Received: by 2002:a05:6520:4d:b0:139:a872:a4c9 with SMTP id i13csp2564402lkm; Mon, 20 Sep 2021 18:50:13 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzWK7WMPswkt35a8TZh78T1NPKKKQANb17RdiDrZ18QW/eIBoUOBvOa6ZjPwF+Zks9myuIG X-Received: by 2002:a6b:b4d3:: with SMTP id d202mr21029270iof.8.1632189013338; Mon, 20 Sep 2021 18:50:13 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1632189013; cv=none; d=google.com; s=arc-20160816; b=LW7u9np8FiHrGqXGZk07CitJuf63ym4f6FrTJRQ/7EGaEG7Mb0XdAinHwnEFBmDRUL kDqXErXEzKxnNygFbdqlYtMPavvROknIagxFse8EUqWtDHcSWONG67JhxNdlcI2tJD3O 1Qd9WAaozwb2TMCm8EsWW2h+BUwdkAIIf3LA4arwQhXm3gMjQFBIT8rzWKsVGE8euRyf XmXEr0Op7CXBKnWFQFtS7rm5UNuyRwVf5BElJcaT7ocXBiKLAc9F5R2iBniZ7VicYvdL xumwawkHLvB5QTaAzeqVr9RPHPzGmTmINqPdz4AgyndUHK6WqqZ3x8340Wsxkaw9qz5H +tgQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=oGV0CcRdj5GWfCBsbKYLSnlNKtZ6HiTFSbIerILROXE=; b=gAFaAyLNrUS+hu8TCxv6DqrsyJDWGmkaKLlGfEVyW49lr029MxKELnI/VDtM62ghEb 3WTv+WgcXuSsWCFXAxzL0OzEJ3aJmrDoVKpNCI86p7LUrcdbBk735cMxWbattqJF3VW1 pfgL9JP54rtaqFe8Y2EA9PCo6NMsfkRY5jTJawUX5L7MJ/cbBHYcUzvygzc9GmpJPvGa KHkzi0ssl7vMp/U0IdGYMiMlwUcfKK9sZ33rm6Dv/Jv2h/rt/mUHWRSQGTV5xf7LfiRO X6EoEYAUVNyilEMxTMtsmsl00LPjNNiB6fuBVyHCkNzWBOYXTjTRyz3b0Tq9do7IV+M9 Z9LQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=Bk5zdBWU; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id k17si17661544jav.64.2021.09.20.18.50.02; Mon, 20 Sep 2021 18:50:13 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=Bk5zdBWU; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1349999AbhITRxb (ORCPT + 99 others); Mon, 20 Sep 2021 13:53:31 -0400 Received: from mail.kernel.org ([198.145.29.99]:53088 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1353844AbhITRrW (ORCPT ); Mon, 20 Sep 2021 13:47:22 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id CDE2861B98; Mon, 20 Sep 2021 17:10:54 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1632157855; bh=7ogRByi+HrVU9OAaW3OXKVjyZ76yXdlPY3Ky+LKYRHY=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=Bk5zdBWUosetAUQIGVJBfWtEFOjv1IAvkTlpwFwobFbW4HStWi3BbWBuuzA36mLSb WBIteP1Zn8WoiURoBEZEIYo8rt1f8hsus2ghPMQTn4vkl+fdtsc67jHcj1vE9ehWRS ePIUBMkpuBzpdpCeUM54DZlP+mQF6M4/qLRXP/48= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Brooke Basile , "Bryan ODonoghue" , Felipe Balbi , Lorenzo Colitti , =?UTF-8?q?Maciej=20=C5=BBenczykowski?= , Sasha Levin Subject: [PATCH 4.19 183/293] usb: gadget: u_ether: fix a potential null pointer dereference Date: Mon, 20 Sep 2021 18:42:25 +0200 Message-Id: <20210920163939.538394252@linuxfoundation.org> X-Mailer: git-send-email 2.33.0 In-Reply-To: <20210920163933.258815435@linuxfoundation.org> References: <20210920163933.258815435@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Maciej Żenczykowski [ Upstream commit 8ae01239609b29ec2eff55967c8e0fe3650cfa09 ] f_ncm tx timeout can call us with null skb to flush a pending frame. In this case skb is NULL to begin with but ceases to be null after dev->wrap() completes. In such a case in->maxpacket will be read, even though we've failed to check that 'in' is not NULL. Though I've never observed this fail in practice, however the 'flush operation' simply does not make sense with a null usb IN endpoint - there's nowhere to flush to... (note that we're the gadget/device, and IN is from the point of view of the host, so here IN actually means outbound...) Cc: Brooke Basile Cc: "Bryan O'Donoghue" Cc: Felipe Balbi Cc: Greg Kroah-Hartman Cc: Lorenzo Colitti Signed-off-by: Maciej Żenczykowski Link: https://lore.kernel.org/r/20210701114834.884597-6-zenczykowski@gmail.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin --- drivers/usb/gadget/function/u_ether.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/drivers/usb/gadget/function/u_ether.c b/drivers/usb/gadget/function/u_ether.c index 156651df6b4d..d7a12161e553 100644 --- a/drivers/usb/gadget/function/u_ether.c +++ b/drivers/usb/gadget/function/u_ether.c @@ -491,8 +491,9 @@ static netdev_tx_t eth_start_xmit(struct sk_buff *skb, } spin_unlock_irqrestore(&dev->lock, flags); - if (skb && !in) { - dev_kfree_skb_any(skb); + if (!in) { + if (skb) + dev_kfree_skb_any(skb); return NETDEV_TX_OK; } -- 2.30.2