When usb_otg_descriptor_alloc() returns NULL to usb_desc, no error return code of msg_bind() is assigned. To fix this bug, status is assigned with -ENOMEM in this case. Reported-by: TOTE Robot <oslab@xxxxxxxxxxxxxxx>> Signed-off-by: Jia-Ju Bai <baijiaju1990@xxxxxxxxx> --- drivers/usb/gadget/legacy/mass_storage.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/usb/gadget/legacy/mass_storage.c b/drivers/usb/gadget/legacy/mass_storage.c index 9ed22c5fb7fe..ac1741126619 100644 --- a/drivers/usb/gadget/legacy/mass_storage.c +++ b/drivers/usb/gadget/legacy/mass_storage.c @@ -175,8 +175,10 @@ static int msg_bind(struct usb_composite_dev *cdev) struct usb_descriptor_header *usb_desc; usb_desc = usb_otg_descriptor_alloc(cdev->gadget); - if (!usb_desc) + if (!usb_desc) { + status = -ENOMEM; goto fail_string_ids; + } usb_otg_descriptor_init(cdev->gadget, usb_desc); otg_desc[0] = usb_desc; otg_desc[1] = NULL; -- 2.17.1