Rewrite udc_free_dma_chain() function to avoid use of pointer after free. Addresses-Coverity-ID: 1091172 Acked-by: Michal Nazarewicz <min...@mina86.com> Reviewed-by: Greg Kroah-Hartman <gre...@linuxfoundation.org> Signed-off-by: Gustavo A. R. Silva <garsi...@embeddedor.com> --- Changes in v2: Remove 'td->next = 0x00' inside for loop. Remove unnecessary pointer nullification after free. Rename variable addr_aux to addr_next.
drivers/usb/gadget/udc/amd5536udc.c | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-) diff --git a/drivers/usb/gadget/udc/amd5536udc.c b/drivers/usb/gadget/udc/amd5536udc.c index ea03ca7..821d088 100644 --- a/drivers/usb/gadget/udc/amd5536udc.c +++ b/drivers/usb/gadget/udc/amd5536udc.c @@ -611,21 +611,20 @@ udc_alloc_request(struct usb_ep *usbep, gfp_t gfp) static int udc_free_dma_chain(struct udc *dev, struct udc_request *req) { int ret_val = 0; - struct udc_data_dma *td; - struct udc_data_dma *td_last = NULL; + struct udc_data_dma *td = req->td_data; unsigned int i; + dma_addr_t addr_next = 0x00; + dma_addr_t addr = (dma_addr_t)td->next; + DBG(dev, "free chain req = %p\n", req); /* do not free first desc., will be done by free for request */ - td_last = req->td_data; - td = phys_to_virt(td_last->next); - for (i = 1; i < req->chain_len; i++) { - pci_pool_free(dev->data_requests, td, - (dma_addr_t)td_last->next); - td_last = td; - td = phys_to_virt(td_last->next); + td = phys_to_virt(addr); + addr_next = (dma_addr_t)td->next; + pci_pool_free(dev->data_requests, td, addr); + addr = addr_next; } return ret_val; -- 2.5.0
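Review bot: Inside the loop, `td = phys_to_virt(addr);` still converts the DMA handle that is then passed to `pci_pool_free()` into a CPU pointer, which is only valid where DMA addresses equal physical addresses (no IOMMU or bounce buffering); the rewrite removes the read of `td->next` after the free but keeps that assumption. If it is intentional for this hardware, a comment above the loop would record it, for example `/* descriptors are chained by DMA address; phys_to_virt() assumes DMA address == physical address */`; otherwise the chain would need to be walked through stored virtual addresses. The initialiser in `dma_addr_t addr_next = 0x00;` is never read before the first assignment in the loop, so `dma_addr_t addr_next;` is enough. The function's closing brace lies outside the hunk.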