On 11/3/25 10:40, Michal Pecio wrote:
On Thu, 18 Sep 2025 21:08:38 +0800, Guangshuo Li wrote:
kcalloc_node() may fail. When the interrupter array allocation returns NULL, subsequent code uses xhci->interrupters (e.g. in xhci_add_interrupter() and in cleanup paths), leading to a potential NULL pointer dereference.
Check the allocation and bail out to the existing fail path to avoid the NULL dereference.
Fixes: c99b38c412343 ("xhci: add support to allocate several interrupters")
Cc: stable@vger.kernel.org
Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
drivers/usb/host/xhci-mem.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/usb/host/xhci-mem.c b/drivers/usb/host/xhci-mem.c index d698095fc88d..da257856e864 100644 --- a/drivers/usb/host/xhci-mem.c +++ b/drivers/usb/host/xhci-mem.c @@ -2505,7 +2505,8 @@ int xhci_mem_init(struct xhci_hcd *xhci, gfp_t flags) "Allocating primary event ring"); xhci->interrupters = kcalloc_node(xhci->max_interrupters, sizeof(*xhci->interrupters), flags, dev_to_node(dev));
- if (!xhci->interrupters)
ir = xhci_alloc_interrupter(xhci, 0, flags); if (!ir) goto fail;goto fail;-- 2.43.0
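Review bot: the fail path this hunk jumps to must cope with xhci->interrupters being NULL, since the commit message itself names the cleanup paths among the places that dereference the array; please confirm the cleanup walks the array only when the pointer is non-NULL, otherwise the new `goto fail` just moves the NULL dereference into teardown. Separately, the hunk as shown has a `-` marker on `if (!xhci->interrupters)` and the trailing `goto fail;` run together, while the diffstat reports 2 insertions and 1 deletion, which matches replacing the blank line with the two-line check `if (!xhci->interrupters)` / `goto fail;` placed before `ir = xhci_alloc_interrupter(xhci, 0, flags);`; worth re-sending so the markers are unambiguous.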
Hi Greg and Mathias,
I noticed that this bug still exists in current 6.6 and 6.12 releases, what would be the sensible course of action to fix it?
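The pattern the patch describes (check the array allocation, jump to the shared fail path, and have that path tolerate a NULL array) can be exercised outside the kernel with fault injection. The following is an added example written for this thread, not code from the patch or from drivers/usb/host/xhci-mem.c: the `hcd` and `interrupter` structures, `alloc_zeroed`, `fail_next_alloc` and `run_init` are constructed stand-ins that mirror the shape of the xhci code, and the allocation failure is injected deliberately.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for the xhci structures (not the kernel layout). */
struct interrupter {
	int id;
};

struct hcd {
	unsigned int max_interrupters;
	struct interrupter **interrupters;  /* array of pointers; NULL until allocated */
	struct interrupter *primary;
};

/* Fault-injection knob: when non-zero, the next array allocation returns NULL,
 * standing in for kcalloc_node() failing. */
static int fail_next_alloc;

static void *alloc_zeroed(size_t n, size_t size)
{
	if (fail_next_alloc) {
		fail_next_alloc = 0;
		return NULL;
	}
	return calloc(n, size);
}

/* Mirrors the role of xhci_alloc_interrupter(): it indexes the array, so
 * calling it with a NULL array is the dereference the patch guards against. */
static struct interrupter *alloc_interrupter(struct hcd *h, int id)
{
	struct interrupter *ir = calloc(1, sizeof(*ir));

	if (!ir)
		return NULL;
	ir->id = id;
	h->interrupters[id] = ir;
	return ir;
}

/* Shared cleanup for the fail path and normal teardown. It must tolerate a
 * NULL array, because the fail path is now reachable before it exists. */
static void mem_cleanup(struct hcd *h)
{
	unsigned int i;

	if (h->interrupters) {
		for (i = 0; i < h->max_interrupters; i++)
			free(h->interrupters[i]);
		free(h->interrupters);
		h->interrupters = NULL;
	}
	h->primary = NULL;
}

/* Returns 0 on success or -ENOMEM; the array is checked before anything
 * indexes it, which is the change the patch makes. */
static int mem_init(struct hcd *h, unsigned int max)
{
	h->max_interrupters = max;
	h->interrupters = alloc_zeroed(max, sizeof(*h->interrupters));
	if (!h->interrupters)
		goto fail;
	h->primary = alloc_interrupter(h, 0);
	if (!h->primary)
		goto fail;
	return 0;
fail:
	mem_cleanup(h);
	return -ENOMEM;
}

/* Test helper: runs init with or without an injected failure and returns
 * the init result, or -1 if the array pointer was left dangling afterwards. */
static int run_init(int inject_failure)
{
	struct hcd h;
	int ret;

	memset(&h, 0, sizeof(h));
	fail_next_alloc = inject_failure;
	ret = mem_init(&h, 4);
	if (ret == 0)
		mem_cleanup(&h);
	if (h.interrupters != NULL)
		return -1;
	return ret;
}
```

`run_init(1)` injects the failure and must come back with `-ENOMEM` and a reset array pointer; without the check in `mem_init`, `alloc_interrupter` would write through the NULL array instead. The same fault-injection approach is what makes such a path testable in the first place, since a failed small allocation is otherwise hard to provoke.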
Not sure this qualifies for stable. Is this something that has really happened in real life?
The stable-kernel-rules.rst states it should "fix a real bug that bothers people".
If kcalloc_node() fails to allocate that array of pointers then something else is already badly messed up.
That being said, I don't object to this being added to stable either.
Thanks,
Mathias