From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754064AbcIFCAh (ORCPT ); Mon, 5 Sep 2016 22:00:37 -0400 Received: from mail-db5eur01on0064.outbound.protection.outlook.com ([104.47.2.64]:16000 "EHLO EUR01-DB5-obe.outbound.protection.outlook.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1751993AbcIFCAf (ORCPT ); Mon, 5 Sep 2016 22:00:35 -0400 From: Peter Chen To: Colin King , Felipe Balbi , Greg Kroah-Hartman , Andrzej Pietrasiewicz , Nicholas Bellinger , "Robert Baldyga" , John Youn , "linux-usb@vger.kernel.org" CC: "linux-kernel@vger.kernel.org" Subject: RE: [PATCH] usb: gadget: prevent potenial null pointer dereference on skb->len Thread-Topic: [PATCH] usb: gadget: prevent potenial null pointer dereference on skb->len Thread-Index: AQHSB4uTZHxABPZL+0+GQbjOkAPIYKBrsR3g Date: Tue, 6 Sep 2016 01:44:29 +0000 Message-ID: References: <20160905153712.15205-1-colin.king@canonical.com> In-Reply-To: <20160905153712.15205-1-colin.king@canonical.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: authentication-results: spf=none (sender IP is ) smtp.mailfrom=peter.chen@nxp.com; x-originating-ip: [199.59.225.131] x-ms-office365-filtering-correlation-id: 5740bd7c-256e-4f78-b02d-08d3d5f757c0 x-microsoft-exchange-diagnostics: 1;VI1PR04MB1454;6:B1rDcBqkmHANug9hTrAcmCzvgr4leOs9nd9bjIrK/iwMdw8OR6TRR6udyccaUBl7qKjKPMDAqV6y0xomb3v0NaxbQKU7DzpICRGwah4TKsEt/L9+fKiriKVChNEHGW7lxzBhW+AhnQktzrkTsBk+3/jH2z/vMRb8Y6FFbDBj0VzFtGW90e7bFsZdjzMaN6s4q4hz3WVrivPKvjX4BJ/32ZxSN+dmlVIqh06i6IdHNMgXDYcoN8JTNkbeJf5C+5vMk115Jn7aCq+cq6czep9lblKQHrCxABOMEru8ntSOCZaDXVyikv63uLjZJOHW/hXVyzGgCAe/aD04WW845OZZ9A==;5:JTCGI+bbO2l+omz1VyahynfV/N3WL8YglA6RcQwUfvnKgcfDQ8nIepQMtqrveFLXCmfNbgn8P+wCwiA7AUezSt8rZLkJuVsQW3fTRvQYrKPLuxx+QgNF8wu7eT77bM0otAXSf9BUrNNDKwfYnd4FzA==;24:EFrudzz8mM53bAHPSzLgxcv2Bs9Z3iubVW+b/57DymKPLo2ccgFhdOF5jtCvRGUIArzl2Cqf2lB9i4QWpWlOEHSybMaIkYF9f2ZhK2BiyF0=;7:BhWpBiPnpBt2aZWjXz2BSpT5nxzdbWLtkJgo+8vuoxBJQcOaGKUpQjy8G8AWEZEifr1pjpytXAjF0e9nCyOjpInYgHsSDFxxiUaR27op1TIstiJaMVsBPVbAgtcG1h4bkchIKpuftu0bOWNUEea2iyhsRoEFiy92BjoUJ8T11KYflpAHXSGHtlVdsNSEyUuz0m+FzvWsT/mex7vXb0M5RTBTUY3G+9Hqlq2TEOxh9QPsjdpWPQTNNmfQtTU5Rtr9 x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:VI1PR04MB1454; x-microsoft-antispam-prvs: x-exchange-antispam-report-test: UriScan:(185117386973197)(198206253151910); x-exchange-antispam-report-cfa-test: BCL:0;PCL:0;RULEID:(6040176)(601004)(2401047)(5005006)(8121501046)(3002001)(10201501046)(6055026);SRVR:VI1PR04MB1454;BCL:0;PCL:0;RULEID:;SRVR:VI1PR04MB1454; x-forefront-prvs: 0057EE387C x-forefront-antispam-report: SFV:NSPM;SFS:(10009020)(6009001)(7916002)(189002)(199003)(2900100001)(33656002)(10400500002)(2950100001)(106116001)(8676002)(5002640100001)(105586002)(2501003)(68736007)(122556002)(54356999)(3280700002)(76176999)(87936001)(305945005)(7846002)(50986999)(92566002)(7696003)(74316002)(7736002)(101416001)(2906002)(8936002)(189998001)(81166006)(81156014)(106356001)(4326007)(97736004)(5660300001)(5001770100001)(76576001)(19580395003)(66066001)(19580405001)(102836003)(6116002)(3846002)(3660700001)(77096005)(11100500001)(86362001)(586003)(9686002);DIR:OUT;SFP:1101;SCL:1;SRVR:VI1PR04MB1454;H:VI1PR04MB1455.eurprd04.prod.outlook.com;FPR:;SPF:None;PTR:InfoNoRecords;MX:1;A:1;LANG:en; spamdiagnosticoutput: 1:99 spamdiagnosticmetadata: NSPM Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 X-OriginatorOrg: nxp.com X-MS-Exchange-CrossTenant-originalarrivaltime: 06 Sep 2016 01:44:29.3064 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: 686ea1d3-bc2b-4c6f-a92c-d99c5c301635 X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR04MB1454 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from base64 to 8bit by mail.home.local id u8620f5g004658 > >From: Colin Ian King > >An earlier fix partially fixed the null pointer dereference on skb->len by moving the >assignment of len after the check on skb being non-null, however it failed to remove >the erroneous dereference when assigning len. >Correctly fix this by removing the initialisation of len as was originally intended. > >Fixes: 70237dc8efd092 ("usb: gadget: function: f_eem: socket buffer may be NULL") >Signed-off-by: Colin Ian King >--- > drivers/usb/gadget/function/f_eem.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > >diff --git a/drivers/usb/gadget/function/f_eem.c b/drivers/usb/gadget/function/f_eem.c >index 8741fd7..007ec6e 100644 >--- a/drivers/usb/gadget/function/f_eem.c >+++ b/drivers/usb/gadget/function/f_eem.c >@@ -342,7 +342,7 @@ static struct sk_buff *eem_wrap(struct gether *port, struct >sk_buff *skb) > struct sk_buff *skb2 = NULL; > struct usb_ep *in = port->in_ep; > int headroom, tailroom, padlen = 0; >- u16 len = skb->len; >+ u16 len; > > if (!skb) > return NULL; Sorry, my careless, Thanks for fixing it. Acked-by: Peter Chen Peter