Re: [PATCH 1/2] usb: gadget: udc: avoid use of freed pointer
Hi Michal,
Quoting Michal Nazarewicz :
On Mon, Feb 13 2017, Gustavo A. R. Silva wrote:
Rewrite udc_free_dma_chain() function to avoid use of pointer after free.
Addresses-Coverity-ID: 1091172
Reviewed-by: Greg Kroah-Hartman
Signed-off-by: Gustavo A. R. Silva
Acked-by: Michal Nazarewicz
---
drivers/usb/gadget/udc/amd5536udc.c | 20 +++-
1 file changed, 11 insertions(+), 9 deletions(-)
diff --git a/drivers/usb/gadget/udc/amd5536udc.c
b/drivers/usb/gadget/udc/amd5536udc.c
index ea03ca7..ded97a3 100644
--- a/drivers/usb/gadget/udc/amd5536udc.c
+++ b/drivers/usb/gadget/udc/amd5536udc.c
@@ -611,21 +611,23 @@ udc_alloc_request(struct usb_ep *usbep, gfp_t gfp)
static int udc_free_dma_chain(struct udc *dev, struct udc_request *req)
{
int ret_val = 0;
- struct udc_data_dma *td;
- struct udc_data_dma *td_last = NULL;
+ struct udc_data_dma *td = req->td_data;
unsigned int i;
+ dma_addr_t addr_aux = 0x00;
Perhaps call it ‘addr_next’ or ‘next’?
+ dma_addr_t addr = (dma_addr_t)td->next;
+ td->next = 0x00;
+
DBG(dev, "free chain req = %p\n", req);
/* do not free first desc., will be done by free for request */
- td_last = req->td_data;
- td = phys_to_virt(td_last->next);
-
for (i = 1; i < req->chain_len; i++) {
- pci_pool_free(dev->data_requests, td,
- (dma_addr_t)td_last->next);
- td_last = td;
- td = phys_to_virt(td_last->next);
+ td = phys_to_virt(addr);
+ addr_aux = (dma_addr_t)td->next;
+ td->next = 0x00;
This is unnecessary.
+ pci_pool_free(dev->data_requests, td, addr);
+ td = NULL;
Ditto.
+ addr = addr_aux;
}
return ret_val;
--
2.5.0
Thanks for your comments, I will send version 2 shortly.
--
Gustavo A. R. Silva
Re: [PATCH 1/2] usb: gadget: udc: avoid use of freed pointer
On Mon, Feb 13 2017, Gustavo A. R. Silva wrote:
> Rewrite udc_free_dma_chain() function to avoid use of pointer after free.
>
> Addresses-Coverity-ID: 1091172
> Reviewed-by: Greg Kroah-Hartman
> Signed-off-by: Gustavo A. R. Silva
Acked-by: Michal Nazarewicz
> ---
> drivers/usb/gadget/udc/amd5536udc.c | 20 +++-
> 1 file changed, 11 insertions(+), 9 deletions(-)
>
> diff --git a/drivers/usb/gadget/udc/amd5536udc.c
> b/drivers/usb/gadget/udc/amd5536udc.c
> index ea03ca7..ded97a3 100644
> --- a/drivers/usb/gadget/udc/amd5536udc.c
> +++ b/drivers/usb/gadget/udc/amd5536udc.c
> @@ -611,21 +611,23 @@ udc_alloc_request(struct usb_ep *usbep, gfp_t gfp)
> static int udc_free_dma_chain(struct udc *dev, struct udc_request *req)
> {
> int ret_val = 0;
> - struct udc_data_dma *td;
> - struct udc_data_dma *td_last = NULL;
> + struct udc_data_dma *td = req->td_data;
> unsigned int i;
>
> + dma_addr_t addr_aux = 0x00;
Perhaps call it ‘addr_next’ or ‘next’?
> + dma_addr_t addr = (dma_addr_t)td->next;
> + td->next = 0x00;
> +
> DBG(dev, "free chain req = %p\n", req);
>
> /* do not free first desc., will be done by free for request */
> - td_last = req->td_data;
> - td = phys_to_virt(td_last->next);
> -
> for (i = 1; i < req->chain_len; i++) {
> - pci_pool_free(dev->data_requests, td,
> - (dma_addr_t)td_last->next);
> - td_last = td;
> - td = phys_to_virt(td_last->next);
> + td = phys_to_virt(addr);
> + addr_aux = (dma_addr_t)td->next;
> + td->next = 0x00;
This is unnecessary.
> + pci_pool_free(dev->data_requests, td, addr);
> + td = NULL;
Ditto.
> + addr = addr_aux;
> }
>
> return ret_val;
> --
> 2.5.0
>
--
Best regards
ミハウ “𝓶𝓲𝓷𝓪86” ナザレヴイツ
«If at first you don’t succeed, give up skydiving»
