On 2/28/24 11:33 AM, Prashanth K wrote:
> Currently xhci_map_urb_for_dma() creates a temporary buffer
> and copies the SG list to the new linear buffer. But if the
> kzalloc_node() fails, then the following sg_pcopy_to_buffer()
> can lead to crash since it tries to memcpy to NULL pointer.
> So return -EAGAIN if kzalloc returns null pointer.
>
> Cc: <stable@xxxxxxxxxxxxxxx> # 5.11
> Fixes: 2017a1e58472 ("usb: xhci: Use temporary buffer to consolidate SG")
> Signed-off-by: Prashanth K <quic_prashk@xxxxxxxxxxx>
> ---
> drivers/usb/host/xhci.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c
> index c057c42c36f4..0597a60bec34 100644
> --- a/drivers/usb/host/xhci.c
> +++ b/drivers/usb/host/xhci.c
> @@ -1218,6 +1218,9 @@ static int xhci_map_temp_buffer(struct usb_hcd *hcd, struct urb *urb)
> temp = kzalloc_node(buf_len, GFP_ATOMIC,
> dev_to_node(hcd->self.sysdev));
>
I don't think we need an empty line here.
> + if (!temp)
> + return -EAGAIN;
Not -ENOMEM?
> +
> if (usb_urb_dir_out(urb))
> sg_pcopy_to_buffer(urb->sg, urb->num_sgs,
> temp, buf_len, 0);
MBR, Sergey
