qe_alloc_request() may return NULL on allocation failure. ch9getstatus() passes the return value directly to container_of() and then immediately dereferences the resulting qe_req pointer. Check the allocation result before using it and stall the control request on failure.
Signed-off-by: Haoxiang Li <[email protected]>
---
 drivers/usb/gadget/udc/fsl_qe_udc.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/drivers/usb/gadget/udc/fsl_qe_udc.c b/drivers/usb/gadget/udc/fsl_qe_udc.c
index bf87285ad13c..603c77ff129f 100644
--- a/drivers/usb/gadget/udc/fsl_qe_udc.c
+++ b/drivers/usb/gadget/udc/fsl_qe_udc.c
@@ -1945,6 +1945,7 @@ static void ch9getstatus(struct qe_udc *udc, u8 request_type, u16 value,
 u16 index, u16 length)
 {
 u16 usb_status = 0;
+ struct usb_request *usb_req;
 struct qe_req *req;
 struct qe_ep *ep;
 int status = 0;
@@ -1983,8 +1984,11 @@ static void ch9getstatus(struct qe_udc *udc, u8 request_type, u16 value,
 }
 }
- req = container_of(qe_alloc_request(&ep->ep, GFP_KERNEL), struct qe_req, req);
+ usb_req = qe_alloc_request(&ep->ep, GFP_KERNEL);
+ if (!usb_req)
+ goto stall;
+
+ req = container_of(usb_req, struct qe_req, req);
 req->req.length = 2;
 req->req.buf = udc->statusbuf;
 *(u16 *)req->req.buf = cpu_to_le16(usb_status);
--
2.25.1
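Review bot: The new `goto stall` on the allocation-failure path jumps to a label that appears in neither hunk; ch9getstatus() continues past the second hunk, so this presumably relies on an existing `stall:` label that ends in qe_ep0_stall(), which is worth confirming since the new path has set up nothing that would need undoing there. The allocation that is now checked still passes GFP_KERNEL; if ch9getstatus() can be reached from the controller's interrupt handler under udc->lock (not visible here), that flag would be wrong independent of the NULL check and GFP_ATOMIC would be needed. A one-line comment would make the intent of the new branch clear to the next reader, e.g. `/* No request to carry the status: stall EP0 instead of dereferencing NULL */` placed above `if (!usb_req)`.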
