git.baikalelectronics.ru Git - kernel.git/commit

author	Maciej Żenczykowski <maze@google.com>
	Thu, 1 Jul 2021 11:48:34 +0000 (04:48 -0700)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Wed, 21 Jul 2021 08:04:19 +0000 (10:04 +0200)
commit	7195ca35c49172727351cc1046ecc1352e694314
tree	952bb6ba4b5bae52c3710dc5b6d32c2d05e26b74	tree \| snapshot
parent	aa406fb3b3adf5c0e2efbfe2433295263e3b0f5a	commit \| diff

usb: gadget: u_ether: fix a potential null pointer dereference

f_ncm tx timeout can call us with null skb to flush
a pending frame. In this case skb is NULL to begin
with but ceases to be null after dev->wrap() completes.

In such a case in->maxpacket will be read, even though
we've failed to check that 'in' is not NULL.

Though I've never observed this fail in practice,
however the 'flush operation' simply does not make sense with
a null usb IN endpoint - there's nowhere to flush to...
(note that we're the gadget/device, and IN is from the point
of view of the host, so here IN actually means outbound...)

Cc: Brooke Basile <brookebasile@gmail.com>
Cc: "Bryan O'Donoghue" <bryan.odonoghue@linaro.org>
Cc: Felipe Balbi <balbi@kernel.org>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Lorenzo Colitti <lorenzo@google.com>
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Link: https://lore.kernel.org/r/20210701114834.884597-6-zenczykowski@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>