From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: "Maciej Żenczykowski" <maze@google.com>,
"Brooke Basile" <brookebasile@gmail.com>,
"Bryan O'Donoghue" <bryan.odonoghue@linaro.org>,
"Felipe Balbi" <balbi@kernel.org>,
"Greg Kroah-Hartman" <gregkh@linuxfoundation.org>,
"Lorenzo Colitti" <lorenzo@google.com>,
"Sasha Levin" <sashal@kernel.org>,
linux-usb@vger.kernel.org
Subject: [PATCH AUTOSEL 4.4 08/35] usb: gadget: u_ether: fix a potential null pointer dereference
Date: Thu, 9 Sep 2021 08:00:49 -0400 [thread overview]
Message-ID: <20210909120116.150912-8-sashal@kernel.org> (raw)
In-Reply-To: <20210909120116.150912-1-sashal@kernel.org>
From: Maciej Żenczykowski <maze@google.com>
[ Upstream commit 8ae01239609b29ec2eff55967c8e0fe3650cfa09 ]
f_ncm tx timeout can call us with null skb to flush
a pending frame. In this case skb is NULL to begin
with but ceases to be null after dev->wrap() completes.
In such a case in->maxpacket will be read, even though
we've failed to check that 'in' is not NULL.
Though I've never observed this fail in practice,
however the 'flush operation' simply does not make sense with
a null usb IN endpoint - there's nowhere to flush to...
(note that we're the gadget/device, and IN is from the point
of view of the host, so here IN actually means outbound...)
Cc: Brooke Basile <brookebasile@gmail.com>
Cc: "Bryan O'Donoghue" <bryan.odonoghue@linaro.org>
Cc: Felipe Balbi <balbi@kernel.org>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Lorenzo Colitti <lorenzo@google.com>
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Link: https://lore.kernel.org/r/20210701114834.884597-6-zenczykowski@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/gadget/function/u_ether.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/drivers/usb/gadget/function/u_ether.c b/drivers/usb/gadget/function/u_ether.c
index 46c50135ef9f..4bc95ac3d448 100644
--- a/drivers/usb/gadget/function/u_ether.c
+++ b/drivers/usb/gadget/function/u_ether.c
@@ -507,8 +507,9 @@ static netdev_tx_t eth_start_xmit(struct sk_buff *skb,
}
spin_unlock_irqrestore(&dev->lock, flags);
- if (skb && !in) {
- dev_kfree_skb_any(skb);
+ if (!in) {
+ if (skb)
+ dev_kfree_skb_any(skb);
return NETDEV_TX_OK;
}
--
2.30.2
next prev parent reply other threads:[~2021-09-09 13:19 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20210909120116.150912-1-sashal@kernel.org>
2021-09-09 12:00 ` [PATCH AUTOSEL 4.4 07/35] usb: host: fotg210: fix the actual_length of an iso packet Sasha Levin
2021-09-09 12:00 ` Sasha Levin [this message]
2021-09-09 12:01 ` [PATCH AUTOSEL 4.4 32/35] Revert "USB: xhci: fix U1/U2 handling for hardware with XHCI_INTEL_HOST quirk set" Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210909120116.150912-8-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=balbi@kernel.org \
--cc=brookebasile@gmail.com \
--cc=bryan.odonoghue@linaro.org \
--cc=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-usb@vger.kernel.org \
--cc=lorenzo@google.com \
--cc=maze@google.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).