Received: by 2002:a05:6a11:4021:0:0:0:0 with SMTP id ky33csp2319531pxb; Mon, 20 Sep 2021 18:42:43 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwEdijtoAky2LgQe4uZV19nP0hX9+45T5WcrDXA82edJJNu6vNAYJzqyhnCC5bgsxg61zaP X-Received: by 2002:a02:6043:: with SMTP id d3mr20314962jaf.127.1632188562898; Mon, 20 Sep 2021 18:42:42 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1632188562; cv=none; d=google.com; s=arc-20160816; b=c57j++tj+TFXnTBRPcEFI4op0Roksj2Dc5EpiaFUHN5ZlDko6runfCniSYvyNf/hrz CsXUmK8RGCgyw5nUBqGB7YAIIa7fcp4LPx05usJoAZK+B8OqHHE5Ni6T2Ss4cYHp7ptA kb5cuRx0zooU01/m4fwC7IXm+7Yrx65sDuWHzr+oBZQnt0rci6i0iiohRh4j8wxQXK+f /o6CmOIV/Gl01wzP/4JNI2OxXdeewxPOE4TluY3JXGhS0y7kb6E3aIXJuIZM9rL4p+R/ 6Usahjb7A2BSu/B+dAsAyGVFXMlHPsHsNgxtH6VGnEK5jLg/VdJcBDELOXPNhANxlZFW Xl8g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=1gkoHTLw3V/V22jTgZZZ2QeNX9jyXKEv+FdqMQlh35E=; b=P9MN1mCqhrGZ3C2pz0UyF5vzpbG0vyC33wpFNLct8JV/Vd5dssumiFKejRPNfyukDl q6q7vndGr4seeefcBdxwHkXVfzx8PQX9C+tPSY46QkrfNTRXLFjUKGSDUByoQVMeSBq1 j2iLSpJzjoHJ22WRhyRpY12VFmLn8KLpdcdxYaDqZ9xBAH14RwoSbOzz7oCWlkGYD+SM rPxs+ESRhWPUGhxmZYmO/5jMkrVHUvHAzn6pssREYZRxB/TakHRDoCRsCETVleeaGESr ZK6m0TONJ+8avahxn46soneV1Jy70FIy/bjn40CKe2kj81znll7BGeDGT/6Kg1s00DSC Ch7Q== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=k+iuHvsA; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id s11si18232094ilu.95.2021.09.20.18.42.31; Mon, 20 Sep 2021 18:42:42 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=k+iuHvsA; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S242236AbhITQz0 (ORCPT + 99 others); Mon, 20 Sep 2021 12:55:26 -0400 Received: from mail.kernel.org ([198.145.29.99]:38506 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S244776AbhITQvQ (ORCPT ); Mon, 20 Sep 2021 12:51:16 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id 3348061252; Mon, 20 Sep 2021 16:49:29 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1632156569; bh=sjCbB48lyOSm12lMdVov5xle5CKJmy894Ol1fWAUADQ=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=k+iuHvsAPtckj3/H2eXP9K1Dbe2SM0BCspacMZ9itdcV5riSzS62PTDpYJhMjXtHk HZCmYdcbtA2PcyShKsSoCy3i1hFCA9AW572FoBfu6EDm69nuBF8CH8TfazwBt5gsj6 I169v/d866Q8PeW/UJ9jmLZLjlddfCFnjZNy5q8A= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Brooke Basile , "Bryan ODonoghue" , Felipe Balbi , Lorenzo Colitti , =?UTF-8?q?Maciej=20=C5=BBenczykowski?= , Sasha Levin Subject: [PATCH 4.4 092/133] usb: gadget: u_ether: fix a potential null pointer dereference Date: Mon, 20 Sep 2021 18:42:50 +0200 Message-Id: <20210920163915.651219302@linuxfoundation.org> X-Mailer: git-send-email 2.33.0 In-Reply-To: <20210920163912.603434365@linuxfoundation.org> References: <20210920163912.603434365@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Maciej Żenczykowski [ Upstream commit 8ae01239609b29ec2eff55967c8e0fe3650cfa09 ] f_ncm tx timeout can call us with null skb to flush a pending frame. In this case skb is NULL to begin with but ceases to be null after dev->wrap() completes. In such a case in->maxpacket will be read, even though we've failed to check that 'in' is not NULL. Though I've never observed this fail in practice, however the 'flush operation' simply does not make sense with a null usb IN endpoint - there's nowhere to flush to... (note that we're the gadget/device, and IN is from the point of view of the host, so here IN actually means outbound...) Cc: Brooke Basile Cc: "Bryan O'Donoghue" Cc: Felipe Balbi Cc: Greg Kroah-Hartman Cc: Lorenzo Colitti Signed-off-by: Maciej Żenczykowski Link: https://lore.kernel.org/r/20210701114834.884597-6-zenczykowski@gmail.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin --- drivers/usb/gadget/function/u_ether.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/drivers/usb/gadget/function/u_ether.c b/drivers/usb/gadget/function/u_ether.c index 46c50135ef9f..4bc95ac3d448 100644 --- a/drivers/usb/gadget/function/u_ether.c +++ b/drivers/usb/gadget/function/u_ether.c @@ -507,8 +507,9 @@ static netdev_tx_t eth_start_xmit(struct sk_buff *skb, } spin_unlock_irqrestore(&dev->lock, flags); - if (skb && !in) { - dev_kfree_skb_any(skb); + if (!in) { + if (skb) + dev_kfree_skb_any(skb); return NETDEV_TX_OK; } -- 2.30.2