ps->dev->actconfig can be NULL and cause a NULL-deref in usb_find_alt_setting() before c9a4cb204e9e. Fix this anyway by checking that ps->dev->actconfig is not NULL, so usb_find_alt_setting() is not called with a known-bad argument.

Signed-off-by: Vladis Dronov vdronov@redhat.com
Reported-by: syzbot+19c3aaef85a89d451eac@syzkaller.appspotmail.com
---
 drivers/usb/core/devio.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/usb/core/devio.c b/drivers/usb/core/devio.c index 6ce77b33da61..26047620b003 100644 --- a/drivers/usb/core/devio.c +++ b/drivers/usb/core/devio.c @@ -824,7 +824,7 @@ static int check_ctrlrecip(struct usb_dev_state *ps, unsigned int requesttype, * class specification, which we always want to allow as it is used * to query things like ink level, etc. */ - if (requesttype == 0xa1 && request == 0) { + if (requesttype == 0xa1 && request == 0 && ps->dev->actconfig) { alt_setting = usb_find_alt_setting(ps->dev->actconfig, index >> 8, index & 0xff); if (alt_setting
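
Review bot: In the changed condition in check_ctrlrecip(), ps->dev->actconfig is read once for the NULL test and then read again as the first argument to usb_find_alt_setting(), so the check and the use only agree if nothing can clear actconfig between the two reads. The hunk does not show what lock the caller holds; if that is already guaranteed, a short comment saying so would help, otherwise read the pointer once into a local, test the local, and pass the local to usb_find_alt_setting(). Separately, with actconfig NULL the whole special case is now skipped and the request falls through to the code after this block, while the comment just above says this printer-class request is one "we always want to allow". A sentence in that comment stating what is intended for a device with no active configuration would make the new behaviour explicit, and since the commit message says the dereference no longer occurs after c9a4cb204e9e, the comment could also note that the check is defensive.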