From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1752744AbdBMQCz (ORCPT <rfc822;w@1wt.eu>);
        Mon, 13 Feb 2017 11:02:55 -0500
Received: from mail-wm0-f49.google.com ([74.125.82.49]:38431 "EHLO
        mail-wm0-f49.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1751313AbdBMQCp (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 13 Feb 2017 11:02:45 -0500
From: Michal Nazarewicz <mina86@mina86.com>
To: "Gustavo A. R. Silva" <garsilva@embeddedor.com>,
        Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Cc: gregkh@linuxfoundation.org, balbi@kernel.org,
        heikki.krogerus@linux.intel.com, mail@iagoabal.eu,
        linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org,
        Peter Senna Tschudin <peter.senna@gmail.com>
Subject: Re: [PATCH v2] usb: gadget: udc: remove pointer dereference after free
In-Reply-To: <20170211110731.Horde.BPRpngvnMPXYcqid3jyhoJ-@gator4166.hostgator.com>
Organization: http://mina86.com/
References: <20170208191549.GA3998@embeddedgus> <1486582639.2133.412.camel@linux.intel.com> <20170208153322.Horde.mdD6qAMhN7aTL6u10JtoBcQ@gator4166.hostgator.com> <20170211110731.Horde.BPRpngvnMPXYcqid3jyhoJ-@gator4166.hostgator.com>
User-Agent: Notmuch/0.19+53~g2e63a09 (http://notmuchmail.org) Emacs/26.0.50.1 (x86_64-unknown-linux-gnu)
Face: iVBORw0KGgoAAAANSUhEUgAAADAAAAAwBAMAAAClLOS0AAAAJFBMVEWbfGlUPDDHgE57V0jUupKjgIObY0PLrom9mH4dFRK4gmjPs41MxjOgAAACP0lEQVQ4T23Sv2vbQBQHcBk1xE6WyALX107VUEgmn6+ouUwpEQQ6uRjttkWP4CkBg2M0BQLBdPFZYPsyFYo7qEtKDQ7on+t7+nF2Ux8ahD587717OmNYrOvycHsZ+o2r051wHTHysAvGb8ygvgu4QWT0sCmkgZCIEnlV2X8BtyraazFGDuxhmKSQJMlwHQ7v5MHSNxmz78rfElwAa3ieVD9e+hBhjaPDDG6NgFo2f4wBMNIo5YmRtF0RyDgFjJjlMIWbnuM4x9MMfABGTlN4qgIQB4A1DEyA1BHWtfeWNUMwiVJKoqh97KrkOO+qzgluVYLvFCUKAX73nONeBr7BGMdM6Sg0kuep03VywLaIzRiVr+GAzKlpQIsAFnWAG2e6DT5WmWDiudZMIc6hYrMOmeMQK9WX0B+/RfjzL9DI7Y9/Iayn29Ci0r2i4f9gMimMSZLCDMalgQGU5hnUtqAN0OGvEmO1Wnl0C0wWSCEHnuHBqmygxdxA8oWXwbipoc1EoNR9DqOpBpOJrnr0criQab9ZT4LL+wI+K7GBQH30CrhUruilgP9DRTrhVWZCiAyILP+wiuLeCKGTD6r/nc8LOJcAwR6IBTUs+7CASw3QFZ0MdA2PI3zNziH4ZKVhXCRMBjeZ1DWMekKwDCASwExy+NQ86TaykaDAFHO4aP48y4fIcDM5yOG8GcTLbOyp8A8azjJI93JFd1EA6yN8sSxMQJWoABqniRZVykYgRXErzrdqExAoUrRb0xfRp8p2A/4XmfilTtkDZ4cAAAAASUVORK5CYII=
X-Face: -TR8(<R,PRXkou>rDTHy/(xl?SfWd1|3:TTgDIatE^t'vop%*gVg[kn$t{EpK(P"VQ=~T2#ysNmJKN$"yTRLB4YQs$4{[.]Fc1)*O]3+XO^oXM>Q#b^ix,O)Zbn)q[y06$`e3?C)`CwR9y5riE=fv^X@x$y?D<m=O>:XO6L&x4f-}}I4=VRNwiA^t1-ZrVK^07.Pi/57c_du'&
X-PGP: 50751FF4
X-PGP-FP: AC1F 5F5C D418 88F8 CC84 5858 2060 4012 5075 1FF4
X-Hashcash: 1:20:170213:linux-usb@vger.kernel.org::RhX/cn7KiJp3qrbA:0000000000000000000000000000000000000CmB
X-Hashcash: 1:20:170213:balbi@kernel.org::b0PZb8NX2Prm9/2y:01F9b
X-Hashcash: 1:20:170213:linux-kernel@vger.kernel.org::j+dW0rL+5usOgwwt:0000000000000000000000000000000003VeF
X-Hashcash: 1:20:170213:andriy.shevchenko@linux.intel.com::EahaFfcChVAPb2zB:00000000000000000000000000004V8l
X-Hashcash: 1:20:170213:mail@iagoabal.eu::5rvYVw4dNa37SLxj:02slN
X-Hashcash: 1:20:170213:heikki.krogerus@linux.intel.com::ULImW6MnQbvq+ZTJ:0000000000000000000000000000005+wn
X-Hashcash: 1:20:170213:garsilva@embeddedor.com::AxVNOK/OutHF5XTX:000000000000000000000000000000000000007qt4
X-Hashcash: 1:20:170213:peter.senna@gmail.com::H6BAqVT3+k6V2YA0:00000000000000000000000000000000000000009/AN
X-Hashcash: 1:20:170213:gregkh@linuxfoundation.org::KU3xDg+18p/A2okG:00000000000000000000000000000000000BbXK
Date: Mon, 13 Feb 2017 17:02:41 +0100
Message-ID: <xa1tfujidqou.fsf@mina86.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by mail.home.local id v1DG2wTs024844

On Sat, Feb 11 2017, Gustavo A. R. Silva wrote:
> Remove pointer dereference after free and set pointer to NULL after free.
>
> Addresses-Coverity-ID: 1091173
> Signed-off-by: Gustavo A. R. Silva <garsilva@embeddedor.com>

Acked-by: Michal Nazarewicz <mina86@mina86.com>

> ---
> Changes in v2:
>   Move pointer dereference before pci_pool_free()
>   Set pointer to NULL after free
>
>   drivers/usb/gadget/udc/pch_udc.c | 3 ++-
>   1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/usb/gadget/udc/pch_udc.c  
> b/drivers/usb/gadget/udc/pch_udc.c
> index a97da64..73bb58f 100644
> --- a/drivers/usb/gadget/udc/pch_udc.c
> +++ b/drivers/usb/gadget/udc/pch_udc.c
> @@ -1522,8 +1522,9 @@ static void pch_udc_free_dma_chain(struct  
> pch_udc_dev *dev,
>   		/* do not free first desc., will be done by free for request */
>   		td = phys_to_virt(addr);
>   		addr2 = (dma_addr_t)td->next;
> -		pci_pool_free(dev->data_requests, td, addr);
>   		td->next = 0x00;

Or just drop this.  pci_pool_free doesn’t care about contents of td.
It’s just a void* for it. 

> +		pci_pool_free(dev->data_requests, td, addr);
> +		td = NULL;

This isn’t necessary either.  td will get overwritten on next iteration
and once we’re done it’s not used again.

>   		addr = addr2;
>   	}
>   	req->chain_len = 1;

-- 
Best regards
ミハウ “𝓶𝓲𝓷𝓪86” ナザレヴイツ
«If at first you don’t succeed, give up skydiving»