[PATCH 2/2] USB: sisusbvga: Fix NULL pointer dereference in sisusb_read
From: Vasiliy Kovalev
Date: Tue Feb 17 2026 - 20:06:01 EST
sisusb_read() passes the user-supplied buffer pointer as 'userbuffer' to
sisusb_read_mem_bulk() in two branches:
/* VRAM path */
errno = sisusb_read_mem_bulk(sisusb, address,
NULL, count, buffer, &bytes_read);
/* MMIO path */
errno = sisusb_read_mem_bulk(sisusb, address,
NULL, count, buffer, &bytes_read);
If buffer == NULL (e.g. read(fd, NULL, count) from userspace), both calls
reach sisusb_read_mem_bulk() with kernbuffer=NULL and userbuffer=NULL.
The condition:
if (userbuffer)
evaluates to false, the kernbuffer path is taken, and the subsequent
dereference:
swap32 = *((u32 *)kernbuffer);
panics the kernel:
Oops: general protection fault, probably for non-canonical
address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 3 UID: 0 PID: 370 Comm: sisusbvga-fops- Not tainted 6.19.0-next-20260217 #1
RIP: 0010:sisusb_read_mem_bulk.constprop.0 (drivers/usb/misc/sisusbvga/sisusbvga.c:1171)
Call Trace:
<TASK>
__pfx_sisusb_read_mem_bulk.constprop.0 (drivers/usb/misc/sisusbvga/sisusbvga.c:1092)
sisusb_read (drivers/usb/misc/sisusbvga/sisusbvga.c:2396)
vfs_read (fs/read_write.c:572)
ksys_read (fs/read_write.c:718)
do_syscall_64 (arch/x86/entry/syscall_64.c:94)
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
RIP: 0033:0x7f335af3fefc
</TASK>
Add a NULL check after the existing sanity checks, before the first
branch, to guard both the VRAM and the MMIO paths. Release the mutex
before returning, consistent with the existing -ENODEV path above.
Found by Linux Verification Center (linuxtesting.org) with Svace.
Tested with 'USB Gadget Tests'[1]:
$ TEST=sisusbvga-fops-svace-null-deref
$ echo $TEST > tests/list.txt && make && sudo ./check.sh
[1] Link: https://github.com/kovalev0/usb-gadget-tests
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: <stable@xxxxxxxxxxxxxxx>
Signed-off-by: Vasiliy Kovalev <kovalev@xxxxxxxxxxxx>
---
drivers/usb/misc/sisusbvga/sisusbvga.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/usb/misc/sisusbvga/sisusbvga.c b/drivers/usb/misc/sisusbvga/sisusbvga.c
index 89d566d192aa..e14deb1955d9 100644
--- a/drivers/usb/misc/sisusbvga/sisusbvga.c
+++ b/drivers/usb/misc/sisusbvga/sisusbvga.c
@@ -2319,6 +2319,11 @@ static ssize_t sisusb_read(struct file *file, char __user *buffer,
return -ENODEV;
}
+ if (!buffer) {
+ mutex_unlock(&sisusb->lock);
+ return -EFAULT;
+ }
+
if ((*ppos) >= SISUSB_PCI_PSEUDO_IOPORTBASE &&
(*ppos) < SISUSB_PCI_PSEUDO_IOPORTBASE + 128) {
--
2.50.1