[PATCH v2 2/2] USB: sisusbvga: Fix NULL pointer dereference in sisusb_read_mem_bulk
From: Vasiliy Kovalev
Date: Tue Feb 24 2026 - 16:56:20 EST
sisusb_read_mem_bulk() accepts two buffer parameters: kernbuffer for
kernel-space data and userbuffer for userspace data. The function's logic
assumes at least one of them is non-NULL:
    if (userbuffer) {
        /* userspace path */
    } else {
        /* kernel buffer path - dereferences kernbuffer */
        swap32 = *((u32 *)kernbuffer);
    }
However, when called from sisusb_read() with buffer == NULL, both
kernbuffer and userbuffer are NULL, causing immediate kernel panic:
    Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI
    KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
    CPU: 3 UID: 0 PID: 370 Comm: sisusbvga-fops- Not tainted 6.19.0-next-20260217 #1
    RIP: 0010:sisusb_read_mem_bulk.constprop.0 (drivers/usb/misc/sisusbvga/sisusbvga.c:1171)
    Call Trace:
     <TASK>
     __pfx_sisusb_read_mem_bulk.constprop.0 (drivers/usb/misc/sisusbvga/sisusbvga.c:1092)
     sisusb_read (drivers/usb/misc/sisusbvga/sisusbvga.c:2396)
     vfs_read (fs/read_write.c:572)
     ksys_read (fs/read_write.c:718)
     do_syscall_64 (arch/x86/entry/syscall_64.c:94)
     entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
    RIP: 0033:0x7f335af3fefc
     </TASK>
Add parameter validation at the API level: reject the call with -EINVAL
if both buffers are NULL.
Found by Linux Verification Center (linuxtesting.org) with Svace.
Tested with 'USB Gadget Tests'[1]:
$ TEST=sisusbvga-fops-svace-null-deref
$ echo $TEST > tests/list.txt && make && sudo ./check.sh
[1] Link: https://github.com/kovalev0/usb-gadget-tests
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Suggested-by: Fedor Pchelkin <pchelkin@xxxxxxxxx>
Cc: <stable@xxxxxxxxxxxxxxx>
Signed-off-by: Vasiliy Kovalev <kovalev@xxxxxxxxxxxx>
---
v2: Move NULL check into sisusb_read_mem_bulk() and
return -EINVAL (suggested by Fedor Pchelkin)
v1: https://lore.kernel.org/all/20260218005523.1259725-3-kovalev@xxxxxxxxxxxx/
---
drivers/usb/misc/sisusbvga/sisusbvga.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/usb/misc/sisusbvga/sisusbvga.c b/drivers/usb/misc/sisusbvga/sisusbvga.c
index 89d566d192aa..abda425199ee 100644
--- a/drivers/usb/misc/sisusbvga/sisusbvga.c
+++ b/drivers/usb/misc/sisusbvga/sisusbvga.c
@@ -1098,6 +1098,9 @@ static int sisusb_read_mem_bulk(struct sisusb_usb_data *sisusb, u32 addr,
u16 swap16;
u32 swap32;
+ if (!kernbuffer && !userbuffer)
+ return -EINVAL;
+
(*bytes_read = 0);
length &= 0x00ffffff;
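Review bot: the new early return sits above `(*bytes_read = 0);`, so on the -EINVAL path the caller's bytes_read keeps whatever value it held before the call; unless sisusb_read() is known to ignore bytes_read on a negative return, either move the check below that line or set `*bytes_read = 0;` before returning. It would also help to state in the commit message why -EINVAL was chosen over -EFAULT here, since the NULL arrives as the userspace buffer pointer of a read(2) call rather than as a malformed kernel-internal argument.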
--
2.50.1