From: "Maciej Żenczykowski" <zenczykowski@gmail.com>
To: "Maciej Żenczykowski" <maze@google.com>
Cc: Linux USB Mailing List <linux-usb@vger.kernel.org>,
	Brooke Basile <brookebasile@gmail.com>,
	"Bryan O'Donoghue" <bryan.odonoghue@linaro.org>,
	Felipe Balbi <balbi@kernel.org>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	Lorenzo Colitti <lorenzo@google.com>
Subject: [PATCH 6/6] usb: gadget: u_ether: fix a potential null pointer dereference
Date: Thu,  1 Jul 2021 04:48:34 -0700
Message-ID: <20210701114834.884597-6-zenczykowski@gmail.com>
In-Reply-To: <20210701114834.884597-1-zenczykowski@gmail.com>

From: Maciej Żenczykowski <maze@google.com>

f_ncm tx timeout can call us with null skb to flush
a pending frame.  In this case skb is NULL to begin
with but ceases to be null after dev->wrap() completes.

In such a case in->maxpacket will be read, even though
we've failed to check that 'in' is not NULL.

Though I've never observed this fail in practice, the 'flush operation'
simply does not make sense with a null usb IN endpoint - there's nowhere
to flush to...
(note that we're the gadget/device, and IN is from the point
 of view of the host, so here IN actually means outbound...)

Cc: Brooke Basile <brookebasile@gmail.com>
Cc: "Bryan O'Donoghue" <bryan.odonoghue@linaro.org>
Cc: Felipe Balbi <balbi@kernel.org>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Lorenzo Colitti <lorenzo@google.com>
Signed-off-by: Maciej Żenczykowski <maze@google.com>
---
 drivers/usb/gadget/function/u_ether.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/usb/gadget/function/u_ether.c b/drivers/usb/gadget/function/u_ether.c
index d1d044d9f859..85a3f6d4b5af 100644
--- a/drivers/usb/gadget/function/u_ether.c
+++ b/drivers/usb/gadget/function/u_ether.c
@@ -492,8 +492,9 @@ static netdev_tx_t eth_start_xmit(struct sk_buff *skb,
 	}
 	spin_unlock_irqrestore(&dev->lock, flags);
 
-	if (skb && !in) {
-		dev_kfree_skb_any(skb);
+	if (!in) {
+		if (skb)
+			dev_kfree_skb_any(skb);
 		return NETDEV_TX_OK;
 	}
 
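Review bot: the reordered guard in this hunk is correct for both callers (a real skb with no endpoint is still freed; a NULL skb from the f_ncm flush path now returns before anything downstream can touch `in`), but nothing in the code says why `skb` may legitimately be NULL here, so the next reader will be tempted to fold the two checks back together. Suggest a one-line comment above `if (!in) {`, e.g. `/* skb is NULL when f_ncm's tx timeout flushes a pending frame */`, so the reason for checking `in` independently of `skb` survives in the source rather than only in the commit message.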
-- 
2.32.0.93.g670b81a890-goog


2021-07-01 11:48 [PATCH 1/6] usb: gadget: f_ncm: remove timer_force_tx field Maciej Żenczykowski
2021-07-01 11:48 ` [PATCH 2/6] usb: gadget: f_ncm: remove spurious boolean timer_stopping Maciej Żenczykowski
2021-07-01 11:48 ` [PATCH 3/6] usb: gadget: f_ncm: remove check for NULL skb_tx_data in timer function Maciej Żenczykowski
2021-07-01 11:48 ` [PATCH 4/6] usb: gadget: f_ncm: remove spurious if statement Maciej Żenczykowski
2021-07-01 11:48 ` [PATCH 5/6] usb: gadget: f_ncm: ncm_wrap_ntb - move var definitions into " Maciej Żenczykowski