From: "Gustavo A. R. Silva" <garsilva@embeddedor.com>
To: Michal Nazarewicz <mina86@mina86.com>,
balbi@kernel.org, gregkh@linuxfoundation.org,
bhelgaas@google.com, heikki.krogerus@linux.intel.com
Cc: linux-geode@lists.infradead.org, linux-usb@vger.kernel.org,
linux-kernel@vger.kernel.org,
Peter Senna Tschudin <peter.senna@gmail.com>,
"Gustavo A. R. Silva" <garsilva@embeddedor.com>
Subject: [PATCH v2 1/2] usb: gadget: udc: avoid use of freed pointer
Date: Mon, 3 Apr 2017 23:28:46 -0500 [thread overview]
Message-ID: <20170404042846.GA15984@embeddedgus> (raw)
In-Reply-To: <20170214155351.Horde.RbjzVc4YaibN9ftOcW_ubLW@webmail.embeddedor.com>
Rewrite udc_free_dma_chain() function to avoid use of pointer after free.
Addresses-Coverity-ID: 1091172
Acked-by: Michal Nazarewicz <mina86@mina86.com>
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Gustavo A. R. Silva <garsilva@embeddedor.com>
---
Changes in v2:
Remove 'td->next = 0x00' inside for loop.
Remove unnecessary pointer nullification after free.
Rename variable addr_aux to addr_next.
drivers/usb/gadget/udc/amd5536udc.c | 17 ++++++++---------
1 file changed, 8 insertions(+), 9 deletions(-)
diff --git a/drivers/usb/gadget/udc/amd5536udc.c b/drivers/usb/gadget/udc/amd5536udc.c
index ea03ca7..821d088 100644
--- a/drivers/usb/gadget/udc/amd5536udc.c
+++ b/drivers/usb/gadget/udc/amd5536udc.c
@@ -611,21 +611,20 @@ udc_alloc_request(struct usb_ep *usbep, gfp_t gfp)
static int udc_free_dma_chain(struct udc *dev, struct udc_request *req)
{
int ret_val = 0;
- struct udc_data_dma *td;
- struct udc_data_dma *td_last = NULL;
+ struct udc_data_dma *td = req->td_data;
unsigned int i;
+ dma_addr_t addr_next = 0x00;
+ dma_addr_t addr = (dma_addr_t)td->next;
+
DBG(dev, "free chain req = %p\n", req);
/* do not free first desc., will be done by free for request */
- td_last = req->td_data;
- td = phys_to_virt(td_last->next);
-
for (i = 1; i < req->chain_len; i++) {
- pci_pool_free(dev->data_requests, td,
- (dma_addr_t)td_last->next);
- td_last = td;
- td = phys_to_virt(td_last->next);
+ td = phys_to_virt(addr);
+ addr_next = (dma_addr_t)td->next;
+ pci_pool_free(dev->data_requests, td, addr);
+ addr = addr_next;
}
return ret_val;
--
2.5.0
next prev parent reply other threads:[~2017-04-04 4:52 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-02-13 15:37 [PATCH 0/2] avoid use of freed pointer Gustavo A. R. Silva
2017-02-13 15:40 ` [PATCH 1/2] usb: gadget: udc: " Gustavo A. R. Silva
2017-02-13 16:06 ` Michal Nazarewicz
2017-02-14 21:53 ` Gustavo A. R. Silva
2017-02-14 21:58 ` [PATCH v2 " Gustavo A. R. Silva
2017-02-14 22:03 ` [PATCH v2 2/2] usb: gadget: udc: remove unnecessary variable and update function prototype Gustavo A. R. Silva
2017-04-04 4:28 ` Gustavo A. R. Silva [this message]
2017-04-04 4:34 ` Gustavo A. R. Silva
2017-04-05 12:32 ` [PATCH v2 1/2] usb: gadget: udc: avoid use of freed pointer Felipe Balbi
2017-02-13 15:40 ` [PATCH 2/2] usb: gadget: udc: remove unnecessary variable and update function prototype Gustavo A. R. Silva
2017-02-13 16:07 ` Michal Nazarewicz
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170404042846.GA15984@embeddedgus \
--to=garsilva@embeddedor.com \
--cc=balbi@kernel.org \
--cc=bhelgaas@google.com \
--cc=gregkh@linuxfoundation.org \
--cc=heikki.krogerus@linux.intel.com \
--cc=linux-geode@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-usb@vger.kernel.org \
--cc=mina86@mina86.com \
--cc=peter.senna@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.