find_tt() can return NULL or the error value in ERR_PTR() and dereferencing the return value without checking for the error can lead to a possible dereference of NULL pointer or ERR_PTR().
Signed-off-by: Sudip Mukherjee <[email protected]> --- drivers/usb/host/ehci-sched.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/usb/host/ehci-sched.c b/drivers/usb/host/ehci-sched.c index 6dfb242f9a4b..f3fd7e9fe6b2 100644 --- a/drivers/usb/host/ehci-sched.c +++ b/drivers/usb/host/ehci-sched.c @@ -245,6 +245,8 @@ static void reserve_release_intr_bandwidth(struct ehci_hcd *ehci, /* FS/LS bus bandwidth */ if (tt_usecs) { tt = find_tt(qh->ps.udev); + if (IS_ERR_OR_NULL(tt)) + return; if (sign > 0) list_add_tail(&qh->ps.ps_list, &tt->ps_list); else @@ -1338,6 +1340,8 @@ static void reserve_release_iso_bandwidth(struct ehci_hcd *ehci, } tt = find_tt(stream->ps.udev); + if (IS_ERR_OR_NULL(tt)) + return; if (sign > 0) list_add_tail(&stream->ps.ps_list, &tt->ps_list); else -- 2.11.0
