Received: by 2002:a05:6520:4d:b0:139:a872:a4c9 with SMTP id i13csp2567660lkm; Mon, 20 Sep 2021 18:55:28 -0700 (PDT) X-Google-Smtp-Source: ABdhPJx12G4FOZmHbn55Iq1o1g7w3Q3Gb/wRZJe6rYayF03r0s0OkgB/Soq6EL+PMpq2XgptwoDN X-Received: by 2002:a02:9f12:: with SMTP id z18mr6107847jal.89.1632188868291; Mon, 20 Sep 2021 18:47:48 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1632188868; cv=none; d=google.com; s=arc-20160816; b=Z9fvOf9CPcIUrdXZ0NXLB5rQL02owDsfGTsH4etuT1+27K283IAbSvul9rEHG1+yKF hy84lsrsDXnD4/3Z0S5G709Q+FnC2Vf3jBTve3xqPgTUAlkbd5FYU3049NK/I776/iGh mwH9JQ7rPcEiDpDxEPI5v1MxvZZZ14eWENYjU+4vUIqR3vN8nK9jYLMLO8U6+fb3e+9S Jwyj9NHOIjrpEWgyQ358FS2huPEVUbR8MgywlmHoIfsXSVq2DjUK22vssPoSnq95ExGe cpfEx5VKP+wE3+2Qxgm8wQYuKDaXdQ+CqAgkwjtJ7u0qGHvrTzgeda0ZeT4SycsLchKe k5SA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=zcMW+oCKTIW8EnTq8xQdKkVXlhAuh54yZsSZmsU8BtQ=; b=LT3MkBMGyiBpgbxwaykPXeVSJNPA9OjiWt1SyuWUiHpAZz8ZCqDVE/eKkDq8rhYkI/ tNt+UHdxb+ZRnTxflE5IfBH3huaRMqNjakYNS8s5JVenPnm9yuWftw1sM9l6MJxghRaM 9EK6+ybBmQ0HzSYygfrTQTaBeggsev3SwKQQHDtdJsEZ+ObgmeP7C2U/5J2yeBxluOzW ObuPsIlV1ffvBt+xcqNER15GzHoSCBeO28WwO2NtfCf9heWEyYIG0cl5MlGZT1AOgzhL F4urc6G3NayvSIpuuBYdZxjaOjlnL0VMq2tScWy+vi3IQLP2Vu2CxaHOYQGRfjo3d+nE ZHcQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=vAXr31QE; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id d10si7016205ilu.50.2021.09.20.18.47.37; Mon, 20 Sep 2021 18:47:48 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=vAXr31QE; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1350182AbhITR1Y (ORCPT + 99 others); Mon, 20 Sep 2021 13:27:24 -0400 Received: from mail.kernel.org ([198.145.29.99]:54322 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1349819AbhITRYw (ORCPT ); Mon, 20 Sep 2021 13:24:52 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id 3D64461A89; Mon, 20 Sep 2021 17:02:06 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1632157326; bh=K89+PjeYf+JmyFRph+y/P6rffIMvMSbu4Zh+Ou+QUiU=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=vAXr31QER+vJr/NucFbhKyfWRVqxlTXd5T3PIF30t3UWPlt3Q5rb1eoXHIdafxbeo suVZC7X/oorOp1Pz/mmvJtxwzlyoA/xvTUvbpBYrzeZTeSdpk083bgxyX7FABlzFFn rne9QclQ8iLXsdGtSdKZcxB+C/Yv8Dlr9kwAXQ9k= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Brooke Basile , "Bryan ODonoghue" , Felipe Balbi , Lorenzo Colitti , =?UTF-8?q?Maciej=20=C5=BBenczykowski?= , Sasha Levin Subject: [PATCH 4.14 140/217] usb: gadget: u_ether: fix a potential null pointer dereference Date: Mon, 20 Sep 2021 18:42:41 +0200 Message-Id: <20210920163929.391734906@linuxfoundation.org> X-Mailer: git-send-email 2.33.0 In-Reply-To: <20210920163924.591371269@linuxfoundation.org> References: <20210920163924.591371269@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Maciej Żenczykowski [ Upstream commit 8ae01239609b29ec2eff55967c8e0fe3650cfa09 ] f_ncm tx timeout can call us with null skb to flush a pending frame. In this case skb is NULL to begin with but ceases to be null after dev->wrap() completes. In such a case in->maxpacket will be read, even though we've failed to check that 'in' is not NULL. Though I've never observed this fail in practice, however the 'flush operation' simply does not make sense with a null usb IN endpoint - there's nowhere to flush to... (note that we're the gadget/device, and IN is from the point of view of the host, so here IN actually means outbound...) Cc: Brooke Basile Cc: "Bryan O'Donoghue" Cc: Felipe Balbi Cc: Greg Kroah-Hartman Cc: Lorenzo Colitti Signed-off-by: Maciej Żenczykowski Link: https://lore.kernel.org/r/20210701114834.884597-6-zenczykowski@gmail.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin --- drivers/usb/gadget/function/u_ether.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/drivers/usb/gadget/function/u_ether.c b/drivers/usb/gadget/function/u_ether.c index 989682cc8686..38a35f57b22c 100644 --- a/drivers/usb/gadget/function/u_ether.c +++ b/drivers/usb/gadget/function/u_ether.c @@ -495,8 +495,9 @@ static netdev_tx_t eth_start_xmit(struct sk_buff *skb, } spin_unlock_irqrestore(&dev->lock, flags); - if (skb && !in) { - dev_kfree_skb_any(skb); + if (!in) { + if (skb) + dev_kfree_skb_any(skb); return NETDEV_TX_OK; } -- 2.30.2