From: Greg Kroah-Hartman Date: Sat, 29 Sep 2018 23:46:58 +0000 (-0700) Subject: 4.4-stable patches X-Git-Tag: v4.18.12~37 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a6e7b84ff24ddfdcb23115e2ee23398e471011c9;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: floppy-do-not-copy-a-kernel-pointer-to-user-memory-in-fdgetprm-ioctl.patch serial-cpm_uart-return-immediately-from-console-poll.patch spi-rspi-fix-interrupted-dma-transfers.patch spi-rspi-fix-invalid-spi-use-during-system-suspend.patch spi-sh-msiof-fix-handling-of-write-value-for-sistr-register.patch spi-sh-msiof-fix-invalid-spi-use-during-system-suspend.patch spi-tegra20-slink-explicitly-enable-disable-clock.patch usb-fix-error-handling-in-usb_driver_claim_interface.patch usb-handle-null-config-in-usb_find_alt_setting.patch
---
diff --git a/queue-4.4/floppy-do-not-copy-a-kernel-pointer-to-user-memory-in-fdgetprm-ioctl.patch b/queue-4.4/floppy-do-not-copy-a-kernel-pointer-to-user-memory-in-fdgetprm-ioctl.patch
new file mode 100644
index 00000000000..a3e8157d9f9
--- /dev/null
+++ b/queue-4.4/floppy-do-not-copy-a-kernel-pointer-to-user-memory-in-fdgetprm-ioctl.patch
@@ -0,0 +1,46 @@
+From 65eea8edc315589d6c993cf12dbb5d0e9ef1fe4e Mon Sep 17 00:00:00 2001
+From: Andy Whitcroft
+Date: Thu, 20 Sep 2018 09:09:48 -0600
+Subject: floppy: Do not copy a kernel pointer to user memory in FDGETPRM ioctl
+
+From: Andy Whitcroft
+
+commit 65eea8edc315589d6c993cf12dbb5d0e9ef1fe4e upstream.
+
+The final field of a floppy_struct is the field "name", which is a pointer
+to a string in kernel memory. The kernel pointer should not be copied to
+user memory. The FDGETPRM ioctl copies a floppy_struct to user memory,
+including this "name" field. This pointer cannot be used by the user
+and it will leak a kernel address to user-space, which will reveal the
+location of kernel code and data and undermine KASLR protection.
+
+Model this code after the compat ioctl which copies the returned data
+to a previously cleared temporary structure on the stack (excluding the
+name pointer) and copy out to userspace from there. As we already have
+an inparam union with an appropriate member and that memory is already
+cleared even for read only calls make use of that as a temporary store.
+
+Based on an initial patch by Brian Belleville.
+
+CVE-2018-7755
+Signed-off-by: Andy Whitcroft
+Broke up long line.
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/block/floppy.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/block/floppy.c
++++ b/drivers/block/floppy.c
+@@ -3459,6 +3459,9 @@ static int fd_locked_ioctl(struct block_
+ (struct floppy_struct **)&outparam);
+ if (ret)
+ return ret;
++ memcpy(&inparam.g, outparam,
++ offsetof(struct floppy_struct, name));
++ outparam = &inparam.g;
+ break;
+ case FDMSGON:
+ UDP->flags |= FTD_MSG;
diff --git a/queue-4.4/serial-cpm_uart-return-immediately-from-console-poll.patch b/queue-4.4/serial-cpm_uart-return-immediately-from-console-poll.patch
new file mode 100644
index 00000000000..00c7cc229b5
--- /dev/null
+++ b/queue-4.4/serial-cpm_uart-return-immediately-from-console-poll.patch
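Review bot: The new `memcpy()` in the FDGETPRM case keeps the `name` pointer out of the user copy only because `inparam` has already been zeroed earlier in fd_locked_ioctl(), and nothing at the copy site says so; the commit message states the clearing, but it happens outside this hunk. A comment above the copy would stop a later refactor from reintroducing the address leak, for example `/* inparam is zeroed above: .name stays NULL, so no kernel pointer reaches userspace */`. Because the length is `offsetof(struct floppy_struct, name)`, the copy also relies on `name` remaining the last member, which is worth stating in the same comment.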
@@ -0,0 +1,48 @@
+From be28c1e3ca29887e207f0cbcd294cefe5074bab6 Mon Sep 17 00:00:00 2001
+From: Christophe Leroy
+Date: Fri, 14 Sep 2018 10:32:50 +0000
+Subject: serial: cpm_uart: return immediately from console poll
+
+From: Christophe Leroy
+
+commit be28c1e3ca29887e207f0cbcd294cefe5074bab6 upstream.
+
+kgdb expects poll function to return immediately and
+returning NO_POLL_CHAR when no character is available.
+
+Fixes: f5316b4aea024 ("kgdb,8250,pl011: Return immediately from console poll")
+Cc: Jason Wessel
+Cc:
+Signed-off-by: Christophe Leroy
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/tty/serial/cpm_uart/cpm_uart_core.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/drivers/tty/serial/cpm_uart/cpm_uart_core.c
++++ b/drivers/tty/serial/cpm_uart/cpm_uart_core.c
+@@ -1068,8 +1068,8 @@ static int poll_wait_key(char *obuf, str
+ /* Get the address of the host memory buffer.
+ */
+ bdp = pinfo->rx_cur;
+- while (bdp->cbd_sc & BD_SC_EMPTY)
+- ;
++ if (bdp->cbd_sc & BD_SC_EMPTY)
++ return NO_POLL_CHAR;
+
+ /* If the buffer address is in the CPM DPRAM, don't
+ * convert it.
+@@ -1104,7 +1104,11 @@ static int cpm_get_poll_char(struct uart
+ poll_chars = 0;
+ }
+ if (poll_chars <= 0) {
+- poll_chars = poll_wait_key(poll_buf, pinfo);
++ int ret = poll_wait_key(poll_buf, pinfo);
++
++ if (ret == NO_POLL_CHAR)
++ return ret;
++ poll_chars = ret;
+ pollp = poll_buf;
+ }
+ poll_chars--;
diff --git a/queue-4.4/series b/queue-4.4/series
index 923d0cc16b2..07d001eff94 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -41,3 +41,12 @@ asoc-dapm-fix-potential-dai-widget-pointer-deref-when-linking-dais.patch
 module-exclude-shn_undef-symbols-from-kallsyms-api.patch
 nfsd-fix-corrupted-reply-to-badly-ordered-compound.patch
 arm-dts-dra7-fix-dcan-node-addresses.patch
+floppy-do-not-copy-a-kernel-pointer-to-user-memory-in-fdgetprm-ioctl.patch
+serial-cpm_uart-return-immediately-from-console-poll.patch
+spi-tegra20-slink-explicitly-enable-disable-clock.patch
+spi-sh-msiof-fix-invalid-spi-use-during-system-suspend.patch
+spi-sh-msiof-fix-handling-of-write-value-for-sistr-register.patch
+spi-rspi-fix-invalid-spi-use-during-system-suspend.patch
+spi-rspi-fix-interrupted-dma-transfers.patch
+usb-fix-error-handling-in-usb_driver_claim_interface.patch
+usb-handle-null-config-in-usb_find_alt_setting.patch
diff --git a/queue-4.4/spi-rspi-fix-interrupted-dma-transfers.patch b/queue-4.4/spi-rspi-fix-interrupted-dma-transfers.patch
new file mode 100644
index 00000000000..848e77c3ab0
--- /dev/null
+++ b/queue-4.4/spi-rspi-fix-interrupted-dma-transfers.patch
@@ -0,0 +1,58 @@
+From 8dbbaa47b96f6ea5f09f922b4effff3c505cd8cf Mon Sep 17 00:00:00 2001
+From: Geert Uytterhoeven
+Date: Wed, 5 Sep 2018 10:49:39 +0200
+Subject: spi: rspi: Fix interrupted DMA transfers
+
+From: Geert Uytterhoeven
+
+commit 8dbbaa47b96f6ea5f09f922b4effff3c505cd8cf upstream.
+
+When interrupted, wait_event_interruptible_timeout() returns
+-ERESTARTSYS, and the SPI transfer in progress will fail, as expected:
+
+ m25p80 spi0.0: SPI transfer failed: -512
+ spi_master spi0: failed to transfer one message from queue
+
+However, as the underlying DMA transfers may not have completed, all
+subsequent SPI transfers may start to fail:
+
+ spi_master spi0: receive timeout
+ qspi_transfer_out_in() returned -110
+ m25p80 spi0.0: SPI transfer failed: -110
+ spi_master spi0: failed to transfer one message from queue
+
+Fix this by calling dmaengine_terminate_all() not only for timeouts, but
+also for errors.
+
+This can be reproduced on r8a7991/koelsch, using "hd /dev/mtd0" followed
+by CTRL-C.
+
+Signed-off-by: Geert Uytterhoeven
+Signed-off-by: Mark Brown
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/spi/spi-rspi.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/drivers/spi/spi-rspi.c
++++ b/drivers/spi/spi-rspi.c
+@@ -587,11 +587,13 @@ static int rspi_dma_transfer(struct rspi
+
+ ret = wait_event_interruptible_timeout(rspi->wait,
+ rspi->dma_callbacked, HZ);
+- if (ret > 0 && rspi->dma_callbacked)
++ if (ret > 0 && rspi->dma_callbacked) {
+ ret = 0;
+- else if (!ret) {
+- dev_err(&rspi->master->dev, "DMA timeout\n");
+- ret = -ETIMEDOUT;
++ } else {
++ if (!ret) {
++ dev_err(&rspi->master->dev, "DMA timeout\n");
++ ret = -ETIMEDOUT;
++ }
+ if (tx)
+ dmaengine_terminate_all(rspi->master->dma_tx);
+ if (rx)
diff --git a/queue-4.4/spi-rspi-fix-invalid-spi-use-during-system-suspend.patch b/queue-4.4/spi-rspi-fix-invalid-spi-use-during-system-suspend.patch
new file mode 100644
index 00000000000..0171425394a
--- /dev/null
+++ b/queue-4.4/spi-rspi-fix-invalid-spi-use-during-system-suspend.patch
@@ -0,0 +1,67 @@
+From c1ca59c22c56930b377a665fdd1b43351887830b Mon Sep 17 00:00:00 2001
+From: Geert Uytterhoeven
+Date: Wed, 5 Sep 2018 10:49:38 +0200
+Subject: spi: rspi: Fix invalid SPI use during system suspend
+
+From: Geert Uytterhoeven
+
+commit c1ca59c22c56930b377a665fdd1b43351887830b upstream.
+
+If the SPI queue is running during system suspend, the system may lock
+up.
+
+Fix this by stopping/restarting the queue during system suspend/resume,
+by calling spi_master_suspend()/spi_master_resume() from the PM
+callbacks. In-kernel users will receive an -ESHUTDOWN error while
+system suspend/resume is in progress.
+
+Based on a patch for sh-msiof by Gaku Inami.
+
+Signed-off-by: Geert Uytterhoeven
+Signed-off-by: Mark Brown
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/spi/spi-rspi.c | 24 ++++++++++++++++++++++++
+ 1 file changed, 24 insertions(+)
+
+--- a/drivers/spi/spi-rspi.c
++++ b/drivers/spi/spi-rspi.c
+@@ -1303,12 +1303,36 @@ static const struct platform_device_id s
+
+ MODULE_DEVICE_TABLE(platform, spi_driver_ids);
+
++#ifdef CONFIG_PM_SLEEP
++static int rspi_suspend(struct device *dev)
++{
++ struct platform_device *pdev = to_platform_device(dev);
++ struct rspi_data *rspi = platform_get_drvdata(pdev);
++
++ return spi_master_suspend(rspi->master);
++}
++
++static int rspi_resume(struct device *dev)
++{
++ struct platform_device *pdev = to_platform_device(dev);
++ struct rspi_data *rspi = platform_get_drvdata(pdev);
++
++ return spi_master_resume(rspi->master);
++}
++
++static SIMPLE_DEV_PM_OPS(rspi_pm_ops, rspi_suspend, rspi_resume);
++#define DEV_PM_OPS &rspi_pm_ops
++#else
++#define DEV_PM_OPS NULL
++#endif /* CONFIG_PM_SLEEP */
++
+ static struct platform_driver rspi_driver = {
+ .probe = rspi_probe,
+ .remove = rspi_remove,
+ .id_table = spi_driver_ids,
+ .driver = {
+ .name = "renesas_spi",
++ .pm = DEV_PM_OPS,
+ .of_match_table = of_match_ptr(rspi_of_match),
+ },
+ };
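Review bot: In rspi_suspend() and rspi_resume() the `to_platform_device()` / `platform_get_drvdata()` pair is a two-step detour, since the callbacks already receive the struct device that carries the driver data; a single `struct rspi_data *rspi = dev_get_drvdata(dev);` reads the same pointer. The same pattern appears in sh_msiof_spi_suspend() and sh_msiof_spi_resume() in the sh-msiof suspend patch later on this page. This is style only; behaviour is unchanged.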
diff --git a/queue-4.4/spi-sh-msiof-fix-handling-of-write-value-for-sistr-register.patch b/queue-4.4/spi-sh-msiof-fix-handling-of-write-value-for-sistr-register.patch
new file mode 100644
index 00000000000..45bacf78380
--- /dev/null
+++ b/queue-4.4/spi-sh-msiof-fix-handling-of-write-value-for-sistr-register.patch
@@ -0,0 +1,38 @@
+From 31a5fae4c5a009898da6d177901d5328051641ff Mon Sep 17 00:00:00 2001
+From: Hiromitsu Yamasaki
+Date: Wed, 5 Sep 2018 10:49:37 +0200
+Subject: spi: sh-msiof: Fix handling of write value for SISTR register
+
+From: Hiromitsu Yamasaki
+
+commit 31a5fae4c5a009898da6d177901d5328051641ff upstream.
+
+This patch changes writing to the SISTR register according to the H/W
+user's manual.
+
+The TDREQ bit and RDREQ bits of SISTR are read-only, and must be written
+their initial values of zero.
+
+Signed-off-by: Hiromitsu Yamasaki
+[geert: reword]
+Signed-off-by: Geert Uytterhoeven
+Signed-off-by: Mark Brown
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/spi/spi-sh-msiof.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/spi/spi-sh-msiof.c
++++ b/drivers/spi/spi-sh-msiof.c
+@@ -374,7 +374,8 @@ static void sh_msiof_spi_set_mode_regs(s
+
+ static void sh_msiof_reset_str(struct sh_msiof_spi_priv *p)
+ {
+- sh_msiof_write(p, STR, sh_msiof_read(p, STR));
++ sh_msiof_write(p, STR,
++ sh_msiof_read(p, STR) & ~(STR_TDREQ | STR_RDREQ));
+ }
+
+ static void sh_msiof_spi_write_fifo_8(struct sh_msiof_spi_priv *p,
diff --git a/queue-4.4/spi-sh-msiof-fix-invalid-spi-use-during-system-suspend.patch b/queue-4.4/spi-sh-msiof-fix-invalid-spi-use-during-system-suspend.patch
new file mode 100644
index 00000000000..952c09d5a9e
--- /dev/null
+++ b/queue-4.4/spi-sh-msiof-fix-invalid-spi-use-during-system-suspend.patch
@@ -0,0 +1,69 @@
+From ffa69d6a16f686efe45269342474e421f2aa58b2 Mon Sep 17 00:00:00 2001
+From: Gaku Inami
+Date: Wed, 5 Sep 2018 10:49:36 +0200
+Subject: spi: sh-msiof: Fix invalid SPI use during system suspend
+
+From: Gaku Inami
+
+commit ffa69d6a16f686efe45269342474e421f2aa58b2 upstream.
+
+If the SPI queue is running during system suspend, the system may lock
+up.
+
+Fix this by stopping/restarting the queue during system suspend/resume
+by calling spi_master_suspend()/spi_master_resume() from the PM
+callbacks. In-kernel users will receive an -ESHUTDOWN error while
+system suspend/resume is in progress.
+
+Signed-off-by: Gaku Inami
+Signed-off-by: Hiromitsu Yamasaki
+[geert: Cleanup, reword]
+Signed-off-by: Geert Uytterhoeven
+Signed-off-by: Mark Brown
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/spi/spi-sh-msiof.c | 25 +++++++++++++++++++++++++
+ 1 file changed, 25 insertions(+)
+
+--- a/drivers/spi/spi-sh-msiof.c
++++ b/drivers/spi/spi-sh-msiof.c
+@@ -1275,12 +1275,37 @@ static const struct platform_device_id s
+ };
+ MODULE_DEVICE_TABLE(platform, spi_driver_ids);
+
++#ifdef CONFIG_PM_SLEEP
++static int sh_msiof_spi_suspend(struct device *dev)
++{
++ struct platform_device *pdev = to_platform_device(dev);
++ struct sh_msiof_spi_priv *p = platform_get_drvdata(pdev);
++
++ return spi_master_suspend(p->master);
++}
++
++static int sh_msiof_spi_resume(struct device *dev)
++{
++ struct platform_device *pdev = to_platform_device(dev);
++ struct sh_msiof_spi_priv *p = platform_get_drvdata(pdev);
++
++ return spi_master_resume(p->master);
++}
++
++static SIMPLE_DEV_PM_OPS(sh_msiof_spi_pm_ops, sh_msiof_spi_suspend,
++ sh_msiof_spi_resume);
++#define DEV_PM_OPS &sh_msiof_spi_pm_ops
++#else
++#define DEV_PM_OPS NULL
++#endif /* CONFIG_PM_SLEEP */
++
+ static struct platform_driver sh_msiof_spi_drv = {
+ .probe = sh_msiof_spi_probe,
+ .remove = sh_msiof_spi_remove,
+ .id_table = spi_driver_ids,
+ .driver = {
+ .name = "spi_sh_msiof",
++ .pm = DEV_PM_OPS,
+ .of_match_table = of_match_ptr(sh_msiof_match),
+ },
+ };
diff --git a/queue-4.4/spi-tegra20-slink-explicitly-enable-disable-clock.patch b/queue-4.4/spi-tegra20-slink-explicitly-enable-disable-clock.patch
new file mode 100644
index 00000000000..d1773786fc3
--- /dev/null
+++ b/queue-4.4/spi-tegra20-slink-explicitly-enable-disable-clock.patch
@@ -0,0 +1,84 @@
+From 7001cab1dabc0b72b2b672ef58a90ab64f5e2343 Mon Sep 17 00:00:00 2001
+From: Marcel Ziswiler
+Date: Wed, 29 Aug 2018 08:47:57 +0200
+Subject: spi: tegra20-slink: explicitly enable/disable clock
+
+From: Marcel Ziswiler
+
+commit 7001cab1dabc0b72b2b672ef58a90ab64f5e2343 upstream.
+
+Depending on the SPI instance one may get an interrupt storm upon
+requesting resp. interrupt unless the clock is explicitly enabled
+beforehand. This has been observed trying to bring up instance 4 on
+T20.
+
+Signed-off-by: Marcel Ziswiler
+Signed-off-by: Mark Brown
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/spi/spi-tegra20-slink.c | 31 +++++++++++++++++++++++--------
+ 1 file changed, 23 insertions(+), 8 deletions(-)
+
+--- a/drivers/spi/spi-tegra20-slink.c
++++ b/drivers/spi/spi-tegra20-slink.c
+@@ -1063,6 +1063,24 @@ static int tegra_slink_probe(struct plat
+ goto exit_free_master;
+ }
+
++ /* disabled clock may cause interrupt storm upon request */
++ tspi->clk = devm_clk_get(&pdev->dev, NULL);
++ if (IS_ERR(tspi->clk)) {
++ ret = PTR_ERR(tspi->clk);
++ dev_err(&pdev->dev, "Can not get clock %d\n", ret);
++ goto exit_free_master;
++ }
++ ret = clk_prepare(tspi->clk);
++ if (ret < 0) {
++ dev_err(&pdev->dev, "Clock prepare failed %d\n", ret);
++ goto exit_free_master;
++ }
++ ret = clk_enable(tspi->clk);
++ if (ret < 0) {
++ dev_err(&pdev->dev, "Clock enable failed %d\n", ret);
++ goto exit_free_master;
++ }
++
+ spi_irq = platform_get_irq(pdev, 0);
+ tspi->irq = spi_irq;
+ ret = request_threaded_irq(tspi->irq, tegra_slink_isr,
+@@ -1071,14 +1089,7 @@ static int tegra_slink_probe(struct plat
+ if (ret < 0) {
+ dev_err(&pdev->dev, "Failed to register ISR for IRQ %d\n",
+ tspi->irq);
+- goto exit_free_master;
+- }
+-
+- tspi->clk = devm_clk_get(&pdev->dev, NULL);
+- if (IS_ERR(tspi->clk)) {
+- dev_err(&pdev->dev, "can not get clock\n");
+- ret = PTR_ERR(tspi->clk);
+- goto exit_free_irq;
++ goto exit_clk_disable;
+ }
+
+
tspi->rst = devm_reset_control_get(&pdev->dev, "spi");
+@@ -1138,6 +1149,8 @@ exit_rx_dma_free:
+ tegra_slink_deinit_dma_param(tspi, true);
+ exit_free_irq:
+ free_irq(spi_irq, tspi);
++exit_clk_disable:
++ clk_disable(tspi->clk);
+ exit_free_master:
+ spi_master_put(master);
+ return ret;
+@@ -1150,6 +1163,8 @@ static int tegra_slink_remove(struct pla
+
+ free_irq(tspi->irq, tspi);
+
++ clk_disable(tspi->clk);
++
+ if (tspi->tx_dma_chan)
+ tegra_slink_deinit_dma_param(tspi, false);
+
diff --git a/queue-4.4/usb-fix-error-handling-in-usb_driver_claim_interface.patch b/queue-4.4/usb-fix-error-handling-in-usb_driver_claim_interface.patch
new file mode 100644
index 00000000000..3856f7ef0c0
--- /dev/null
+++ b/queue-4.4/usb-fix-error-handling-in-usb_driver_claim_interface.patch
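Review bot: The clock is prepared with `clk_prepare()` in tegra_slink_probe(), but no path visible in these hunks ever unprepares it: the `clk_enable()` failure branch jumps straight to `exit_free_master`, and both the new `exit_clk_disable` label and tegra_slink_remove() call only `clk_disable()`. Unless code outside the hunks balances it, the prepare count leaks on each probe failure after that point and on every unbind. Using the paired helpers fixes all three sites: `ret = clk_prepare_enable(tspi->clk);` in place of the separate prepare and enable blocks, and `clk_disable_unprepare(tspi->clk);` at `exit_clk_disable` and in remove. Both functions start and end outside the hunks.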
@@ -0,0 +1,58 @@
+From bd729f9d67aa9a303d8925bb8c4f06af25f407d1 Mon Sep 17 00:00:00 2001
+From: Alan Stern
+Date: Mon, 10 Sep 2018 13:59:59 -0400
+Subject: USB: fix error handling in usb_driver_claim_interface()
+
+From: Alan Stern
+
+commit bd729f9d67aa9a303d8925bb8c4f06af25f407d1 upstream.
+
+The syzbot fuzzing project found a use-after-free bug in the USB
+core. The bug was caused by usbfs not unbinding from an interface
+when the USB device file was closed, which led another process to
+attempt the unbind later on, after the private data structure had been
+deallocated.
+
+The reason usbfs did not unbind the interface at the appropriate time
+was because it thought the interface had never been claimed in the
+first place. This was caused by the fact that
+usb_driver_claim_interface() does not clean up properly when
+device_bind_driver() returns an error. Although the error code gets
+passed back to the caller, the iface->dev.driver pointer remains set
+and iface->condition remains equal to USB_INTERFACE_BOUND.
+
+This patch adds proper error handling to usb_driver_claim_interface().
+
+Signed-off-by: Alan Stern
+Reported-by: syzbot+f84aa7209ccec829536f@syzkaller.appspotmail.com
+CC:
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/core/driver.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+--- a/drivers/usb/core/driver.c
++++ b/drivers/usb/core/driver.c
+@@ -562,6 +562,21 @@ int usb_driver_claim_interface(struct us
+ if (!lpm_disable_error)
+ usb_unlocked_enable_lpm(udev);
+
++ if (retval) {
++ dev->driver = NULL;
++ usb_set_intfdata(iface, NULL);
++ iface->needs_remote_wakeup = 0;
++ iface->condition = USB_INTERFACE_UNBOUND;
++
++ /*
++ * Unbound interfaces are always runtime-PM-disabled
++ * and runtime-PM-suspended
++ */
++ if (driver->supports_autosuspend)
++ pm_runtime_disable(dev);
++ pm_runtime_set_suspended(dev);
++ }
++
+ return retval;
+ }
+ EXPORT_SYMBOL_GPL(usb_driver_claim_interface);
diff --git a/queue-4.4/usb-handle-null-config-in-usb_find_alt_setting.patch b/queue-4.4/usb-handle-null-config-in-usb_find_alt_setting.patch
new file mode 100644
index 00000000000..12d0b77a80a
--- /dev/null
+++ b/queue-4.4/usb-handle-null-config-in-usb_find_alt_setting.patch
@@ -0,0 +1,38 @@
+From c9a4cb204e9eb7fa7dfbe3f7d3a674fa530aa193 Mon Sep 17 00:00:00 2001
+From: Alan Stern
+Date: Mon, 10 Sep 2018 14:00:53 -0400
+Subject: USB: handle NULL config in usb_find_alt_setting()
+
+From: Alan Stern
+
+commit c9a4cb204e9eb7fa7dfbe3f7d3a674fa530aa193 upstream.
+
+usb_find_alt_setting() takes a pointer to a struct usb_host_config as
+an argument; it searches for an interface with specified interface and
+alternate setting numbers in that config. However, it crashes if the
+usb_host_config pointer argument is NULL.
+
+Since this is a general-purpose routine, available for use in many
+places, we want to to be more robust. This patch makes it return NULL
+whenever the config argument is NULL.
+
+Signed-off-by: Alan Stern
+Reported-by: syzbot+19c3aaef85a89d451eac@syzkaller.appspotmail.com
+CC:
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/core/usb.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/core/usb.c
++++ b/drivers/usb/core/usb.c
+@@ -95,6 +95,8 @@ struct usb_host_interface *usb_find_alt_
+ struct usb_interface_cache *intf_cache = NULL;
+ int i;
+
++ if (!config)
++ return NULL;
+ for (i = 0; i < config->desc.bNumInterfaces; i++) {
+ if (config->intf_cache[i]->altsetting[0].desc.bInterfaceNumber
+ == iface_num) {
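Review bot: The NULL-config early return added at the top of usb_find_alt_setting() changes the function's contract, but its documentation sits outside this hunk and is not updated here. Callers deciding whether they still need their own check would be helped by extending the `@config` description with `may be NULL, in which case NULL is returned`. The loop that follows still dereferences `config->intf_cache[i]` without a check; whether an entry can be NULL is not visible from these lines, so that is a question for the author, not a confirmed defect.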