find_tt() can return NULL or the error value in ERR_PTR() and
dereferencing the return value without checking for the error can
lead to a possible dereference of NULL pointer or ERR_PTR().
Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@xxxxxxxxx>
---
drivers/usb/host/ehci-sched.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/usb/host/ehci-sched.c b/drivers/usb/host/ehci-sched.c
index 6dfb242f9a4b..f3fd7e9fe6b2 100644
--- a/drivers/usb/host/ehci-sched.c
+++ b/drivers/usb/host/ehci-sched.c
@@ -245,6 +245,8 @@ static void reserve_release_intr_bandwidth(struct ehci_hcd *ehci,
/* FS/LS bus bandwidth */
if (tt_usecs) {
tt = find_tt(qh->ps.udev);
+ if (IS_ERR_OR_NULL(tt))
+ return;
if (sign > 0)
list_add_tail(&qh->ps.ps_list, &tt->ps_list);
else
@@ -1338,6 +1340,8 @@ static void reserve_release_iso_bandwidth(struct ehci_hcd *ehci,
}
tt = find_tt(stream->ps.udev);
+ if (IS_ERR_OR_NULL(tt))
+ return;
if (sign > 0)
list_add_tail(&stream->ps.ps_list, &tt->ps_list);
else
--
2.11.0
