qe_alloc_request() may return NULL on allocation failure. ch9getstatus()
passes the return value directly to container_of() and then immediately
dereferences the resulting qe_req pointer. Check the allocation result
before using it and stall the control request on failure.

Signed-off-by: Haoxiang Li <[email protected]>
---
 drivers/usb/gadget/udc/fsl_qe_udc.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/drivers/usb/gadget/udc/fsl_qe_udc.c 
b/drivers/usb/gadget/udc/fsl_qe_udc.c
index bf87285ad13c..603c77ff129f 100644
--- a/drivers/usb/gadget/udc/fsl_qe_udc.c
+++ b/drivers/usb/gadget/udc/fsl_qe_udc.c
@@ -1945,6 +1945,7 @@ static void ch9getstatus(struct qe_udc *udc, u8 
request_type, u16 value,
                        u16 index, u16 length)
 {
        u16 usb_status = 0;
+       struct usb_request *usb_req;
        struct qe_req *req;
        struct qe_ep *ep;
        int status = 0;
@@ -1983,8 +1984,11 @@ static void ch9getstatus(struct qe_udc *udc, u8 
request_type, u16 value,
                }
        }
 
-       req = container_of(qe_alloc_request(&ep->ep, GFP_KERNEL),
-                                       struct qe_req, req);
+       usb_req = qe_alloc_request(&ep->ep, GFP_KERNEL);
+       if (!usb_req)
+               goto stall;
+
+       req = container_of(usb_req, struct qe_req, req);
        req->req.length = 2;
        req->req.buf = udc->statusbuf;
        *(u16 *)req->req.buf = cpu_to_le16(usb_status);
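Review bot: The new `if (!usb_req) goto stall;` depends on a `stall` label that is outside this hunk — ch9getstatus's body continues past the visible lines, so the reviewer should confirm the label exists and ends in qe_ep0_stall() so the host sees a protocol STALL on EP0 rather than a hung control transfer. The branch deserves a one-line why-comment, since a bare `goto stall` after an allocation reads like a protocol error path rather than an OOM path: `/* OOM: stall EP0 instead of dereferencing a NULL request */`. Note also that the allocation still uses GFP_KERNEL; if ch9getstatus is reached from the setup-packet interrupt path (the call chain is not visible here), a sleeping allocation there would be a pre-existing issue this patch does not address and is worth a follow-up. The fix itself closes a NULL dereference on allocation failure (a crash/DoS vector triggerable by a GET_STATUS request under memory pressure), not a memory-corruption primitive.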
-- 
2.25.1

