Re: [PATCH] usb: gadget: pch_udc: don't update td->next after it has been released to the pool
Hi, Colin King writes: > From: Colin Ian King > > Writing to td->next should be avoided after td has been freed using > dma_pool_free. The intent was to nullify the next pointer, but this > is potentially dangerous once it is back in the pool. Remove it. > > Detected by CoverityScan, CID#1091173 ("Write tp pointer after free") > > Signed-off-by: Colin Ian King > --- > drivers/usb/gadget/udc/pch_udc.c | 1 - > 1 file changed, 1 deletion(-) > > diff --git a/drivers/usb/gadget/udc/pch_udc.c > b/drivers/usb/gadget/udc/pch_udc.c > index 84dcbcd756f0..08bbe2c24134 100644 > --- a/drivers/usb/gadget/udc/pch_udc.c > +++ b/drivers/usb/gadget/udc/pch_udc.c > @@ -1523,7 +1523,6 @@ static void pch_udc_free_dma_chain(struct pch_udc_dev > *dev, > td = phys_to_virt(addr); > addr2 = (dma_addr_t)td->next; > dma_pool_free(dev->data_requests, td, addr); > - td->next = 0x00; I already have a patch for this, thanks 1f459262b0e1649a1e5ad12fa4c66eb76c2220ce Author: Gustavo A. R. Silva AuthorDate: Fri Mar 10 15:39:32 2017 -0600 Commit: Felipe Balbi CommitDate: Wed Mar 22 11:21:10 2017 +0200 usb: gadget: udc: remove pointer dereference after free Remove pointer dereference after free. Addresses-Coverity-ID: 1091173 Acked-by: Michal Nazarewicz Signed-off-by: Gustavo A. R. Silva Signed-off-by: Felipe Balbi 1 file changed, 1 deletion(-) drivers/usb/gadget/udc/pch_udc.c | 1 - modified drivers/usb/gadget/udc/pch_udc.c @@ -1523,7 +1523,6 @@ static void pch_udc_free_dma_chain(struct pch_udc_dev *dev, td = phys_to_virt(addr); addr2 = (dma_addr_t)td->next; pci_pool_free(dev->data_requests, td, addr); - td->next = 0x00; addr = addr2; } req->chain_len = 1; -- balbi
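Review bot: the context line `td = phys_to_virt(addr);` in pch_udc_free_dma_chain(), present in both hunks above, treats `addr` as a physical address, yet the same value is passed as the DMA handle in the third argument of the pool free call. A DMA address is not guaranteed to equal a physical address (an IOMMU or a bus offset breaks the assumption), so the chain walk can end up dereferencing the wrong `td`; it would be better tracked through the virtual address the pool returned at allocation time. That is outside the one-line deletion and belongs in a follow-up. Also note that the two hunks differ only in the context line (`dma_pool_free` in the posted patch, `pci_pool_free` in the applied commit), so they target different trees and only one can apply to a given tree.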
Re: [PATCH] usb: gadget: pch_udc: don't update td->next after it has been released to the pool
On 28/03/17 13:51, Felipe Balbi wrote: > > Hi, > > Colin King writes: >> From: Colin Ian King >> >> Writing to td->next should be avoided after td has been freed using >> dma_pool_free. The intent was to nullify the next pointer, but this >> is potentially dangerous once it is back in the pool. Remove it. >> >> Detected by CoverityScan, CID#1091173 ("Write tp pointer after free") >> >> Signed-off-by: Colin Ian King >> --- >> drivers/usb/gadget/udc/pch_udc.c | 1 - >> 1 file changed, 1 deletion(-) >> >> diff --git a/drivers/usb/gadget/udc/pch_udc.c >> b/drivers/usb/gadget/udc/pch_udc.c >> index 84dcbcd756f0..08bbe2c24134 100644 >> --- a/drivers/usb/gadget/udc/pch_udc.c >> +++ b/drivers/usb/gadget/udc/pch_udc.c >> @@ -1523,7 +1523,6 @@ static void pch_udc_free_dma_chain(struct pch_udc_dev >> *dev, >> td = phys_to_virt(addr); >> addr2 = (dma_addr_t)td->next; >> dma_pool_free(dev->data_requests, td, addr); >> -td->next = 0x00; > > I already have a patch for this, thanks Ah, I somehow overlooked that. Good to see it is fixed. Colin > > 1f459262b0e1649a1e5ad12fa4c66eb76c2220ce > Author: Gustavo A. R. Silva > AuthorDate: Fri Mar 10 15:39:32 2017 -0600 > Commit: Felipe Balbi > CommitDate: Wed Mar 22 11:21:10 2017 +0200 > > usb: gadget: udc: remove pointer dereference after free > > Remove pointer dereference after free. > > Addresses-Coverity-ID: 1091173 > Acked-by: Michal Nazarewicz > Signed-off-by: Gustavo A. R. Silva > Signed-off-by: Felipe Balbi > > 1 file changed, 1 deletion(-) > drivers/usb/gadget/udc/pch_udc.c | 1 - > > modified drivers/usb/gadget/udc/pch_udc.c
> @@ -1523,7 +1523,6 @@ static void pch_udc_free_dma_chain(struct pch_udc_dev > *dev, > td = phys_to_virt(addr); > addr2 = (dma_addr_t)td->next; > pci_pool_free(dev->data_requests, td, addr); > - td->next = 0x00; > addr = addr2; > } > req->chain_len = 1; >
[PATCH] usb: gadget: pch_udc: don't update td->next after it has been released to the pool
From: Colin Ian King

Writing to td->next should be avoided after td has been freed using dma_pool_free. The intent was to nullify the next pointer, but this is potentially dangerous once it is back in the pool. Remove it. Detected by CoverityScan, CID#1091173 ("Write tp pointer after free") Signed-off-by: Colin Ian King --- drivers/usb/gadget/udc/pch_udc.c | 1 - 1 file changed, 1 deletion(-) diff --git a/drivers/usb/gadget/udc/pch_udc.c b/drivers/usb/gadget/udc/pch_udc.c index 84dcbcd756f0..08bbe2c24134 100644 --- a/drivers/usb/gadget/udc/pch_udc.c +++ b/drivers/usb/gadget/udc/pch_udc.c @@ -1523,7 +1523,6 @@ static void pch_udc_free_dma_chain(struct pch_udc_dev *dev, td = phys_to_virt(addr); addr2 = (dma_addr_t)td->next; dma_pool_free(dev->data_requests, td, addr); - td->next = 0x00; addr = addr2; } req->chain_len = 1; -- 2.11.0
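Review bot: nothing in the loop body of pch_udc_free_dma_chain() documents that `addr2 = (dma_addr_t)td->next;` has to stay ahead of `dma_pool_free(dev->data_requests, td, addr);`, and with the store gone that ordering is the only thing keeping the walk off freed memory. A one-line comment above the `addr2` read saying that `td` must not be touched once it is handed back to the pool would make it harder for a later cleanup to reintroduce the access. The changelog says the write is "potentially dangerous" without saying why; stating that the block belongs to the pool again and may be handed out to another user would make the use-after-free explicit. The quoted checker name "Write tp pointer after free" also looks like a typo for "to".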