usb: gadget: f_mass_storage: Fix NULL dereference in fsg_add()

fsg_common_init() can fail when memory is low. In that case, it returns
PTR_ERR().
fsg_add() does not check for failure, and thus dereferences an invalid
fsg_common later, which crashes.

Verify if we receive an error from fsg_common_init() and handle it
gracefully.

Reported-by: Zixun LI <admin@hifiphile.com>
Signed-off-by: Mattijs Korpershoek <mkorpershoek@baylibre.com>
Tested-by: Zixun LI <admin@hifiphile.com> # on SAM9X60
Link: https://lore.kernel.org/r/20250328-ums-gadget-leak-v1-3-3b677db99bde@baylibre.com
Signed-off-by: Mattijs Korpershoek <mkorpershoek@kernel.org>

diff --git a/drivers/usb/gadget/f_mass_storage.c b/drivers/usb/gadget/f_mass_storage.c
index 6f46418..fcce6d1 100644 (file)
--- a/drivers/usb/gadget/f_mass_storage.c
+++ b/drivers/usb/gadget/f_mass_storage.c
@@ -2742,6 +2742,8 @@ int fsg_add(struct usb_configuration *c)
        struct fsg_common *fsg_common;
 
        fsg_common = fsg_common_init(NULL, c->cdev);
+       if (IS_ERR(fsg_common))
+               return PTR_ERR(fsg_common);
 
        fsg_common->vendor_name = 0;
        fsg_common->product_name = 0;