CVE-2025-21916

In the Linux kernel, the following vulnerability has been resolved:

usb: atm: cxacru: fix a flaw in existing endpoint checks

Syzbot once again identified a flaw in usb endpoint checking, see [1]. This time the issue stems from a commit authored by me (2eabb655a968 ("usb: atm: cxacru: fix endpoint checking in cxacru_bind()")).

While using usbfindcommon_endpoints() may usually be enough to discard devices with wrong endpoints, in this case one needs more than just finding and identifying the sufficient number of endpoints of correct types - one needs to check the endpoint's address as well.

Since cxacrubind() fills URBs with CXACRUEPCMD address in mind, switch the endpoint verification approach to usbcheckXXXendpoints() instead to fix incomplete ep testing.

[1] Syzbot report: usb 5-1: BOGUS urb xfer, pipe 3 != type 1 WARNING: CPU: 0 PID: 1378 at drivers/usb/core/urb.c:504 usbsubmiturb+0xc4e/0x18c0 drivers/usb/core/urb.c:503 ... RIP: 0010:usbsubmiturb+0xc4e/0x18c0 drivers/usb/core/urb.c:503 ... Call Trace: <TASK> cxacrucm+0x3c8/0xe50 drivers/usb/atm/cxacru.c:649 cxacrucardstatus drivers/usb/atm/cxacru.c:760 [inline] cxacrubind+0xcf9/0x1150 drivers/usb/atm/cxacru.c:1223 usbatmusbprobe+0x314/0x1d30 drivers/usb/atm/usbatm.c:1058 cxacruusbprobe+0x184/0x220 drivers/usb/atm/cxacru.c:1377 usbprobeinterface+0x641/0xbb0 drivers/usb/core/driver.c:396 reallyprobe+0x2b9/0xad0 drivers/base/dd.c:658 _driverprobedevice+0x1a2/0x390 drivers/base/dd.c:800 driverprobedevice+0x50/0x430 drivers/base/dd.c:830 ...