Received: by 2002:a05:6a10:eb17:0:0:0:0 with SMTP id hx23csp518151pxb; Thu, 9 Sep 2021 06:17:53 -0700 (PDT) X-Google-Smtp-Source: ABdhPJysERIH4MvrMnoZ50RyxcU61MHgpqGBg4jC+kT54dY/eESwXUvr71JQ/PpaM5OCiSxioJyd X-Received: by 2002:a05:6e02:1bab:: with SMTP id n11mr2412943ili.85.1631193473464; Thu, 09 Sep 2021 06:17:53 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1631193473; cv=none; d=google.com; s=arc-20160816; b=VLB8heHxQpi8POU7qCHVfNmmBRs5akLTg07vYwYycCTnKdExTOwsfBiHwdDCLnQelH 9+2mHftDVV3KMfjZFzx6/lAszWMw7G4h7gzWiHp7axkJVZEreLB8gRaJdhEHu+T8ct+K FACbsTtJH4cxWylgxh8hn+E/xEvO47b6mqs3gR2dLLSw3vHbr3krdjZqb2UIQN2zHwl4 LiYEA0xgsxUrIT+2qceA+bOz4QXkhxJnZYNsn/vvAh0CS4aFe/uV7ylJMnkeiLxBBhWN e9rX4O7eDez7BxM0XmNMDG8z2jA8HIJz6FPbwZKDjgXk0uoZbzH/rhR7L386kXnzKN80 Zv8w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature; bh=zcMW+oCKTIW8EnTq8xQdKkVXlhAuh54yZsSZmsU8BtQ=; b=AoBje2JAN/pIIfdWy8PncNRrBr2ENLSJxjWQP6FMJYTxmYBLQIv/q1oFjc5GUXm9Rp +X3s3/NmpSAfmY5lNzZjXQqTndQrLNgoQ3Pw1LUzgzzK9ySr0mgtjNtYxEX6InkKWbcm 5r8UoWXCbhdQxWyTrHZokmNy0BKc2BVxTYC3QqQwvBUjq5ieOpBkWUqdHd6EmOntX61+ +NUCQsmP4FYsxyh9b9s8A/EhSoJB8Q8kW0Ky2slsSr+Nl6RrU6S8riADQf+0WxqonDJ5 xuWDcVcI/yyxuZt7Dfo4ZJjTxxtZmsUSyZYwHKdDATOg0DO3CNzS67e32QnHJK0b1HK1 5eOw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=mnptjKC8; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id 8si1518909jay.69.2021.09.09.06.17.39; Thu, 09 Sep 2021 06:17:53 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=mnptjKC8; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1354225AbhIINRH (ORCPT + 99 others); Thu, 9 Sep 2021 09:17:07 -0400 Received: from mail.kernel.org ([198.145.29.99]:46258 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1357492AbhIINBD (ORCPT ); Thu, 9 Sep 2021 09:01:03 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id 1F87C6327A; Thu, 9 Sep 2021 11:59:14 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1631188755; bh=K89+PjeYf+JmyFRph+y/P6rffIMvMSbu4Zh+Ou+QUiU=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=mnptjKC8tWfEnf06LT5YU/XNW7T7y5Yz1ylQLx6BBWROlYUbYKmzLA+cjrIYHYbef uZ8EiMGvhKgHUFwoP8/0ltFnwvrvctIrMPwplvoFZN3TxO75bDeKSVazjC9ge4E1bh ADYSWosgLFLwuQqbEStTsgaz5ASKoC9tQ26nxEPHgvJMxcMvcqnrQ9uMQHnY5UH3yn IMbcQpUaR0AyPMr4Os7t7oI0z/VT/sLWG9O148VW0hFMART/iC7b4AIya4VYzNtk1J fxBuwfMCaiHPyRDhmaNQ9/DlycoQe0DFJ/CNsuSxLBtPzK/yj6UvL+V1pRhIoFg0m1 3yMg/F/DnF6mA== From: Sasha Levin To: linux-kernel@vger.kernel.org, stable@vger.kernel.org Cc: =?UTF-8?q?Maciej=20=C5=BBenczykowski?= , Brooke Basile , "Bryan O'Donoghue" , Felipe Balbi , Greg Kroah-Hartman , Lorenzo Colitti , Sasha Levin , linux-usb@vger.kernel.org Subject: [PATCH AUTOSEL 4.14 11/59] usb: gadget: u_ether: fix a potential null pointer dereference Date: Thu, 9 Sep 2021 07:58:12 -0400 Message-Id: <20210909115900.149795-11-sashal@kernel.org> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20210909115900.149795-1-sashal@kernel.org> References: <20210909115900.149795-1-sashal@kernel.org> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 X-stable: review X-Patchwork-Hint: Ignore Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Maciej Żenczykowski [ Upstream commit 8ae01239609b29ec2eff55967c8e0fe3650cfa09 ] f_ncm tx timeout can call us with null skb to flush a pending frame. In this case skb is NULL to begin with but ceases to be null after dev->wrap() completes. In such a case in->maxpacket will be read, even though we've failed to check that 'in' is not NULL. Though I've never observed this fail in practice, however the 'flush operation' simply does not make sense with a null usb IN endpoint - there's nowhere to flush to... (note that we're the gadget/device, and IN is from the point of view of the host, so here IN actually means outbound...) Cc: Brooke Basile Cc: "Bryan O'Donoghue" Cc: Felipe Balbi Cc: Greg Kroah-Hartman Cc: Lorenzo Colitti Signed-off-by: Maciej Żenczykowski Link: https://lore.kernel.org/r/20210701114834.884597-6-zenczykowski@gmail.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin --- drivers/usb/gadget/function/u_ether.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/drivers/usb/gadget/function/u_ether.c b/drivers/usb/gadget/function/u_ether.c index 989682cc8686..38a35f57b22c 100644 --- a/drivers/usb/gadget/function/u_ether.c +++ b/drivers/usb/gadget/function/u_ether.c @@ -495,8 +495,9 @@ static netdev_tx_t eth_start_xmit(struct sk_buff *skb, } spin_unlock_irqrestore(&dev->lock, flags); - if (skb && !in) { - dev_kfree_skb_any(skb); + if (!in) { + if (skb) + dev_kfree_skb_any(skb); return NETDEV_TX_OK; } -- 2.30.2