Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp1083339imu;
        Wed, 23 Jan 2019 10:27:08 -0800 (PST)
X-Google-Smtp-Source: ALg8bN6yxxCVfOsZ+c4BJ1iVZcWEIm2Y1Yex0Mohr4qQYn2IjR+FDYJ7aSjcQ+oVbuRGLUFgUJjw
X-Received: by 2002:a17:902:5588:: with SMTP id g8mr3348403pli.22.1548268028326;
        Wed, 23 Jan 2019 10:27:08 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1548268028; cv=none;
        d=google.com; s=arc-20160816;
        b=ExPaWnCM+PdxWIVwQlkhVDPNLOUa486DxBJ7T3+A6IdcdqGHL1bqY7SaSoB4kyOA64
         zAVUtW0BxdGhSk7UqF3e5MTSdN/8RYbqthEL5Dix5Ofpq3jC0xo78tAHcqNT8iEVndnB
         aQ4+UuP6MmJEcxKsx7zvjV0jrRy5je6SUigMpS0dHTKysrhZZmUPvI+pYwPUmQlilIHw
         uUh1M4ZBjLWhPCHnAeqGneQDvo4ZGJ76M7eUMGr6CPI/iCNmm61QNLAAed7r4rQViSE5
         rplbhfO1bE0O4kOokkaPaPMAoU4Byx3ww6aUhAfaq1itBEP+7nXHZX+PslhVqDPRz5qL
         Fa0w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:message-id:date:subject:cc:to:from;
        bh=iT7ejasrnn1YFwI7fGoNBKNZr8sWphYxBnkmXl71Yok=;
        b=WE4TOqUze5Kk26FdmKRP3lkDhbKPlDdCxFYxGa4oAVg33h1U6v/nZfsXo6kshcn/lK
         LLnBCJOY55vJQLu9pfBC4q5508vqV7R0U0eoroFnErG1BqwWmxdcaNPnofyGHF+bBu5H
         SVYfEsg3MVElOGMHnVsuAxBnw9fi48+e1ri/JfUqXFQENJg/jTzaP6KZlJZQV0dPmd/F
         P/5G256EjkLSeW3TiJq2V9Nacjy1cGM6GCPxDHBHsZLpnTxkXfi5WpoM0Bim8GB1bUDm
         LCRXx+4sFbF/NjPjMVKBWcjZRqIRME/36J5dTeZKpjiVcqqXBX2O/pk7zCB2T6vhoXVz
         eL1w==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id v6si17903495pfb.178.2019.01.23.10.26.53;
        Wed, 23 Jan 2019 10:27:08 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726398AbfAWS0p (ORCPT <rfc822;shmalave.kernel@gmail.com>
        + 99 others); Wed, 23 Jan 2019 13:26:45 -0500
Received: from lnfm1.sai.msu.ru ([93.180.26.255]:55965 "EHLO lnfm1.sai.msu.ru"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1725996AbfAWS0n (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 23 Jan 2019 13:26:43 -0500
X-Greylist: delayed 2054 seconds by postgrey-1.27 at vger.kernel.org; Wed, 23 Jan 2019 13:26:41 EST
Received: from dragon.sai.msu.ru (dragon.sai.msu.ru [93.180.26.172])
        by lnfm1.sai.msu.ru (8.14.1/8.12.8) with ESMTP id x0NHq34E026792;
        Wed, 23 Jan 2019 20:52:08 +0300
Received: from localhost.localdomain (unknown [213.87.135.174])
        (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
        (Client did not present a certificate)
        by dragon.sai.msu.ru (Postfix) with ESMTPSA id 2DB247AAA;
        Wed, 23 Jan 2019 20:52:04 +0300 (MSK)
From:   "Matwey V. Kornilov" <matwey@sai.msu.ru>
To:     Bin Liu <b-liu@ti.com>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc:     matwey.kornilov@gmail.com,
        "Matwey V. Kornilov" <matwey@sai.msu.ru>,
        linux-usb@vger.kernel.org (open list:MUSB MULTIPOINT HIGH SPEED
        DUAL-ROLE CONTROLLER), linux-kernel@vger.kernel.org (open list)
Subject: [PATCH] usb: musb: Fix potential NULL dereference
Date:   Wed, 23 Jan 2019 20:51:42 +0300
Message-Id: <20190123175142.12604-1-matwey@sai.msu.ru>
X-Mailer: git-send-email 2.16.4
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

We assign "urb->hcpriv = qh;" a few lines down. The valid qh for the urb is
hep->hcpriv in this code path.

Fixes: 714bc5ef3eda ("musb: potential use after free")
Signed-off-by: Matwey V. Kornilov <matwey@sai.msu.ru>
---
 drivers/usb/musb/musb_host.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/usb/musb/musb_host.c b/drivers/usb/musb/musb_host.c
index c6118a962d37..6f267716768e 100644
--- a/drivers/usb/musb/musb_host.c
+++ b/drivers/usb/musb/musb_host.c
@@ -2336,7 +2336,7 @@ static int musb_urb_enqueue(
 		 * odd, rare, error prone, but legal.
 		 */
 		kfree(qh);
-		qh = NULL;
+		qh = hep->hcpriv;
 		ret = 0;
 	} else
 		ret = musb_schedule(musb, qh,
-- 
2.16.4