From horst@schirmeier.com Thu Mar  9 05:10:56 2006
Date: Thu, 9 Mar 2006 14:10:49 +0100
From: Horst Schirmeier <horst@schirmeier.com>
To: Alan Stern <stern@rowland.harvard.edu>
Cc: Greg KH <greg@kroah.com>
Subject: USB: usbcore: usb_set_configuration oops (NULL ptr dereference)
Message-ID: <20060309131048.GL22994@quickstop.soohrt.org>
Content-Disposition: inline

When trying to deconfigure a device via usb_set_configuration(dev, 0),
2.6.16-rc kernels after 55c527187c9d78f840b284d596a0b298bc1493af oops
with "Unable to handle NULL pointer dereference at...". This is due to
an unchecked dereference of cp in the power budget part.

Signed-off-by: Horst Schirmeier <horst@schirmeier.com>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

---
 drivers/usb/core/message.c |   12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

--- gregkh-2.6.orig/drivers/usb/core/message.c
+++ gregkh-2.6/drivers/usb/core/message.c
@@ -1388,11 +1388,13 @@ free_interfaces:
 	if (dev->state != USB_STATE_ADDRESS)
 		usb_disable_device (dev, 1);	// Skip ep0
 
-	i = dev->bus_mA - cp->desc.bMaxPower * 2;
-	if (i < 0)
-		dev_warn(&dev->dev, "new config #%d exceeds power "
-				"limit by %dmA\n",
-				configuration, -i);
+	if (cp) {
+		i = dev->bus_mA - cp->desc.bMaxPower * 2;
+		if (i < 0)
+			dev_warn(&dev->dev, "new config #%d exceeds power "
+					"limit by %dmA\n",
+					configuration, -i);
+	}
 
 	if ((ret = usb_control_msg(dev, usb_sndctrlpipe(dev, 0),
 			USB_REQ_SET_CONFIGURATION, 0, configuration, 0,