Re: [PATCH v2] usb: gadget: udc: remove pointer dereference after free

From: Michal Nazarewicz
Date: Mon Feb 13 2017 - 11:03:04 EST


On Sat, Feb 11 2017, Gustavo A. R. Silva wrote:
> Remove pointer dereference after free and set pointer to NULL after free.
>
> Addresses-Coverity-ID: 1091173
> Signed-off-by: Gustavo A. R. Silva <garsilva@xxxxxxxxxxxxxx>

Acked-by: Michal Nazarewicz <mina86@xxxxxxxxxx>

> ---
> Changes in v2:
> Move pointer dereference before pci_pool_free()
> Set pointer to NULL after free
>
> drivers/usb/gadget/udc/pch_udc.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/usb/gadget/udc/pch_udc.c
> b/drivers/usb/gadget/udc/pch_udc.c
> index a97da64..73bb58f 100644
> --- a/drivers/usb/gadget/udc/pch_udc.c
> +++ b/drivers/usb/gadget/udc/pch_udc.c
> @@ -1522,8 +1522,9 @@ static void pch_udc_free_dma_chain(struct
> pch_udc_dev *dev,
> /* do not free first desc., will be done by free for request */
> td = phys_to_virt(addr);
> addr2 = (dma_addr_t)td->next;
> - pci_pool_free(dev->data_requests, td, addr);
> td->next = 0x00;

Or just drop this. pci_pool_free doesn't care about contents of td.
It's just a void* for it.

> + pci_pool_free(dev->data_requests, td, addr);
> + td = NULL;

This isn't necessary either. td will get overwritten on next iteration
and once we're done it's not used again.

> addr = addr2;
> }
> req->chain_len = 1;
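
Review bot: the `td->next = 0x00;` store that now sits directly ahead of `pci_pool_free(dev->data_requests, td, addr);` has no reader in this hunk. The next link is already saved in `addr2` two lines earlier, and the descriptor goes back to the pool on the following line, so the write can be dropped instead of reordered. The added `td = NULL;` is likewise overwritten by `td = phys_to_virt(addr);` at the top of the block before any use. With both removed, the fix reduces to deleting the old post-free `td->next` write, and the changelog line "Set pointer to NULL after free" should be updated to match.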

--
Best regards
ミハウ “𝓶𝓲𝓷𝓪86” ナザレヴイツ
«If at first you don't succeed, give up skydiving»