mirror of https://github.com/torvalds/linux.git
1633682053
Using KASAN, Dmitry found a bug in the rh_call_control() routine: If buffer allocation fails, the routine returns immediately without unlinking its URB from the control endpoint, eventually leading to linked-list corruption. This patch fixes the problem by jumping to the end of the routine (where the URB is unlinked) when an allocation failure occurs. Signed-off-by: Alan Stern <stern@rowland.harvard.edu> Reported-and-tested-by: Dmitry Vyukov <dvyukov@google.com> CC: <stable@vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|---|---|---|
| .. | ||
| Kconfig | ||
| Makefile | ||
| buffer.c | ||
| config.c | ||
| devices.c | ||
| devio.c | ||
| driver.c | ||
| endpoint.c | ||
| file.c | ||
| generic.c | ||
| hcd-pci.c | ||
| hcd.c | ||
| hub.c | ||
| hub.h | ||
| ledtrig-usbport.c | ||
| message.c | ||
| notify.c | ||
| of.c | ||
| otg_whitelist.h | ||
| port.c | ||
| quirks.c | ||
| sysfs.c | ||
| urb.c | ||
| usb-acpi.c | ||
| usb.c | ||
| usb.h | ||