From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <stable-owner@vger.kernel.org>
Received: from mail.linuxfoundation.org ([140.211.169.12]:52522 "EHLO
        mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S932099AbdC1LdT (ORCPT
        <rfc822;stable@vger.kernel.org>); Tue, 28 Mar 2017 07:33:19 -0400
Subject: Patch "USB: usbtmc: add missing endpoint sanity check" has been added to the 4.4-stable tree
To: johan@kernel.org, gregkh@linuxfoundation.org
Cc: <stable@vger.kernel.org>, <stable-commits@vger.kernel.org>
From: <gregkh@linuxfoundation.org>
Date: Tue, 28 Mar 2017 13:32:41 +0200
Message-ID: <1490700761242250@kroah.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=ANSI_X3.4-1968
Content-Transfer-Encoding: 8bit
Sender: stable-owner@vger.kernel.org
List-ID: <stable.vger.kernel.org>


This is a note to let you know that I've just added the patch titled

    USB: usbtmc: add missing endpoint sanity check

to the 4.4-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     usb-usbtmc-add-missing-endpoint-sanity-check.patch
and it can be found in the queue-4.4 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.


>>From 687e0687f71ec00e0132a21fef802dee88c2f1ad Mon Sep 17 00:00:00 2001
From: Johan Hovold <johan@kernel.org>
Date: Tue, 14 Mar 2017 17:55:45 +0100
Subject: USB: usbtmc: add missing endpoint sanity check

From: Johan Hovold <johan@kernel.org>

commit 687e0687f71ec00e0132a21fef802dee88c2f1ad upstream.

USBTMC devices are required to have a bulk-in and a bulk-out endpoint,
but the driver failed to verify this, something which could lead to the
endpoint addresses being taken from uninitialised memory.

Make sure to zero all private data as part of allocation, and add the
missing endpoint sanity check.

Note that this also addresses a more recently introduced issue, where
the interrupt-in-presence flag would also be uninitialised whenever the
optional interrupt-in endpoint is not present. This in turn could lead
to an interrupt urb being allocated, initialised and submitted based on
uninitialised values.

Fixes: dbf3e7f654c0 ("Implement an ioctl to support the USMTMC-USB488 READ_STATUS_BYTE operation.")
Fixes: 5b775f672cc9 ("USB: add USB test and measurement class driver")
Signed-off-by: Johan Hovold <johan@kernel.org>
[ johan: backport to v4.4 ]
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/class/usbtmc.c |    9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

--- a/drivers/usb/class/usbtmc.c
+++ b/drivers/usb/class/usbtmc.c
@@ -1105,7 +1105,7 @@ static int usbtmc_probe(struct usb_inter
 
 	dev_dbg(&intf->dev, "%s called\n", __func__);
 
-	data = kmalloc(sizeof(*data), GFP_KERNEL);
+	data = kzalloc(sizeof(*data), GFP_KERNEL);
 	if (!data)
 		return -ENOMEM;
 
@@ -1163,6 +1163,12 @@ static int usbtmc_probe(struct usb_inter
 		}
 	}
 
+	if (!data->bulk_out || !data->bulk_in) {
+		dev_err(&intf->dev, "bulk endpoints not found\n");
+		retcode = -ENODEV;
+		goto err_put;
+	}
+
 	retcode = get_capabilities(data);
 	if (retcode)
 		dev_err(&intf->dev, "can't read capabilities\n");
@@ -1186,6 +1192,7 @@ static int usbtmc_probe(struct usb_inter
 error_register:
 	sysfs_remove_group(&intf->dev.kobj, &capability_attr_grp);
 	sysfs_remove_group(&intf->dev.kobj, &data_attr_grp);
+err_put:
 	kref_put(&data->kref, usbtmc_delete);
 	return retcode;
 }


Patches currently in stable-queue which might be from johan@kernel.org are

queue-4.4/usb-serial-option-add-quectel-uc15-uc20-ec21-and-ec25-modems.patch
queue-4.4/input-ims-pcu-validate-number-of-endpoints-before-using-them.patch
queue-4.4/usb-usbtmc-add-missing-endpoint-sanity-check.patch
queue-4.4/input-cm109-validate-number-of-endpoints-before-using-them.patch
queue-4.4/input-iforce-validate-number-of-endpoints-before-using-them.patch
queue-4.4/mmc-ushc-fix-null-deref-at-probe.patch
queue-4.4/input-kbtab-validate-number-of-endpoints-before-using-them.patch
queue-4.4/input-sur40-validate-number-of-endpoints-before-using-them.patch
queue-4.4/uwb-i1480-dfu-fix-null-deref-at-probe.patch
queue-4.4/input-hanwang-validate-number-of-endpoints-before-using-them.patch
queue-4.4/usb-idmouse-fix-null-deref-at-probe.patch
queue-4.4/uwb-hwa-rc-fix-null-deref-at-probe.patch
queue-4.4/usb-lvtest-fix-null-deref-at-probe.patch
queue-4.4/input-yealink-validate-number-of-endpoints-before-using-them.patch
queue-4.4/usb-serial-qcserial-add-dell-dw5811e.patch
queue-4.4/usb-uss720-fix-null-deref-at-probe.patch
queue-4.4/usb-wusbcore-fix-null-deref-at-probe.patch