Received: by 2002:a05:6a11:4021:0:0:0:0 with SMTP id ky33csp1926613pxb; Thu, 16 Sep 2021 20:31:35 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwzj+o0+QUfDhoKMTFPmCkuhjw82BmzF2Wj/9W/Ij7IzbGwCY47QYNwNcQqeyS61Ft29M0a X-Received: by 2002:a5e:8349:: with SMTP id y9mr6731976iom.34.1631849495206; Thu, 16 Sep 2021 20:31:35 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1631849495; cv=none; d=google.com; s=arc-20160816; b=J0yQ7Z2esUhTY8MK+OdSD7XCkQ9mIUrXPMK8H0sh0C1QFXbFSSf3p8ynFvRth6Pz2d JZpsVVvc2R0bp0gJsn9DlDgQ0ctMgJEu6tdmQmdbz3W15mb5S/WIxHfnUkPLtqMjOJpx qVyaQvNRNYwlUkyFtxnaiBAABkBXZckJrDvHOmZR0Smqg1S6yrNbBBfIeYL26Spx1c6s zqCff83FLGBE0OzMikgMaRqcnaGIYCKxFE18m8LispPccZb+6YzR1AEC+7SunGx2xIo2 6iTrmnGXAiFnrNJ1LI17/Cp8H9NZZ+3QaKJcJ3OH2rk0FoAXJ9MC/yrOxz4LRsaAsP9a Sp2A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=lg48aRSUJqtGgSNB3q+HDRpP3vdX/Qbtidnhezdt6w4=; b=P9tyi8rUvRvYujHxDzGHbycR7sra9L5+I9ycaSmXWTX5a1RGRKgtgtl0vpydzOvSUv kU3vaJ5QaRCw6e4HF09f9ALczMCIy4adXDx9weGj1JWJjRGtpHkxIXLhEb/c13R0oxCq py1rxOoJClnNyirazugX4+7NRT8agmbJ+67I78fmSZZ9xFBeX5MeJaos5KZSJouakRdr r9LJHtu/wFAoV6pJ6dyJLgm1GExzSiRK158/0aZJoUJzN1slbqyjeNt9/NviF9eu6fzh 7XAaOC6OwErLF1vHtspmmVrmdREg/zY5pmq3ykOYOo4v5gwbK2XTRzEsHpeNqHX11VxS jlJg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=MrsBbGKE; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id h5si5133089iol.44.2021.09.16.20.31.23; Thu, 16 Sep 2021 20:31:35 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=MrsBbGKE; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1344716AbhIPRgA (ORCPT + 99 others); Thu, 16 Sep 2021 13:36:00 -0400 Received: from mail.kernel.org ([198.145.29.99]:47078 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1352262AbhIPR0z (ORCPT ); Thu, 16 Sep 2021 13:26:55 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id 6B18F61BF4; Thu, 16 Sep 2021 16:45:07 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1631810708; bh=8SccjHQBBdBLX2oYdc8x9YK5U1X7hTEEkIPQP0ZnWro=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=MrsBbGKEwzrjkoxV1HFgC/LdpEGiv8KX8XvmzmnOdqyBnHSXZtYVODGt7UyIUpquJ /Y65Rp9RDfbOIcCO4fjcawNMCrugcSz3EDLlcSCm/+gTUuPSvLgUdv6ksfkDYO2NpN sIsSVGDog0m8zbNFRa3MAQmpt9hWXHFxchCwuWYE= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Brooke Basile , "Bryan ODonoghue" , Felipe Balbi , Lorenzo Colitti , =?UTF-8?q?Maciej=20=C5=BBenczykowski?= , Sasha Levin Subject: [PATCH 5.14 196/432] usb: gadget: u_ether: fix a potential null pointer dereference Date: Thu, 16 Sep 2021 17:59:05 +0200 Message-Id: <20210916155817.425381480@linuxfoundation.org> X-Mailer: git-send-email 2.33.0 In-Reply-To: <20210916155810.813340753@linuxfoundation.org> References: <20210916155810.813340753@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Maciej Żenczykowski [ Upstream commit 8ae01239609b29ec2eff55967c8e0fe3650cfa09 ] f_ncm tx timeout can call us with null skb to flush a pending frame. In this case skb is NULL to begin with but ceases to be null after dev->wrap() completes. In such a case in->maxpacket will be read, even though we've failed to check that 'in' is not NULL. Though I've never observed this fail in practice, however the 'flush operation' simply does not make sense with a null usb IN endpoint - there's nowhere to flush to... (note that we're the gadget/device, and IN is from the point of view of the host, so here IN actually means outbound...) Cc: Brooke Basile Cc: "Bryan O'Donoghue" Cc: Felipe Balbi Cc: Greg Kroah-Hartman Cc: Lorenzo Colitti Signed-off-by: Maciej Żenczykowski Link: https://lore.kernel.org/r/20210701114834.884597-6-zenczykowski@gmail.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin --- drivers/usb/gadget/function/u_ether.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/drivers/usb/gadget/function/u_ether.c b/drivers/usb/gadget/function/u_ether.c index d1d044d9f859..85a3f6d4b5af 100644 --- a/drivers/usb/gadget/function/u_ether.c +++ b/drivers/usb/gadget/function/u_ether.c @@ -492,8 +492,9 @@ static netdev_tx_t eth_start_xmit(struct sk_buff *skb, } spin_unlock_irqrestore(&dev->lock, flags); - if (skb && !in) { - dev_kfree_skb_any(skb); + if (!in) { + if (skb) + dev_kfree_skb_any(skb); return NETDEV_TX_OK; } -- 2.30.2