subject:"\[PATCH\] usb\: gadget\: pch_udc\: don't update td\->next after it has been released to the pool"

Re: [PATCH] usb: gadget: pch_udc: don't update td->next after it has been released to the pool

2017-03-28 Thread Felipe Balbi


Hi,

Colin King  writes:
> From: Colin Ian King 
>
> Writing to td->next should be avoided after td has been freed using
> dma_pool_free. The intent was to nullify the next pointer, but this
> is potentially dangerous once it is back in the pool. Remove it.
>
> Detected by CoverityScan, CID#1091173 ("Write tp pointer after free")
>
> Signed-off-by: Colin Ian King 
> ---
>  drivers/usb/gadget/udc/pch_udc.c | 1 -
>  1 file changed, 1 deletion(-)
>
> diff --git a/drivers/usb/gadget/udc/pch_udc.c 
> b/drivers/usb/gadget/udc/pch_udc.c
> index 84dcbcd756f0..08bbe2c24134 100644
> --- a/drivers/usb/gadget/udc/pch_udc.c
> +++ b/drivers/usb/gadget/udc/pch_udc.c
> @@ -1523,7 +1523,6 @@ static void pch_udc_free_dma_chain(struct pch_udc_dev 
> *dev,
>   td = phys_to_virt(addr);
>   addr2 = (dma_addr_t)td->next;
>   dma_pool_free(dev->data_requests, td, addr);
> - td->next = 0x00;

I already have a patch for this, thanks

1f459262b0e1649a1e5ad12fa4c66eb76c2220ce
Author: Gustavo A. R. Silva 
AuthorDate: Fri Mar 10 15:39:32 2017 -0600
Commit: Felipe Balbi 
CommitDate: Wed Mar 22 11:21:10 2017 +0200

usb: gadget: udc: remove pointer dereference after free

Remove pointer dereference after free.

Addresses-Coverity-ID: 1091173
Acked-by: Michal Nazarewicz 
Signed-off-by: Gustavo A. R. Silva 
Signed-off-by: Felipe Balbi 

1 file changed, 1 deletion(-)
drivers/usb/gadget/udc/pch_udc.c | 1 -

modified   drivers/usb/gadget/udc/pch_udc.c
@@ -1523,7 +1523,6 @@ static void pch_udc_free_dma_chain(struct pch_udc_dev 
*dev,
td = phys_to_virt(addr);
addr2 = (dma_addr_t)td->next;
pci_pool_free(dev->data_requests, td, addr);
-   td->next = 0x00;
addr = addr2;
}
req->chain_len = 1;

-- 
balbi
--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH] usb: gadget: pch_udc: don't update td->next after it has been released to the pool

2017-03-28 Thread Colin Ian King

On 28/03/17 13:51, Felipe Balbi wrote:
> 
> Hi,
> 
> Colin King  writes:
>> From: Colin Ian King 
>>
>> Writing to td->next should be avoided after td has been freed using
>> dma_pool_free. The intent was to nullify the next pointer, but this
>> is potentially dangerous once it is back in the pool. Remove it.
>>
>> Detected by CoverityScan, CID#1091173 ("Write tp pointer after free")
>>
>> Signed-off-by: Colin Ian King 
>> ---
>>  drivers/usb/gadget/udc/pch_udc.c | 1 -
>>  1 file changed, 1 deletion(-)
>>
>> diff --git a/drivers/usb/gadget/udc/pch_udc.c 
>> b/drivers/usb/gadget/udc/pch_udc.c
>> index 84dcbcd756f0..08bbe2c24134 100644
>> --- a/drivers/usb/gadget/udc/pch_udc.c
>> +++ b/drivers/usb/gadget/udc/pch_udc.c
>> @@ -1523,7 +1523,6 @@ static void pch_udc_free_dma_chain(struct pch_udc_dev 
>> *dev,
>>  td = phys_to_virt(addr);
>>  addr2 = (dma_addr_t)td->next;
>>  dma_pool_free(dev->data_requests, td, addr);
>> -td->next = 0x00;
> 
> I already have a patch for this, thanks

Ah, I somehow overlooked that. Good to see it is fixed.

Colin

> 
> 1f459262b0e1649a1e5ad12fa4c66eb76c2220ce
> Author: Gustavo A. R. Silva 
> AuthorDate: Fri Mar 10 15:39:32 2017 -0600
> Commit: Felipe Balbi 
> CommitDate: Wed Mar 22 11:21:10 2017 +0200
> 
> usb: gadget: udc: remove pointer dereference after free
> 
> Remove pointer dereference after free.
> 
> Addresses-Coverity-ID: 1091173
> Acked-by: Michal Nazarewicz 
> Signed-off-by: Gustavo A. R. Silva 
> Signed-off-by: Felipe Balbi 
> 
> 1 file changed, 1 deletion(-)
> drivers/usb/gadget/udc/pch_udc.c | 1 -
> 
> modified   drivers/usb/gadget/udc/pch_udc.c
> @@ -1523,7 +1523,6 @@ static void pch_udc_free_dma_chain(struct pch_udc_dev 
> *dev,
>   td = phys_to_virt(addr);
>   addr2 = (dma_addr_t)td->next;
>   pci_pool_free(dev->data_requests, td, addr);
> - td->next = 0x00;
>   addr = addr2;
>   }
>   req->chain_len = 1;
> 

--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[PATCH] usb: gadget: pch_udc: don't update td->next after it has been released to the pool

2017-03-28 Thread Colin King

From: Colin Ian King 

Writing to td->next should be avoided after td has been freed using
dma_pool_free. The intent was to nullify the next pointer, but this
is potentially dangerous once it is back in the pool. Remove it.

Detected by CoverityScan, CID#1091173 ("Write tp pointer after free")

Signed-off-by: Colin Ian King 
---
 drivers/usb/gadget/udc/pch_udc.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/drivers/usb/gadget/udc/pch_udc.c b/drivers/usb/gadget/udc/pch_udc.c
index 84dcbcd756f0..08bbe2c24134 100644
--- a/drivers/usb/gadget/udc/pch_udc.c
+++ b/drivers/usb/gadget/udc/pch_udc.c
@@ -1523,7 +1523,6 @@ static void pch_udc_free_dma_chain(struct pch_udc_dev 
*dev,
td = phys_to_virt(addr);
addr2 = (dma_addr_t)td->next;
dma_pool_free(dev->data_requests, td, addr);
-   td->next = 0x00;
addr = addr2;
}
req->chain_len = 1;
-- 
2.11.0

--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH] usb: gadget: pch_udc: don't update td->next after it has been released to the pool

Re: [PATCH] usb: gadget: pch_udc: don't update td->next after it has been released to the pool

[PATCH] usb: gadget: pch_udc: don't update td->next after it has been released to the pool

3 matches

Site Navigation

Mail list logo

Footer information