Date: Tue, 25 Sep 2018 10:14:31 -0400 (EDT)
From: Alan Stern
To: Vladis Dronov
cc: Greg Kroah-Hartman, Oliver Neukum, Hans de Goede, stable
Subject: Re: [PATCH] usb: usbfs: fix crash in check_ctrlrecip()->usb_find_alt_setting()
In-Reply-To: <20180925122242.10950-1-vdronov@redhat.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, 25 Sep 2018, Vladis Dronov wrote:

> ps->dev->actconfig can be NULL and cause NULL-deref in usb_find_alt_setting()
> before c9a4cb204e9e. fix this anyway by checking that ps->dev->actconfig is not
> NULL, so usb_find_alt_setting() is not called with a known-bad argument.

What reason is there for having two different fixes for the same bug?
This one isn't going to get into any mainline trees that don't already
have c9a4cb204e9e.

Alan Stern

> Signed-off-by: Vladis Dronov
> Reported-by: syzbot+19c3aaef85a89d451eac@syzkaller.appspotmail.com
> ---
> drivers/usb/core/devio.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/usb/core/devio.c b/drivers/usb/core/devio.c
> index 6ce77b33da61..26047620b003 100644
> --- a/drivers/usb/core/devio.c
> +++ b/drivers/usb/core/devio.c
> @@ -824,7 +824,7 @@ static int check_ctrlrecip(struct usb_dev_state *ps, unsigned int requesttype,
> * class specification, which we always want to allow as it is used
> * to query things like ink level, etc.
> */
> - if (requesttype == 0xa1 && request == 0) {
> + if (requesttype == 0xa1 && request == 0 && ps->dev->actconfig) {
> alt_setting = usb_find_alt_setting(ps->dev->actconfig,
> index >> 8, index & 0xff);
> if (alt_setting
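Review bot: the added ps->dev->actconfig test in the "requesttype == 0xa1 && request == 0" condition of check_ctrlrecip() is undocumented; the comment above it only explains why this request is always allowed, so a short note on when actconfig can be NULL would tell the reader why the branch is skipped in that case. The commit message cites c9a4cb204e9e by bare hash; the usual kernel form adds the commit subject in parentheses, and the message should say which trees need the caller-side check, since by its own account the NULL dereference in usb_find_alt_setting() only occurs before that commit. There is also no Fixes: tag next to the Signed-off-by and Reported-by lines.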