From: Michal Nazarewicz
To: "Gustavo A. R. Silva", balbi@kernel.org, gregkh@linuxfoundation.org, bhelgaas@google.com, heikki.krogerus@linux.intel.com
Cc: linux-geode@lists.infradead.org, linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH 1/2] usb: gadget: udc: avoid use of freed pointer
In-Reply-To: <0c06bad2c5454514ea6105de030374348abd7408.1486867169.git.garsilva@embeddedor.com>
References: <0c06bad2c5454514ea6105de030374348abd7408.1486867169.git.garsilva@embeddedor.com>
Organization: http://mina86.com/
Date: Mon, 13 Feb 2017 17:06:49 +0100
X-Mailing-List:
linux-kernel@vger.kernel.org Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by mail.home.local id v1DG9VD6025758 On Mon, Feb 13 2017, Gustavo A. R. Silva wrote: > Rewrite udc_free_dma_chain() function to avoid use of pointer after free. > > Addresses-Coverity-ID: 1091172 > Reviewed-by: Greg Kroah-Hartman > Signed-off-by: Gustavo A. R. Silva Acked-by: Michal Nazarewicz > --- > drivers/usb/gadget/udc/amd5536udc.c | 20 +++++++++++--------- > 1 file changed, 11 insertions(+), 9 deletions(-) > > diff --git a/drivers/usb/gadget/udc/amd5536udc.c b/drivers/usb/gadget/udc/amd5536udc.c > index ea03ca7..ded97a3 100644 > --- a/drivers/usb/gadget/udc/amd5536udc.c > +++ b/drivers/usb/gadget/udc/amd5536udc.c > @@ -611,21 +611,23 @@ udc_alloc_request(struct usb_ep *usbep, gfp_t gfp) > static int udc_free_dma_chain(struct udc *dev, struct udc_request *req) > { > int ret_val = 0; > - struct udc_data_dma *td; > - struct udc_data_dma *td_last = NULL; > + struct udc_data_dma *td = req->td_data; > unsigned int i; > > + dma_addr_t addr_aux = 0x00; Perhaps call it ‘addr_next’ or ‘next’? > + dma_addr_t addr = (dma_addr_t)td->next; > + td->next = 0x00; > + > DBG(dev, "free chain req = %p\n", req); > > /* do not free first desc., will be done by free for request */ > - td_last = req->td_data; > - td = phys_to_virt(td_last->next); > - > for (i = 1; i < req->chain_len; i++) { > - pci_pool_free(dev->data_requests, td, > - (dma_addr_t)td_last->next); > - td_last = td; > - td = phys_to_virt(td_last->next); > + td = phys_to_virt(addr); > + addr_aux = (dma_addr_t)td->next; > + td->next = 0x00; This is unnecessary. > + pci_pool_free(dev->data_requests, td, addr); > + td = NULL; Ditto. > + addr = addr_aux; > } > > return ret_val; > -- > 2.5.0 > -- Best regards ミハウ “𝓶𝓲𝓷𝓪86” ナザレヴイツ «If at first you don’t succeed, give up skydiving»
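Review bot: In the loop of udc_free_dma_chain(), `td->next = 0x00` just before `pci_pool_free()` and `td = NULL` just after it are dead stores, because the descriptor is being released and `td` is reassigned from `addr` at the top of the next iteration; dropping both keeps the actual fix, which is reading `td->next` into a local before the free. `addr_aux` needs no `0x00` initializer, since it is always written before it is read, and it could be declared inside the loop body under a name that says what it holds. The `td->next = 0x00` on the head descriptor before the loop is a behaviour change the commit message does not mention: the old code left the head's `next` untouched. If clearing it is intended, so that the head, which the comment says is freed later by the request free, no longer points at released descriptors, say so in the changelog. `ret_val` is still initialised to 0 and returned unchanged, so the function cannot report a failure.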