On Mon, Feb 13 2017, Gustavo A. R. Silva wrote:
> Rewrite udc_free_dma_chain() function to avoid use of pointer after free.
>
> Addresses-Coverity-ID: 1091172
> Reviewed-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
> Signed-off-by: Gustavo A. R. Silva <garsilva@xxxxxxxxxxxxxx>
Acked-by: Michal Nazarewicz <mina86@xxxxxxxxxx>
> ---
> drivers/usb/gadget/udc/amd5536udc.c | 20 +++++++++++---------
> 1 file changed, 11 insertions(+), 9 deletions(-)
>
> diff --git a/drivers/usb/gadget/udc/amd5536udc.c b/drivers/usb/gadget/udc/amd5536udc.c
> index ea03ca7..ded97a3 100644
> --- a/drivers/usb/gadget/udc/amd5536udc.c
> +++ b/drivers/usb/gadget/udc/amd5536udc.c
> @@ -611,21 +611,23 @@ udc_alloc_request(struct usb_ep *usbep, gfp_t gfp)
> static int udc_free_dma_chain(struct udc *dev, struct udc_request *req)
> {
> int ret_val = 0;
> - struct udc_data_dma *td;
> - struct udc_data_dma *td_last = NULL;
> + struct udc_data_dma *td = req->td_data;
> unsigned int i;
>
> + dma_addr_t addr_aux = 0x00;
Perhaps call it ‘addr_next’ or ‘next’?
> + dma_addr_t addr = (dma_addr_t)td->next;
> + td->next = 0x00;
> +
> DBG(dev, "free chain req = %p\n", req);
>
> /* do not free first desc., will be done by free for request */
> - td_last = req->td_data;
> - td = phys_to_virt(td_last->next);
> -
> for (i = 1; i < req->chain_len; i++) {
> - pci_pool_free(dev->data_requests, td,
> - (dma_addr_t)td_last->next);
> - td_last = td;
> - td = phys_to_virt(td_last->next);
> + td = phys_to_virt(addr);
> + addr_aux = (dma_addr_t)td->next;
> + td->next = 0x00;
This is unnecessary.
> + pci_pool_free(dev->data_requests, td, addr);
> + td = NULL;
Ditto.
> + addr = addr_aux;
> }
>
> return ret_val;
> --
> 2.5.0
>
--
Best regards
ミハウ “𝓶𝓲𝓷𝓪86” ナザレヴイツ
«If at first you don’t succeed, give up skydiving»
--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
