https://bugzilla.kernel.org/show_bug.cgi?id=207125

Bug ID: 207125
Summary: Possible null pointer dereference in ohci_restart()
Product: Drivers
Version: 2.5
Kernel Version: Linux 4.17
Hardware: All
OS: Linux
Tree: Mainline
Status: NEW
Severity: normal
Priority: P1
Component: USB
Assignee: drivers_usb@xxxxxxxxxxxxxxxxxxxxxx
Reporter: zhandy@xxxxxxxxxx
Regression: No

In Linux 4.17, ohci_restart() in /drivers/usb/host/ohci-hcd.c does not handle the failure of ohci_init(), so ohci->hcca can be left a null pointer. Writing to the ohci->hcca->int_table[i] field afterwards can then cause a null pointer dereference.

URL of ohci_restart():
https://elixir.bootlin.com/linux/v4.10.17/source/drivers/usb/host/ohci-hcd.c#L1000

    int ohci_restart(struct ohci_hcd *ohci)
    {
    	...
    	ohci_init(ohci);	/* return value not checked: failure is ignored */
    	...
    	for (i = 0; i < NUM_INTS; i++)
    		ohci->hcca->int_table [i] = 0;	/* null pointer dereference if ohci_init() failed */
    	...
    }

URL of ohci_init():
https://elixir.bootlin.com/linux/v4.10.17/source/drivers/usb/host/ohci-hcd.c#L441

    static int ohci_init (struct ohci_hcd *ohci)
    {
    	...
    	ohci->hcca = dma_alloc_coherent (hcd->self.controller,
    			sizeof(*ohci->hcca), &ohci->hcca_dma, GFP_KERNEL);
    	if (!ohci->hcca)
    		return -ENOMEM;	/* ohci->hcca is left a null pointer */
    	...
    }

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
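As an added, self-contained illustration of the pattern in the report (constructed example code, not the kernel's own; the struct layouts, the NUM_INTS value and the fail_alloc knob are assumptions), the unchecked restart is shown beside a form that propagates the init error before touching ohci->hcca:

```c
/* Constructed model of the ohci_init()/ohci_restart() pattern in the report;
 * names and the allocator knob are assumptions, not the kernel's own code. */
#include <errno.h>
#include <stdlib.h>
#define NUM_INTS 32                     /* size of the OHCI HCCA int_table */
struct hcca { unsigned int int_table[NUM_INTS]; };
struct ohci { struct hcca *hcca; };

static int fail_alloc;                  /* constructed: force allocation failure */

/* Like ohci_init(): leaves ohci->hcca NULL and returns -ENOMEM on failure. */
static int model_init(struct ohci *ohci)
{
    /* stands in for dma_alloc_coherent(), which returns NULL when memory is short */
    ohci->hcca = fail_alloc ? NULL : calloc(1, sizeof(*ohci->hcca));
    return ohci->hcca ? 0 : -ENOMEM;
}

/* The reported pattern: init's result is dropped, so a failed allocation
 * leads straight to a write through a NULL hcca pointer. */
static int restart_unchecked(struct ohci *ohci)
{
    int i;
    model_init(ohci);
    for (i = 0; i < NUM_INTS; i++)
        ohci->hcca->int_table[i] = 0;   /* NULL dereference when init failed */
    return 0;
}

/* Hardened form: check the return value before touching ohci->hcca. */
static int restart_checked(struct ohci *ohci)
{
    int i, ret = model_init(ohci);
    if (ret)
        return ret;                     /* caller sees -ENOMEM, nothing dereferenced */
    for (i = 0; i < NUM_INTS; i++)
        ohci->hcca->int_table[i] = 0;
    return 0;
}

/* Run the checked restart with allocation forced to fail (1) or succeed (0). */
static int demo_restart(int force_failure)
{
    struct ohci o = { NULL };
    int ret;
    fail_alloc = force_failure;
    ret = restart_checked(&o);
    free(o.hcca);                       /* free(NULL) is a no-op */
    return ret;
}
```

Calling restart_unchecked() with fail_alloc set reproduces the crash the report describes, which is why the demo only drives the checked variant.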