Message ID | 20241025064331.1049538-1-chenridong@huaweicloud.com (mailing list archive) |
---|---|
State | New |
Series | usb: cdns3: avoid possible null_ptr_deref in cdns3_gadget_ep_queue |
On Fri, Oct 25, 2024 at 06:43:31AM +0000, Chen Ridong wrote: > From: Chen Ridong <chenridong@huawei.com> > > The cdns3_gadget_ep_alloc_request functions may return NULL > when memory is out of use. To avoid possible null_ptr_deref, > return ENOMEM when cdns3_gadget_ep_alloc_request returns NULL. > > Signed-off-by: Chen Ridong <chenridong@huawei.com> > --- > drivers/usb/cdns3/cdns3-gadget.c | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/drivers/usb/cdns3/cdns3-gadget.c b/drivers/usb/cdns3/cdns3-gadget.c > index fd1beb10bba7..982e8e0759e8 100644 > --- a/drivers/usb/cdns3/cdns3-gadget.c > +++ b/drivers/usb/cdns3/cdns3-gadget.c > @@ -2657,6 +2657,10 @@ static int cdns3_gadget_ep_queue(struct usb_ep *ep, struct usb_request *request, > struct cdns3_request *priv_req; > > zlp_request = cdns3_gadget_ep_alloc_request(ep, GFP_ATOMIC); > + if (!zlp_request) { > + spin_unlock_irqrestore(&priv_dev->lock, flags); > + return -ENOMEM; Are you sure this is ok? What about the resources that have been allocated before this return would interrupt them? How was this tested? thanks, greg k-h
diff --git a/drivers/usb/cdns3/cdns3-gadget.c b/drivers/usb/cdns3/cdns3-gadget.c index fd1beb10bba7..982e8e0759e8 100644 --- a/drivers/usb/cdns3/cdns3-gadget.c +++ b/drivers/usb/cdns3/cdns3-gadget.c @@ -2657,6 +2657,10 @@ static int cdns3_gadget_ep_queue(struct usb_ep *ep, struct usb_request *request, struct cdns3_request *priv_req; zlp_request = cdns3_gadget_ep_alloc_request(ep, GFP_ATOMIC); + if (!zlp_request) { + spin_unlock_irqrestore(&priv_dev->lock, flags); + return -ENOMEM; + } zlp_request->buf = priv_dev->zlp_buf; zlp_request->length = 0;
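Review bot: The new early return under `if (!zlp_request)` drops the lock and returns -ENOMEM, but the hunk does not show whether the caller's `request` has already been handed to the endpoint before the ZLP allocation. If it has, cdns3_gadget_ep_queue reports failure for a request that is still queued, and the caller may free or resubmit it while the controller still references it. Please either confirm in the commit message that nothing needs unwinding at this point, or undo the earlier queueing before the `return -ENOMEM;`. The commit message should also say how the NULL path was exercised, since a GFP_ATOMIC failure here is hard to hit without fault injection.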