Re: [PATCH] usb: xhci: Check kcalloc_node() when allocating interrupter array in xhci_mem_init()

From: Mathias Nyman
Date: Mon Nov 03 2025 - 06:02:27 EST


On 11/3/25 10:40, Michal Pecio wrote:
On Thu, 18 Sep 2025 21:08:38 +0800, Guangshuo Li wrote:
kcalloc_node() may fail. When the interrupter array allocation returns
NULL, subsequent code uses xhci->interrupters (e.g. in xhci_add_interrupter()
and in cleanup paths), leading to a potential NULL pointer dereference.

Check the allocation and bail out to the existing fail path to avoid
the NULL dereference.

Fixes: c99b38c412343 ("xhci: add support to allocate several interrupters")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Guangshuo Li <lgs201920130244@xxxxxxxxx>
---
drivers/usb/host/xhci-mem.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/usb/host/xhci-mem.c b/drivers/usb/host/xhci-mem.c
index d698095fc88d..da257856e864 100644
--- a/drivers/usb/host/xhci-mem.c
+++ b/drivers/usb/host/xhci-mem.c
@@ -2505,7 +2505,8 @@ int xhci_mem_init(struct xhci_hcd *xhci, gfp_t flags)
"Allocating primary event ring");
xhci->interrupters = kcalloc_node(xhci->max_interrupters, sizeof(*xhci->interrupters),
flags, dev_to_node(dev));
-
+ if (!xhci->interrupters)
+ goto fail;
ir = xhci_alloc_interrupter(xhci, 0, flags);
if (!ir)
goto fail;
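Review bot: the changelog above says cleanup paths also dereference xhci->interrupters, so the new `goto fail` only avoids the crash if whatever runs under the `fail` label checks for a NULL interrupters array before walking it; please state in the commit message that the cleanup path is NULL-safe (or make it so in the same patch), otherwise this just moves the dereference from xhci_mem_init() to the error path. Minor: dropping the blank line after the kcalloc_node() call is fine, since the new check belongs with the allocation.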
--
2.43.0

Hi Greg and Mathias,

I noticed that this bug still exists in current 6.6 and 6.12 releases;
what would be the sensible course of action to fix it?


Not sure this qualifies for stable.
Is this something that has really happened in real life?

The stable-kernel-rules.rst states it should "fix a real bug that bothers people".

If kcalloc_node() fails to allocate that array of pointers then something
else is already badly messed up.

That being said, I don't object to this being added to stable either.

Thanks
Mathias