Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

usbip: fix possibility of dereference by NULL pointer in vhci_hcd.c

This patch fixes possibility of dereference by NULL pointer in "[PATCH
v5 1/3] usbip: vhci extension: modifications to vhci driver" which has
been merged to 4.9-rc1. It occurs when a URB with pointer to invalid
USB/IP device is enqueued in race condition against detach operation.

A pointer was passed to vdev_to_vhci() before NULL check.
In vdev_to_vhci(), there's a dereference by the pointer.

This patch moves vdev_to_vhci() after NULL check of the pointer.

Signed-off-by: Nobuo Iwata <nobuo.iwata@fujixerox.co.jp>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

authored by Nobuo Iwata and committed by Greg Kroah-Hartman
d79cda04 220c61b6

+2 -1
drivers/usb/usbip/vhci_hcd.c
··· 460 460 { 461 461 struct vhci_device *vdev = get_vdev(urb->dev); 462 462 struct vhci_priv *priv; 463 - struct vhci_hcd *vhci = vdev_to_vhci(vdev); 463 + struct vhci_hcd *vhci; 464 464 unsigned long flags; 465 465 466 466 if (!vdev) { 467 467 pr_err("could not get virtual device"); 468 468 return; 469 469 } 470 + vhci = vdev_to_vhci(vdev); 470 471 471 472 priv = kzalloc(sizeof(struct vhci_priv), GFP_ATOMIC); 472 473 if (!priv) {
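Review bot: the moved assignment at new line 470 is only protected against get_vdev() returning NULL, while the commit message describes a race against detach; nothing in the visible lines takes a lock between get_vdev(urb->dev) and vhci = vdev_to_vhci(vdev), so please state in the description whether a non-NULL vdev can still go stale in that window or why it cannot. Separately, the pr_err("could not get virtual device") in the guarded branch has no trailing "\n", and since this path now matters as the safe exit it would be worth terminating the message so it is not merged with the next log line.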