From patchwork Fri Jul 18 09:29:41 2014
X-Patchwork-Submitter: Luis Henriques
X-Patchwork-Id: 371387
From: Luis Henriques
To: Michal Nazarewicz
Cc: kernel-team@lists.ubuntu.com, Felipe Balbi
Subject: [3.11.y.z extended stable] Patch "usb: gadget: f_fs: fix NULL pointer dereference when there are no strings" has been added to staging queue
Date: Fri, 18 Jul 2014 10:29:41 +0100
Message-Id: <1405675781-14081-1-git-send-email-luis.henriques@canonical.com>
X-Extended-Stable: 3.11

This is a note to let you know that I have just added a patch titled

    usb: gadget: f_fs: fix NULL pointer dereference when there are no strings

to the linux-3.11.y-queue branch of the 3.11.y.z extended stable tree
which can be found at:

 http://kernel.ubuntu.com/git?p=ubuntu/linux.git;a=shortlog;h=refs/heads/linux-3.11.y-queue

If you, or anyone else, feels it should not be added to this tree, please
reply to this email.

For more information about the 3.11.y.z tree, see
https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable

Thanks.
-Luis

------

From ad4204b65ecf6ecd2f736fffb30a33f9d9065651 Mon Sep 17 00:00:00 2001
From: Michal Nazarewicz
Date: Tue, 17 Jun 2014 17:47:41 +0200
Subject: usb: gadget: f_fs: fix NULL pointer dereference when there are no strings

commit f0688c8b81d2ea239c3fb0b848f623b579238d99 upstream.

If the descriptors do not need any strings and user space sends empty
set of strings, the ffs->stringtabs field remains NULL. Thus
*ffs->stringtabs in functionfs_bind leads to a NULL pointer
dereference.

The bug was introduced by commit [fd7c9a007f: “use usb_string_ids_n()”].

While at it, remove double initialisation of lang local variable in
that function.

ffs->strings_count does not need to be checked in any way since in the
above scenario it will remain zero and usb_string_ids_n() is
a no-operation when called with 0 argument.

Signed-off-by: Michal Nazarewicz
Signed-off-by: Felipe Balbi
Signed-off-by: Luis Henriques
---
 drivers/usb/gadget/f_fs.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

--
1.9.1

diff --git a/drivers/usb/gadget/f_fs.c b/drivers/usb/gadget/f_fs.c index b6e9d917221e..84219f656051 100644 --- a/drivers/usb/gadget/f_fs.c +++ b/drivers/usb/gadget/f_fs.c @@ -1389,11 +1389,13 @@ static int functionfs_bind(struct ffs_data *ffs, struct usb_composite_dev *cdev) ffs->ep0req->context = ffs; lang = ffs->stringtabs; - for (lang = ffs->stringtabs; *lang; ++lang) { - struct usb_string *str = (*lang)->strings; - int id = first_id; - for (; str->s; ++id, ++str) - str->id = id; + if (lang) { + for (; *lang; ++lang) { + struct usb_string *str = (*lang)->strings; + int id = first_id; + for (; str->s; ++id, ++str) + str->id = id; + } } ffs->gadget = cdev->gadget;
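
Review bot: The "if (lang)" guard added in functionfs_bind() has no comment saying when ffs->stringtabs is allowed to be NULL, so a later cleanup could fold the test back into the loop header and reintroduce the dereference of *lang. A one-line comment above the guard, for example "stringtabs stays NULL when user space sent an empty set of strings", would record the invariant that the commit message describes. The retained context line "lang = ffs->stringtabs;" is now the only initialisation of lang, which matches the stated removal of the double initialisation. If the extra nesting level is unwanted, "for (; lang && *lang; ++lang)" gives the same protection at the cost of re-testing lang on every pass.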