On Thu, Sep 04, 2025 at 07:46:13PM +0800, Kuen-Han Tsai wrote:
> When an ncm_bind/unbind cycle occurs, the ncm->notify_req pointer is
> left pointing to a stale address. If a subsequent call to ncm_bind()
> fails to allocate the endpoints, the function jumps to the unified error
> label. The cleanup code sees the stale ncm->notify_req pointer and calls
> usb_ep_free_request().
>
> This results in an NPE because it attempts to access the free_request
> function through the endpoint's operations table (ep->ops), which is
> NULL.
>
> Refactor the error path to use cascading goto labels, ensuring that
> resources are freed in reverse order of allocation. Besides, explicitly
> set pointers to NULL after freeing them.

Why must the pointers be set to NULL? What is checking and requiring that?

And this unwinding is tailor-made for the guard() type of logic, why not
convert this code to do that instead, which will fix all of these bugs
automatically, right?

thanks,

greg k-h
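An added illustration of the failure the quoted commit message describes, written for this thread and not taken from the patch or the kernel: mock stand-ins for the NCM objects, a unified-label error path beside a cascading one, and a bind/unbind/rebind cycle that counts frees attempted through a dead endpoint instead of crashing. Every name other than those in the quoted message (ep_free_request, autoconfig, ep_budget, stale_free_hits, the mock structs) is an assumption.

```c
#include <stdlib.h>
/* Stand-ins for the objects named in the thread; mock code, not the kernel's. */
struct usb_ep { void (*free_request)(void *); };   /* NULL op stands in for ep->ops == NULL */
struct usb_request { void *buf; };
struct f_ncm { struct usb_ep *notify; struct usb_request *notify_req; };
static int stale_free_hits;   /* frees attempted through a dead endpoint, counted instead of crashing */
static void ep_free_request(struct usb_ep *ep, struct usb_request *req)   /* mock usb_ep_free_request */
{ if (!ep || !ep->free_request) { stale_free_hits++; return; } ep->free_request(req); }
static int ep_budget; static struct usb_ep live_ep = { free };   /* constructed fault injection */
static struct usb_ep *autoconfig(void) { return ep_budget-- > 0 ? &live_ep : NULL; }

/* Before: one label frees every non-NULL pointer, including one left over from the previous bind. */
int ncm_bind_unified(struct f_ncm *ncm)
{
    if (!(ncm->notify = autoconfig())) goto fail;
    if (!(ncm->notify_req = calloc(1, sizeof(*ncm->notify_req)))) goto fail;
    if (!(ncm->notify_req->buf = malloc(16))) goto fail;
    return 0;
fail:
    if (ncm->notify_req) ep_free_request(ncm->notify, ncm->notify_req);   /* stale after a rebind */
    return -1;
}

/* After: cascading labels undo only this call's allocations, in reverse order, and clear pointers. */
int ncm_bind_cascading(struct f_ncm *ncm)
{
    if (!(ncm->notify = autoconfig())) goto fail;
    if (!(ncm->notify_req = calloc(1, sizeof(*ncm->notify_req)))) goto fail;
    if (!(ncm->notify_req->buf = malloc(16))) goto free_req;
    return 0;
free_req:
    ep_free_request(ncm->notify, ncm->notify_req);
    ncm->notify_req = NULL;
fail:
    return -1;
}

static void ncm_unbind(struct f_ncm *ncm)   /* notify_req is left dangling, as in the report */
{
    free(ncm->notify_req->buf); ep_free_request(ncm->notify, ncm->notify_req); ncm->notify = NULL;
}

/* Bind, unbind, then bind again with no endpoint available; returns how many stale frees happened. */
int bind_unbind_rebind(int (*bind)(struct f_ncm *))
{
    struct f_ncm ncm = { 0 };
    ep_budget = 1; stale_free_hits = 0;
    if (bind(&ncm)) return -1;
    ncm_unbind(&ncm);
    bind(&ncm);   /* autoconfig returns NULL, so the error path runs on the stale state */
    return stale_free_hits;
}
```

The unified version reports one free through a dead endpoint on the rebind; the cascading version reports none, since it never consults state it did not allocate itself.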