On 8/14/25 12:45 PM, Andrew Goodbody wrote:
On 14/08/2025 04:21, Marek Vasut wrote:
On 8/13/25 6:30 PM, Andrew Goodbody wrote:
The call to cdns3_gadget_ep_free_request will free priv_req so do the
call to list_del_init which accesses the memory pointed to by priv_req
before the free.

This issue was found by Smatch.

Signed-off-by: Andrew Goodbody <andrew.goodb...@linaro.org>
---
  drivers/usb/cdns3/gadget.c | 4 ++--
  1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/usb/cdns3/gadget.c b/drivers/usb/cdns3/gadget.c
index a30c40ef80e..9eaf7e40ab6 100644
--- a/drivers/usb/cdns3/gadget.c
+++ b/drivers/usb/cdns3/gadget.c
@@ -557,10 +557,10 @@ static void cdns3_wa2_remove_old_request(struct cdns3_endpoint *priv_ep)
          trace_cdns3_wa2(priv_ep, "removes eldest request");
+        list_del_init(&priv_req->list);
          kfree(priv_req->request.buf);
          cdns3_gadget_ep_free_request(&priv_ep->endpoint,
                           &priv_req->request);
-        list_del_init(&priv_req->list);
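
Review bot: Neither the commit message nor the hunk says why kfree(priv_req->request.buf) stays ahead of cdns3_gadget_ep_free_request() while list_del_init() is moved. That kfree releases only the buffer and dereferences priv_req to reach it, so it also has to run before the call that frees priv_req. Please state this in the commit message, and consider a one-line comment above the cdns3_gadget_ep_free_request() call noting that priv_req must not be touched after it, so a later reorder does not bring the use-after-free back.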

Shouldn't the kfree() be moved here instead? cdns3_gadget_ep_free_request() also accesses priv_req->request.

No, I do not think so. The kfree frees priv_req->request.buf not priv_req->request so must happen before the call to cdns3_gadget_ep_free_request.

Thank you for clarifying. Please add this into the commit message, ideally wait for TI to test this and provide RB, then send V2 so this can go in.
