From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>, stable@vger.kernel.org, Alan Stern <stern@rowland.harvard.edu>, Andrey Konovalov <andreyknvl@google.com>, Felipe Balbi <felipe.balbi@linux.intel.com>, Ben Hutchings <ben.hutchings@codethink.co.uk> Subject: [PATCH 4.4 04/28] usb: usbtest: fix NULL pointer dereference Date: Thu, 16 Nov 2017 18:42:22 +0100 Message-ID: <20171116174138.888159602@linuxfoundation.org> (raw) In-Reply-To: <20171116174138.714641106@linuxfoundation.org> 4.4-stable review patch. If anyone has any objections, please let me know. ------------------ From: Alan Stern <stern@rowland.harvard.edu> commit 7c80f9e4a588f1925b07134bb2e3689335f6c6d8 upstream. If the usbtest driver encounters a device with an IN bulk endpoint but no OUT bulk endpoint, it will try to dereference a NULL pointer (out->desc.bEndpointAddress). The problem can be solved by adding a missing test. Signed-off-by: Alan Stern <stern@rowland.harvard.edu> Reported-by: Andrey Konovalov <andreyknvl@google.com> Tested-by: Andrey Konovalov <andreyknvl@google.com> Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com> Cc: Ben Hutchings <ben.hutchings@codethink.co.uk> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> --- drivers/usb/misc/usbtest.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) --- a/drivers/usb/misc/usbtest.c +++ b/drivers/usb/misc/usbtest.c @@ -185,12 +185,13 @@ found: return tmp; } - if (in) { + if (in) dev->in_pipe = usb_rcvbulkpipe(udev, in->desc.bEndpointAddress & USB_ENDPOINT_NUMBER_MASK); + if (out) dev->out_pipe = usb_sndbulkpipe(udev, out->desc.bEndpointAddress & USB_ENDPOINT_NUMBER_MASK); - } + if (iso_in) { dev->iso_in = &iso_in->desc; dev->in_iso_pipe = usb_rcvisocpipe(udev,
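Review bot: the new `if (out)` guard leaves dev->out_pipe unassigned when the device has no OUT bulk endpoint, and the hunk does not show what value the field then holds or whether the code that later uses out_pipe checks for it. It is worth confirming that every user of out_pipe (and of in_pipe, for the mirror case) rejects an unset pipe before building a URB, or setting the field to 0 explicitly here, so the NULL dereference is not simply moved to a later use of an invalid pipe. Separating the two tests also changes behaviour for a device with an OUT bulk endpoint but no IN one: out_pipe was previously set only inside `if (in) { ... }` and is now set independently, which the commit message, describing only the IN-without-OUT case, does not mention. A minor style point: each brace-less `if` now has a body spanning two lines directly above the braced `if (iso_in) {`, so keeping braces on both would read more consistently.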