On Wed, Aug 10, 2016 at 02:20:18PM +0300, Felipe Balbi wrote: > > Hi, > > Peter Chen <hzpeterchen@xxxxxxxxx> writes: > > On Fri, Jul 01, 2016 at 03:33:30PM +0800, Peter Chen wrote: > >> skb is checked for null pointer at above code, so skb might be null. > >> eem_wrap uses it without checking null pointer, fix it by adding null > >> pointer check. > >> > >> Signed-off-by: Peter Chen <peter.chen@xxxxxxx> > >> --- > >> drivers/usb/gadget/function/u_ether.c | 2 +- > >> 1 file changed, 1 insertion(+), 1 deletion(-) > >> > >> diff --git a/drivers/usb/gadget/function/u_ether.c b/drivers/usb/gadget/function/u_ether.c > >> index 5f562c1..2bc8823 100644 > >> --- a/drivers/usb/gadget/function/u_ether.c > >> +++ b/drivers/usb/gadget/function/u_ether.c > >> @@ -549,7 +549,7 @@ static netdev_tx_t eth_start_xmit(struct sk_buff *skb, > >> unsigned long flags; > >> > >> spin_lock_irqsave(&dev->lock, flags); > >> - if (dev->port_usb) > >> + if (dev->port_usb && skb) > >> skb = dev->wrap(dev->port_usb, skb); > >> spin_unlock_irqrestore(&dev->lock, flags); > >> if (!skb) { > >> -- > > > > Felipe, please do not queue this patch, it will break the ncm function > > which the socket buffer may be NULL. > > > > If you are ok with below changes, I will submit patch: > > > > diff --git a/drivers/usb/gadget/function/f_eem.c b/drivers/usb/gadget/function/f_eem.c > > index d58bfc3..5e0db68 100644 > > --- a/drivers/usb/gadget/function/f_eem.c > > +++ b/drivers/usb/gadget/function/f_eem.c 
> > @@ -341,11 +341,15 @@ static struct sk_buff *eem_wrap(struct gether *port, struct sk_buff *skb) > > { > > struct sk_buff *skb2 = NULL; > > struct usb_ep *in = port->in_ep; > > - int padlen = 0; > > + int headroom, tailroom, padlen = 0; > > u16 len = skb->len; > > > > - int headroom = skb_headroom(skb); > > - int tailroom = skb_tailroom(skb); > > + if (!skb) > > + return NULL; > > + > > + len = skb->len; > > + headroom = skb_headroom(skb); > > + tailroom = skb_tailroom(skb); > > > > /* When (len + EEM_HLEN + ETH_FCS_LEN) % in->maxpacket) is 0, > > * stick two bytes of zero-length EEM packet on the end. > > diff --git a/drivers/usb/gadget/function/f_rndis.c b/drivers/usb/gadget/function/f_rndis.c > > index c800582..16562e4 100644 > > --- a/drivers/usb/gadget/function/f_rndis.c > > +++ b/drivers/usb/gadget/function/f_rndis.c > > @@ -374,6 +374,9 @@ static struct sk_buff *rndis_add_header(struct gether *port, > > { > > struct sk_buff *skb2; > > > > + if (!skb) > > + return NULL; > > + > > skb2 = skb_realloc_headroom(skb, sizeof(struct rndis_packet_msg_type)); > > rndis_add_hdr(skb2); > > > > looks okay to me. Patch 1/3 and 2/3 are still fine, right? > Yes, I will send v2 and append these two. -- Best Regards, Peter Chen
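Review bot: In the u_ether.c hunk, the `&& skb` condition in eth_start_xmit() skips dev->wrap() for every function driver behind the callback, not only eem, whenever skb is NULL. As the follow-up in this thread points out, the ncm function relies on wrap being called with a NULL socket buffer, so this guard changes its behaviour. The NULL check belongs in the wrap implementations that actually dereference skb, and this line should stay `if (dev->port_usb)`.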
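Review bot: In the f_eem.c hunk, the unchanged context line `u16 len = skb->len;` still dereferences skb in the declaration, before the new `if (!skb)` test runs, so eem_wrap() can still fault on a NULL skb. Because the dereference comes first, the compiler is also entitled to assume skb is non-NULL and drop the later check. Change the declaration to a plain `u16 len;` so that the added `len = skb->len;` after the check is the only read.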
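Review bot: In the f_rndis.c hunk, the new early return in rndis_add_header() has no comment saying when the wrap callback can legitimately receive a NULL skb. The thread states that the caller may pass NULL (the ncm case), so a one-line comment above `if (!skb)` recording that contract would keep the check from being removed later as dead code. While touching this function, it is also worth confirming that rndis_add_hdr() tolerates a NULL skb2, since the context lines pass the skb_realloc_headroom() result to it with no visible check.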