From: Philippe Retornaz See http://bugzilla.kernel.org/show_bug.cgi?id=6617. This function dereference a __user pointer. (akpm: this code is deeply fishy. Are the types correct?) Signed-off-by: Philippe Retornaz Cc: Greg KH Signed-off-by: Andrew Morton
---
 drivers/usb/core/devio.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff -puN drivers/usb/core/devio.c~drivers-usb-core-devioc-dereference-userspace-pointer drivers/usb/core/devio.c
--- devel/drivers/usb/core/devio.c~drivers-usb-core-devioc-dereference-userspace-pointer 2006-05-29 21:16:28.000000000 -0700
+++ devel-akpm/drivers/usb/core/devio.c 2006-05-29 21:31:49.000000000 -0700
@@ -1078,7 +1078,9 @@ static int proc_submiturb(struct dev_sta
 if (copy_from_user(&uurb, arg, sizeof(uurb)))
 return -EFAULT;
- return proc_do_submiturb(ps, &uurb, (((struct usbdevfs_urb __user *)arg)->iso_frame_desc), arg);
+ return proc_do_submiturb(ps, &uurb,
+ (struct usbdevfs_iso_packet_desc __user *)uurb.iso_frame_desc,
+ arg);
 }
 static int proc_unlinkurb(struct dev_state *ps, void __user *arg)
_
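Review bot: The new second argument, `(struct usbdevfs_iso_packet_desc __user *)uurb.iso_frame_desc`, takes its value from the kernel copy `uurb`, and the explicit cast will silence any sparse address-space warning rather than show that the value is a user address. The declaration of `struct usbdevfs_urb` is not in this hunk; if `iso_frame_desc` is a trailing array member there (as I believe it is in the usbdevfs header), the removed expression was only address arithmetic on `arg` and never read user memory, while the new one hands `proc_do_submiturb` an address on the kernel stack labelled `__user`. In that case the user-space location should be derived from `arg` without a member access, e.g. `(struct usbdevfs_iso_packet_desc __user *)((char __user *)arg + offsetof(struct usbdevfs_urb, iso_frame_desc))`, which would also settle the type question raised in the description. The declaration of `uurb` and the start of `proc_submiturb` lie outside the hunk, so this needs checking against the full function.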