releases/4.14.28/usbip-vudc-fix-null-pointer-dereference-on-udc-lock.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From df3334c223a033f562645712e832ca4cbb326bbf Mon Sep 17 00:00:00 2001
 From: Colin Ian King <colin.king@canonical.com>
 Date: Thu, 22 Feb 2018 17:39:17 +0000
 Subject: usbip: vudc: fix null pointer dereference on udc->lock

 From: Colin Ian King <colin.king@canonical.com>

 commit df3334c223a033f562645712e832ca4cbb326bbf upstream.

 Currently the driver attempts to spin lock on udc->lock before a NULL
 pointer check is performed on udc, hence there is a potential null
 pointer dereference on udc->lock.  Fix this by moving the null check
 on udc before the lock occurs.

 Fixes: ea6873a45a22 ("usbip: vudc: Add SysFS infrastructure for VUDC")
 Signed-off-by: Colin Ian King <colin.king@canonical.com>
 Acked-by: Shuah Khan <shuahkh@osg.samsung.com>
 Reviewed-by: Krzysztof Opasiak <k.opasiak@samsung.com>
 Cc: stable <stable@vger.kernel.org>
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 ---
  drivers/usb/usbip/vudc_sysfs.c |    8 ++++++--
  1 file changed, 6 insertions(+), 2 deletions(-)

 --- a/drivers/usb/usbip/vudc_sysfs.c
 +++ b/drivers/usb/usbip/vudc_sysfs.c
 @@ -117,10 +117,14 @@ static ssize_t store_sockfd(struct devic
  	if (rv != 0)
  		return -EINVAL;

 +	if (!udc) {
 +		dev_err(dev, "no device");
 +		return -ENODEV;
 +	}
  	spin_lock_irqsave(&udc->lock, flags);
  	/* Don't export what we don't have */
 -	if (!udc || !udc->driver || !udc->pullup) {
 -		dev_err(dev, "no device or gadget not bound");
 +	if (!udc->driver || !udc->pullup) {
 +		dev_err(dev, "gadget not bound");
  		ret = -ENODEV;
  		goto unlock;
  	}
	From df3334c223a033f562645712e832ca4cbb326bbf Mon Sep 17 00:00:00 2001
	From: Colin Ian King <colin.king@canonical.com>
	Date: Thu, 22 Feb 2018 17:39:17 +0000
	Subject: usbip: vudc: fix null pointer dereference on udc->lock

	From: Colin Ian King <colin.king@canonical.com>

	commit df3334c223a033f562645712e832ca4cbb326bbf upstream.

	Currently the driver attempts to spin lock on udc->lock before a NULL
	pointer check is performed on udc, hence there is a potential null
	pointer dereference on udc->lock. Fix this by moving the null check
	on udc before the lock occurs.

	Fixes: ea6873a45a22 ("usbip: vudc: Add SysFS infrastructure for VUDC")
	Signed-off-by: Colin Ian King <colin.king@canonical.com>
	Acked-by: Shuah Khan <shuahkh@osg.samsung.com>
	Reviewed-by: Krzysztof Opasiak <k.opasiak@samsung.com>
	Cc: stable <stable@vger.kernel.org>
	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

	---
	drivers/usb/usbip/vudc_sysfs.c \| 8 ++++++--
	1 file changed, 6 insertions(+), 2 deletions(-)

	--- a/drivers/usb/usbip/vudc_sysfs.c
	+++ b/drivers/usb/usbip/vudc_sysfs.c
	@@ -117,10 +117,14 @@ static ssize_t store_sockfd(struct devic
	if (rv != 0)
	return -EINVAL;

	+ if (!udc) {
	+ dev_err(dev, "no device");
	+ return -ENODEV;
	+ }
	spin_lock_irqsave(&udc->lock, flags);
	/* Don't export what we don't have */
	- if (!udc \|\| !udc->driver \|\| !udc->pullup) {
	- dev_err(dev, "no device or gadget not bound");
	+ if (!udc->driver \|\| !udc->pullup) {
	+ dev_err(dev, "gadget not bound");
	ret = -ENODEV;
	goto unlock;
	}