[thirdparty/kernel/stable-queue.git] / releases / 4.19.54 / usb-xhci-fix-a-potential-null-pointer-dereference-in.patch

From f9076059b547b93821b13682bcb4294ed13c5d4d Mon Sep 17 00:00:00 2001
From: Jia-Ju Bai <baijiaju1990@gmail.com>
Date: Wed, 22 May 2019 14:33:58 +0300
Subject: usb: xhci: Fix a potential null pointer dereference in
 xhci_debugfs_create_endpoint()

[ Upstream commit 5bce256f0b528624a34fe907db385133bb7be33e ]

In xhci_debugfs_create_slot(), kzalloc() can fail and
dev->debugfs_private will be NULL.
In xhci_debugfs_create_endpoint(), dev->debugfs_private is used without
any null-pointer check, and can cause a null pointer dereference.

To fix this bug, a null-pointer check is added in
xhci_debugfs_create_endpoint().

This bug is found by a runtime fuzzing tool named FIZZER written by us.

[subjet line change change, add potential -Mathais]
Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/usb/host/xhci-debugfs.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/usb/host/xhci-debugfs.c b/drivers/usb/host/xhci-debugfs.c
index cadc01336bf8..7ba6afc7ef23 100644
--- a/drivers/usb/host/xhci-debugfs.c
+++ b/drivers/usb/host/xhci-debugfs.c
@@ -440,6 +440,9 @@ void xhci_debugfs_create_endpoint(struct xhci_hcd *xhci,
 	struct xhci_ep_priv	*epriv;
 	struct xhci_slot_priv	*spriv = dev->debugfs_private;
 
+	if (!spriv)
+		return;
+
 	if (spriv->eps[ep_index])
 		return;
 
-- 
2.20.1
Commit	Line	Data
a15a8890 SL	1	From f9076059b547b93821b13682bcb4294ed13c5d4d Mon Sep 17 00:00:00 2001
	2	From: Jia-Ju Bai <baijiaju1990@gmail.com>
	3	Date: Wed, 22 May 2019 14:33:58 +0300
	4	Subject: usb: xhci: Fix a potential null pointer dereference in
	5	xhci_debugfs_create_endpoint()
	6
	7	[ Upstream commit 5bce256f0b528624a34fe907db385133bb7be33e ]
	8
	9	In xhci_debugfs_create_slot(), kzalloc() can fail and
	10	dev->debugfs_private will be NULL.
	11	In xhci_debugfs_create_endpoint(), dev->debugfs_private is used without
	12	any null-pointer check, and can cause a null pointer dereference.
	13
	14	To fix this bug, a null-pointer check is added in
	15	xhci_debugfs_create_endpoint().
	16
	17	This bug is found by a runtime fuzzing tool named FIZZER written by us.
	18
	19	[subjet line change change, add potential -Mathais]
	20	Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
	21	Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	22	Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
	23	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	24	Signed-off-by: Sasha Levin <sashal@kernel.org>
	25	---
	26	drivers/usb/host/xhci-debugfs.c \| 3 +++
	27	1 file changed, 3 insertions(+)
	28
	29	diff --git a/drivers/usb/host/xhci-debugfs.c b/drivers/usb/host/xhci-debugfs.c
	30	index cadc01336bf8..7ba6afc7ef23 100644
	31	--- a/drivers/usb/host/xhci-debugfs.c
	32	+++ b/drivers/usb/host/xhci-debugfs.c
	33	@@ -440,6 +440,9 @@ void xhci_debugfs_create_endpoint(struct xhci_hcd *xhci,
	34	struct xhci_ep_priv *epriv;
	35	struct xhci_slot_priv *spriv = dev->debugfs_private;
	36
	37	+ if (!spriv)
	38	+ return;
	39	+
	40	if (spriv->eps[ep_index])
	41	return;
	42
	43	--
	44	2.20.1
	45