Received: by 2002:a05:6a10:eb17:0:0:0:0 with SMTP id hx23csp445745pxb; Thu, 9 Sep 2021 04:46:49 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzQkHymqV0sqEbkNZYUBoE+LmWZdVfMOtqeAd2QRL5VJnYzjxNrjlLHy2r93ElbmDCcZN+x X-Received: by 2002:a92:cb12:: with SMTP id s18mr1898583ilo.32.1631188009812; Thu, 09 Sep 2021 04:46:49 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1631188009; cv=none; d=google.com; s=arc-20160816; b=wYTORSr/Z5ykJjPM0zdXbUzJo9JQEg746y3Vijd4H4AUbcc7QSKy+R6zAT3l1bBQgj MR6EcpWHt7726iC8KJcv0Z++yLmTDVICBz32CEJW7KmYF3GEkiiihwHVVepLUOE8YI+J d8NO1HzaBBfH9AgwHuEeiO3nk/oklrK/oUEZKp57S8Am2JH0W9W6tcrKWKjQIZ+LQIRC BUhtFejP2Ue7qEDhjEjMcoDt8VnBSXoctOOe/7dUNPq8grTdKo5Y+Aa9H+D31rigkDv/ V55MPUSwlftSW6foXVMUXDAu7tTLh8unensTmYpAdRXeeqm8IOp4+R9iWTsiUzHZd2AZ ASQg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature; bh=lg48aRSUJqtGgSNB3q+HDRpP3vdX/Qbtidnhezdt6w4=; b=fKawMt7/l48vTFwNEeaJoznBYGnNfI0IUNxtUVOIx5De56Ph+uHhgzsbr2gONPDsph EYWgCy6iEToClJSzfM/MH8swuuyK1qT6XKRoDQ93Mmkftr//R93ffLh8ncek78wJZIpH VkUTF4rBx3ZeTURWw9QDYRQH3x3DSPnrdHtbLSSxj9dNat+vOrZb+htuMMA0PPOt1tHJ VUaYb20nzfh2EiH6jHfkRxe7pI7CgShpAsr7qrvIL/0qOpHDw+wZuf+0v3mHQuW4uwEt u4D8seTs1H6h1427BacbdMpJVUXR5SP9GOztYZ3QmlQirM/qg8jQW7L18pXBCOHdzBt/ hhDA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=XSCmCDzT; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id b7si1392156ilm.138.2021.09.09.04.46.38; Thu, 09 Sep 2021 04:46:49 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=XSCmCDzT; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S236805AbhIILq7 (ORCPT + 99 others); Thu, 9 Sep 2021 07:46:59 -0400 Received: from mail.kernel.org ([198.145.29.99]:46342 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S237872AbhIILnV (ORCPT ); Thu, 9 Sep 2021 07:43:21 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id C071C61207; Thu, 9 Sep 2021 11:41:58 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1631187719; bh=8SccjHQBBdBLX2oYdc8x9YK5U1X7hTEEkIPQP0ZnWro=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=XSCmCDzTaXN+WXC4LlVOf4mivD88GK8e5t6uRIH5sEvQmZh4SwwAt1PhGEuPXhJDW 7A5KRNyXy0vUIXtHUwSwY4FVVF87W3fk+jVHmvazTQ6JGAlP74Nr7MFAmwkh64mY49 Twywp6Vc7W6mRf726wn6xjhlrRpAts8gPVQ5iyHdVKrwNnzcZQQNGQnhfBUO1tnIv1 oeIHYiA/9HwpmV4QX6BxMZ+OQOO2zZ7uldBFFF9J0dNyaUrkcbFklrXpKtjtxXaYEo R8mT/xwr703eO1HoCIiLt7620j4vIE0TQq0sT2EYWHbp5ssPEeOhuZGRabKKfDXtE4 dafBYK+ly9wQQ== From: Sasha Levin To: linux-kernel@vger.kernel.org, stable@vger.kernel.org Cc: =?UTF-8?q?Maciej=20=C5=BBenczykowski?= , Brooke Basile , "Bryan O'Donoghue" , Felipe Balbi , Greg Kroah-Hartman , Lorenzo Colitti , Sasha Levin , linux-usb@vger.kernel.org Subject: [PATCH AUTOSEL 5.14 041/252] usb: gadget: u_ether: fix a potential null pointer dereference Date: Thu, 9 Sep 2021 07:37:35 -0400 Message-Id: <20210909114106.141462-41-sashal@kernel.org> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20210909114106.141462-1-sashal@kernel.org> References: <20210909114106.141462-1-sashal@kernel.org> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 X-stable: review X-Patchwork-Hint: Ignore Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Maciej Żenczykowski [ Upstream commit 8ae01239609b29ec2eff55967c8e0fe3650cfa09 ] f_ncm tx timeout can call us with null skb to flush a pending frame. In this case skb is NULL to begin with but ceases to be null after dev->wrap() completes. In such a case in->maxpacket will be read, even though we've failed to check that 'in' is not NULL. Though I've never observed this fail in practice, however the 'flush operation' simply does not make sense with a null usb IN endpoint - there's nowhere to flush to... (note that we're the gadget/device, and IN is from the point of view of the host, so here IN actually means outbound...) Cc: Brooke Basile Cc: "Bryan O'Donoghue" Cc: Felipe Balbi Cc: Greg Kroah-Hartman Cc: Lorenzo Colitti Signed-off-by: Maciej Żenczykowski Link: https://lore.kernel.org/r/20210701114834.884597-6-zenczykowski@gmail.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin --- drivers/usb/gadget/function/u_ether.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/drivers/usb/gadget/function/u_ether.c b/drivers/usb/gadget/function/u_ether.c index d1d044d9f859..85a3f6d4b5af 100644 --- a/drivers/usb/gadget/function/u_ether.c +++ b/drivers/usb/gadget/function/u_ether.c @@ -492,8 +492,9 @@ static netdev_tx_t eth_start_xmit(struct sk_buff *skb, } spin_unlock_irqrestore(&dev->lock, flags); - if (skb && !in) { - dev_kfree_skb_any(skb); + if (!in) { + if (skb) + dev_kfree_skb_any(skb); return NETDEV_TX_OK; } -- 2.30.2