If the hub_configure() fails after setting the hdev->maxchild the hub->ports might be NULL or point to uninitialized kzallocated memory causing NULL pointer dereference in hub_quiesce() during cleanup. Now after such error the hdev->maxchild is set to 0 to avoid cleanup of uninitialized ports.
Suggested-by: Alan Stern <stern@xxxxxxxxxxxxxxxxxxx>
Signed-off-by: Krzysztof Mazur <krzysiek@xxxxxxxxxxxx>
---
 drivers/usb/core/hub.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
index 558313d..588c3a3 100644
--- a/drivers/usb/core/hub.c
+++ b/drivers/usb/core/hub.c
@@ -1339,7 +1339,7 @@ static int hub_configure(struct usb_hub *hub,
 GFP_KERNEL);
 if (!hub->ports) {
 ret = -ENOMEM;
- goto fail;
+ goto fail_maxchild;
 }
 wHubCharacteristics = le16_to_cpu(hub->descriptor->wHubCharacteristics);
@@ -1466,7 +1466,7 @@ static int hub_configure(struct usb_hub *hub,
 ret = usb_get_status(hdev, USB_RECIP_DEVICE, 0, &hubstatus);
 if (ret < 2) {
 message = "can't get hub status";
- goto fail;
+ goto fail_maxchild;
 }
 le16_to_cpus(&hubstatus);
 hcd = bus_to_hcd(hdev->bus);
@@ -1512,14 +1512,14 @@ static int hub_configure(struct usb_hub *hub,
 &hub->tt, GFP_KERNEL);
 if (ret < 0) {
 message = "can't update HCD hub info";
- goto fail;
+ goto fail_maxchild;
 }
 }
 ret = hub_hub_status(hub, &hubstatus, &hubchange);
 if (ret < 0) {
 message = "can't get hub status";
- goto fail;
+ goto fail_maxchild;
 }
 /* local power status reports aren't always correct */
@@ -1547,7 +1547,7 @@ static int hub_configure(struct usb_hub *hub,
 hub->urb = usb_alloc_urb(0, GFP_KERNEL);
 if (!hub->urb) {
 ret = -ENOMEM;
- goto fail;
+ goto fail_maxchild;
 }
 usb_fill_int_urb(hub->urb, hdev, pipe, *hub->buffer, maxp, hub_irq,
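Review bot: The error paths converted in the hunks at 1466, 1512 and 1547 are only reached after the `hub->ports` allocation in the hunk at 1339 has succeeded, so by then the array may already hold registered port devices (the code between those hunks is not shown, so this is an inference). Resetting `hdev->maxchild` to 0 on those paths would then make any cleanup loop bounded by `maxchild` skip them, trading the NULL dereference for port devices that are never removed after a failed configure. It is worth confirming how the disconnect path finds the ports to release; if it relies on `maxchild`, either remove the already created ports before the reset or record how many were created instead of zeroing the count.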
@@ -1567,6 +1567,8 @@ static int hub_configure(struct usb_hub *hub,
 hub_activate(hub, HUB_INIT);
 return 0;
+fail_maxchild:
+ hdev->maxchild = 0;
 fail:
 dev_err (hub_dev, "config failed, %s (err %d)\n", message, ret);
--
1.8.4.rc1.409.gbd48715
--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
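Review bot: Having two exit labels makes the fix depend on every error path after the `hdev->maxchild` assignment choosing `fail_maxchild`; a later `goto fail` added past that point would silently bring back the NULL dereference in hub_quiesce() that the commit message describes. If `hdev->maxchild` is still 0 on the earlier failure paths (the assignment is outside the hunks, so this needs confirming), doing the reset unconditionally is simpler and cannot be bypassed: keep only `fail:` and put `hdev->maxchild = 0;` directly under it. Either way, a comment above the reset such as `/* ports[] may be NULL or only partly set up; keep cleanup from walking it */` would record why the count is cleared. The error path continues below `dev_err()` outside the hunk.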