This is a note to let you know that I've just added the patch titled USB: usbtmc: fix probe error path to the 4.10-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: usb-usbtmc-fix-probe-error-path.patch and it can be found in the queue-4.10 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. >From 2e47c53503eb9faff42b3cfa144a833344dd1f89 Mon Sep 17 00:00:00 2001 From: Johan Hovold <johan@xxxxxxxxxx> Date: Tue, 14 Mar 2017 17:55:46 +0100 Subject: USB: usbtmc: fix probe error path From: Johan Hovold <johan@xxxxxxxxxx> commit 2e47c53503eb9faff42b3cfa144a833344dd1f89 upstream. Make sure to initialise the return value to avoid having allocation failures going unnoticed when allocating interrupt-endpoint resources. This prevents use-after-free or worse when the device is later unbound. Fixes: dbf3e7f654c0 ("Implement an ioctl to support the USMTMC-USB488 READ_STATUS_BYTE operation.") Cc: Dave Penkler <dpenkler@xxxxxxxxx> Signed-off-by: Johan Hovold <johan@xxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- drivers/usb/class/usbtmc.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) --- a/drivers/usb/class/usbtmc.c +++ b/drivers/usb/class/usbtmc.c @@ -1476,8 +1476,10 @@ static int usbtmc_probe(struct usb_inter if (data->iin_ep_present) { /* allocate int urb */ data->iin_urb = usb_alloc_urb(0, GFP_KERNEL); - if (!data->iin_urb) + if (!data->iin_urb) { + retcode = -ENOMEM; goto error_register; + } /* Protect interrupt in endpoint data until iin_urb is freed */ kref_get(&data->kref); 
@@ -1485,8 +1487,10 @@ static int usbtmc_probe(struct usb_inter /* allocate buffer for interrupt in */ data->iin_buffer = kmalloc(data->iin_wMaxPacketSize, GFP_KERNEL); - if (!data->iin_buffer) + if (!data->iin_buffer) { + retcode = -ENOMEM; goto error_register; + } /* fill interrupt urb */ usb_fill_int_urb(data->iin_urb, data->usb_dev, Patches currently in stable-queue which might be from johan@xxxxxxxxxx are queue-4.10/usb-serial-option-add-quectel-uc15-uc20-ec21-and-ec25-modems.patch queue-4.10/input-ims-pcu-validate-number-of-endpoints-before-using-them.patch queue-4.10/usb-usbtmc-add-missing-endpoint-sanity-check.patch queue-4.10/input-cm109-validate-number-of-endpoints-before-using-them.patch queue-4.10/input-iforce-validate-number-of-endpoints-before-using-them.patch queue-4.10/mmc-ushc-fix-null-deref-at-probe.patch queue-4.10/input-kbtab-validate-number-of-endpoints-before-using-them.patch queue-4.10/usb-usbtmc-fix-probe-error-path.patch queue-4.10/input-sur40-validate-number-of-endpoints-before-using-them.patch queue-4.10/uwb-i1480-dfu-fix-null-deref-at-probe.patch queue-4.10/input-hanwang-validate-number-of-endpoints-before-using-them.patch queue-4.10/usb-idmouse-fix-null-deref-at-probe.patch queue-4.10/uwb-hwa-rc-fix-null-deref-at-probe.patch queue-4.10/usb-lvtest-fix-null-deref-at-probe.patch queue-4.10/input-yealink-validate-number-of-endpoints-before-using-them.patch queue-4.10/usb-serial-qcserial-add-dell-dw5811e.patch queue-4.10/usb-uss720-fix-null-deref-at-probe.patch queue-4.10/usb-wusbcore-fix-null-deref-at-probe.patch
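Review bot: in the second hunk, the kmalloc() failure branch jumps to error_register after data->iin_urb has been allocated and after kref_get(&data->kref) has taken the extra reference shown at the end of the first hunk, while the usb_alloc_urb() failure branch reaches the same label with neither done. Neither hunk shows the code at error_register, so please confirm that the label (or the release path it leads to) frees iin_urb and drops that reference only when they were actually taken. With retcode now set to -ENOMEM the probe fails as intended, but an unbalanced kref on this path would either leak data or release it too early. A sentence in the changelog stating what usbtmc_probe() returned on these two paths before the change would also make the use-after-free claim easier for stable reviewers to check.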