Received: by 2002:a05:6a11:4021:0:0:0:0 with SMTP id ky33csp1797026pxb; Thu, 16 Sep 2021 16:09:46 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxifHSM1gTOKiVLP/W1nEg05IZasH6SQCCJ/7/BEfJDqr2prXxgY/QAkxK5uCExVA3IGEnJ X-Received: by 2002:a92:d8cc:: with SMTP id l12mr5790221ilo.166.1631833786501; Thu, 16 Sep 2021 16:09:46 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1631833786; cv=none; d=google.com; s=arc-20160816; b=ZBhwwFIR4XxytbHwzWJTnNq5K7x196thW0dGULcUmHSLiFjxfTZHavZ5lJqsL3THII B5ZvFga0C+ON8VtBBEezmnyKTO1qW7xaDFA8jLxJ1KewBZPIvQsNb3huaxpKJP+sS39v TcZ8ovu/7j7hl1dcqFIsXoDbl60tC5mlpZl9SSyNybPFKd/uPuebA2exaKQlPo3gznos tBQWNEF8wyQ3ViZfAUAXnf3+kc/3z1Og3V5t/o0UVcMAnLGL0D28WpnQ9djNtd8QsURx TkIooU9RlEvWhioPoQxKjSHupKdyxHl/1Ym0zJN9RoehnbCVxTt+4CxzJZ+jj28iOHnR 7r7w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=lg48aRSUJqtGgSNB3q+HDRpP3vdX/Qbtidnhezdt6w4=; b=h+YBekfrvN6yHOyLAbcGri5z2BX+i/UsLbKK8DIILHIvXM088cPY6PeQo3LOcGPcEk XpwuCBi/gXU+FZEtFHyptpnbotEnKFx/HpFSMxVLyUTwQ9RbGYdHT+Uscl2JIDWh93eK CWh9Mml0bnvJnIBBSN3M+qh4wfPSLA480J63R2eWKIPNQN3gyzDete1wqZsbUHVUDMkr tikvpwb7e9B4MPKeExotdykcurUPS21zcGyUqxISshh9RmeBR8MzZh4q+vvEOqknTbWO UjyS+mcLJATeluNKBnkVFsuwbUukEqqOTKe8tygL+lzzVtaxbzvRRjqweQXeNrEYVg3e 7HsA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=VLVTyNXN; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id s5si3777541ilv.155.2021.09.16.16.09.35; Thu, 16 Sep 2021 16:09:46 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=VLVTyNXN; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S245087AbhIPQsF (ORCPT + 99 others); Thu, 16 Sep 2021 12:48:05 -0400 Received: from mail.kernel.org ([198.145.29.99]:57528 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1343593AbhIPQmf (ORCPT ); Thu, 16 Sep 2021 12:42:35 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id 8BC6961A3D; Thu, 16 Sep 2021 16:24:50 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1631809491; bh=8SccjHQBBdBLX2oYdc8x9YK5U1X7hTEEkIPQP0ZnWro=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=VLVTyNXNM5yL33U497oTUc4f7uMvijrseuKOJkiatmX4p6O9Z2Mom8Kj032nkUVNj /U5C+hrCW5aOZl/Z+22XrNL7bZzFIA+Xge1VoD1ufwkSwX1ne7d5oikvy9gocyzc8+ Vr1pNOSA2HpFv2VR+3aAx3abNb+dFUFXQEc/guKw= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Brooke Basile , "Bryan ODonoghue" , Felipe Balbi , Lorenzo Colitti , =?UTF-8?q?Maciej=20=C5=BBenczykowski?= , Sasha Levin Subject: [PATCH 5.13 172/380] usb: gadget: u_ether: fix a potential null pointer dereference Date: Thu, 16 Sep 2021 17:58:49 +0200 Message-Id: <20210916155809.927051509@linuxfoundation.org> X-Mailer: git-send-email 2.33.0 In-Reply-To: <20210916155803.966362085@linuxfoundation.org> References: <20210916155803.966362085@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Maciej Żenczykowski [ Upstream commit 8ae01239609b29ec2eff55967c8e0fe3650cfa09 ] f_ncm tx timeout can call us with null skb to flush a pending frame. In this case skb is NULL to begin with but ceases to be null after dev->wrap() completes. In such a case in->maxpacket will be read, even though we've failed to check that 'in' is not NULL. Though I've never observed this fail in practice, however the 'flush operation' simply does not make sense with a null usb IN endpoint - there's nowhere to flush to... (note that we're the gadget/device, and IN is from the point of view of the host, so here IN actually means outbound...) Cc: Brooke Basile Cc: "Bryan O'Donoghue" Cc: Felipe Balbi Cc: Greg Kroah-Hartman Cc: Lorenzo Colitti Signed-off-by: Maciej Żenczykowski Link: https://lore.kernel.org/r/20210701114834.884597-6-zenczykowski@gmail.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin --- drivers/usb/gadget/function/u_ether.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/drivers/usb/gadget/function/u_ether.c b/drivers/usb/gadget/function/u_ether.c index d1d044d9f859..85a3f6d4b5af 100644 --- a/drivers/usb/gadget/function/u_ether.c +++ b/drivers/usb/gadget/function/u_ether.c @@ -492,8 +492,9 @@ static netdev_tx_t eth_start_xmit(struct sk_buff *skb, } spin_unlock_irqrestore(&dev->lock, flags); - if (skb && !in) { - dev_kfree_skb_any(skb); + if (!in) { + if (skb) + dev_kfree_skb_any(skb); return NETDEV_TX_OK; } -- 2.30.2