79cd13be357-8caf9a16558sm939193785a.27.2026.02.09.19.59.31
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 09 Feb 2026 19:59:31 -0800 (PST)
From: Ziyi Guo <n7l8m4@u.northwestern.edu>
To: Frank Jungclaus <frank.jungclaus@esd.eu>,
	Marc Kleine-Budde <mkl@pengutronix.de>
Cc: Vincent Mailhol <mailhol@kernel.org>,
	socketcan@esd.eu,
	"David S . Miller" <davem@davemloft.net>,
	Wolfgang Grandegger <wg@grandegger.com>,
	linux-can@vger.kernel.org,
	linux-kernel@vger.kernel.org,
	Ziyi Guo <n7l8m4@u.northwestern.edu>
Subject: [PATCH] can: esd_usb: add endpoint type validation
Date: Tue, 10 Feb 2026 03:59:29 +0000
Message-Id: <20260210035929.3490155-1-n7l8m4@u.northwestern.edu>
X-Mailer: git-send-email 2.34.1
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

esd_usb_probe() constructs bulk pipes for two endpoints without
verifying their transfer types:

  - usb_rcvbulkpipe(dev->udev, 1) for RX (version reply, async RX data)
  - usb_sndbulkpipe(dev->udev, 2) for TX (version query, CAN frames)

A malformed USB device can present these endpoints with transfer types
that differ from what the driver assumes, triggering the WARNING in
usb_submit_urb().

Add usb_check_bulk_endpoints() before the first bulk transfer to verify
endpoint types, rejecting devices with mismatched descriptors at probe
time.

Similar to
- commit 90b7f2961798 ("net: usb: rtl8150: enable basic endpoint checking")
  which established the usb_check_bulk_endpoints() validation pattern.

Fixes: 96d8e90382dc ("can: Add driver for esd CAN-USB/2 device")
Signed-off-by: Ziyi Guo <n7l8m4@u.northwestern.edu>
---
 drivers/net/can/usb/esd_usb.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/drivers/net/can/usb/esd_usb.c b/drivers/net/can/usb/esd_usb.c
index 8cc924c47042..054ded490eb3 100644
--- a/drivers/net/can/usb/esd_usb.c
+++ b/drivers/net/can/usb/esd_usb.c
@@ -1301,6 +1301,10 @@ static int esd_usb_probe(struct usb_interface *intf,
 	struct esd_usb *dev;
 	union esd_usb_msg *msg;
 	int i, err;
+	static const u8 bulk_ep_addr[] =3D {
+		USB_DIR_IN | 1,		/* EP 1 IN  (RX) */
+		USB_DIR_OUT | 2,	/* EP 2 OUT (TX) */
+		0};
=20
 	dev =3D kzalloc(sizeof(*dev), GFP_KERNEL);
 	if (!dev) {
@@ -1320,6 +1324,13 @@ static int esd_usb_probe(struct usb_interface *intf,
 		goto free_msg;
 	}
=20
+	/* Verify that the required bulk endpoints are present */
+	if (!usb_check_bulk_endpoints(intf, bulk_ep_addr)) {
+		dev_err(&intf->dev, "Missing or invalid bulk endpoints\n");
+		err =3D -ENODEV;
+		goto free_msg;
+	}
+
 	/* query number of CAN interfaces (nets) */
 	msg->hdr.cmd =3D ESD_USB_CMD_VERSION;
 	msg->hdr.len =3D sizeof(struct esd_usb_version_msg) / sizeof(u32); /* # o=
f 32bit words */
--=20
2.34.1