Received: by 2002:a05:6a11:4021:0:0:0:0 with SMTP id ky33csp1693189pxb; Thu, 16 Sep 2021 13:09:00 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzkKbvjkIhgm37EAQHWJ51bq/6Yk8s/jqzSINwcJ+AMrsRkdEju0amSq4wC8ujdD6QXseph X-Received: by 2002:a05:6402:1241:: with SMTP id l1mr8347525edw.123.1631822939917; Thu, 16 Sep 2021 13:08:59 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1631822939; cv=none; d=google.com; s=arc-20160816; b=BydaitLXCXFekiXJ/qoe32d5bIU5zsVUSTcjFzT+YlBOrP0DaUrYqA3zBDUABTPE2M vxCfsMkEUclo0tqemliOt1P+VjRs9hxr/sH4HiFv1wWPve3ddJtqNl+Fb1T6ZunG9xbX PwIPDjGf1dU5Ak3+9cRTypF7bHS0/S3VUlUZlSwYMLRfAe35OLaNsel9jXsmSMEbojOB OzGxi0vyxseqJiUduwZePfft7Y5Gkt3wyiBSbuZJ6sa7avaKam+0My2KPg0DshBlmT+M 6pHeIWfUegLdVwXGVr659kfTSDLmlEnmU9h5nbqYYhS3pQzdeLl+DPb/+MVpQcvsII9P 0tZg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=wlzDD+jEExJBXBAhKW7WX4Y0hLH2Ff4I+ZAeGMeIM5E=; b=O2m0IQ6aCIIyd2rWjGnwMxb5+kAMcnvD5u8e1h61ghivIq+UTRy7tJsAR5/N9GvnkZ uERsX96z3H8kHzF40ZUlebaxT3c9aPnBiI8p6o7dvEOmDIHPCcfPT1Ny3K3M0VuQZ9h8 LnG2+uZdxY3K24x2PU7FxW/29s0Ia43pZSgSQlrB+6jlBz8moDq1Ns8qtfTD/EtnY2S2 EbGAj68F86m2ZdENgqcIbZZ7j7SzU9NDTImcOck/G41FxWOidEN1ycHCXq1ywFJnnOT9 AEv4SDOsbhLGMw6L1cL59DvmcIbADrmYwGSGnEJOnk8anzqsVQyd9yXYkqcIr2OLxdlN RqRA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=rfKQ78v4; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id c24si4479596edn.26.2021.09.16.13.08.11; Thu, 16 Sep 2021 13:08:59 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=rfKQ78v4; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S239784AbhIPQVF (ORCPT + 99 others); Thu, 16 Sep 2021 12:21:05 -0400 Received: from mail.kernel.org ([198.145.29.99]:49186 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232885AbhIPQMC (ORCPT ); Thu, 16 Sep 2021 12:12:02 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id BDE0161357; Thu, 16 Sep 2021 16:09:16 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1631808557; bh=qvQw3czIoSzqsNb0fcpfM4nAqg3/+tvIWVs+0JqcKCI=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=rfKQ78v4fEOFZwnPxjuWWWtiCI5WpEHyfbo/tG7Umhp2gLLu3AkjTliA0nf+IPCw9 cLLRfypKkZl3vEL+KHKHF6wbwXiI68k6GFaDFwtA6AkGZnh/yLdKyPPcxxQW4Tp0EU 2tBGa5/RLqrXIrooi2gisdsRpxhH2W5eEW/Q4tP4= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Brooke Basile , "Bryan ODonoghue" , Felipe Balbi , Lorenzo Colitti , =?UTF-8?q?Maciej=20=C5=BBenczykowski?= , Sasha Levin Subject: [PATCH 5.10 134/306] usb: gadget: u_ether: fix a potential null pointer dereference Date: Thu, 16 Sep 2021 17:57:59 +0200 Message-Id: <20210916155758.616987541@linuxfoundation.org> X-Mailer: git-send-email 2.33.0 In-Reply-To: <20210916155753.903069397@linuxfoundation.org> References: <20210916155753.903069397@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Maciej Żenczykowski [ Upstream commit 8ae01239609b29ec2eff55967c8e0fe3650cfa09 ] f_ncm tx timeout can call us with null skb to flush a pending frame. In this case skb is NULL to begin with but ceases to be null after dev->wrap() completes. In such a case in->maxpacket will be read, even though we've failed to check that 'in' is not NULL. Though I've never observed this fail in practice, however the 'flush operation' simply does not make sense with a null usb IN endpoint - there's nowhere to flush to... (note that we're the gadget/device, and IN is from the point of view of the host, so here IN actually means outbound...) Cc: Brooke Basile Cc: "Bryan O'Donoghue" Cc: Felipe Balbi Cc: Greg Kroah-Hartman Cc: Lorenzo Colitti Signed-off-by: Maciej Żenczykowski Link: https://lore.kernel.org/r/20210701114834.884597-6-zenczykowski@gmail.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin --- drivers/usb/gadget/function/u_ether.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/drivers/usb/gadget/function/u_ether.c b/drivers/usb/gadget/function/u_ether.c index c019f2b0c0af..a9cb647bac6f 100644 --- a/drivers/usb/gadget/function/u_ether.c +++ b/drivers/usb/gadget/function/u_ether.c @@ -491,8 +491,9 @@ static netdev_tx_t eth_start_xmit(struct sk_buff *skb, } spin_unlock_irqrestore(&dev->lock, flags); - if (skb && !in) { - dev_kfree_skb_any(skb); + if (!in) { + if (skb) + dev_kfree_skb_any(skb); return NETDEV_TX_OK; } -- 2.30.2