From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752347AbdC1M3E (ORCPT ); Tue, 28 Mar 2017 08:29:04 -0400 Received: from youngberry.canonical.com ([91.189.89.112]:39064 "EHLO youngberry.canonical.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752293AbdC1M3C (ORCPT ); Tue, 28 Mar 2017 08:29:02 -0400 From: Colin King To: Felipe Balbi , Greg Kroah-Hartman , Andy Shevchenko , Michal Nazarewicz , "Gustavo A . R . Silva" , Iago Abal , Romain Perier , linux-usb@vger.kernel.org Cc: kernel-janitors@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH] usb: gadget: pch_udc: don't update td->next after it has been released to the pool Date: Tue, 28 Mar 2017 13:28:50 +0100 Message-Id: <20170328122850.18819-1-colin.king@canonical.com> X-Mailer: git-send-email 2.11.0 MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Colin Ian King Writing to td->next should be avoided after td has been freed using dma_pool_free. The intent was to nullify the next pointer, but this is potentially dangerous once it is back in the pool. Remove it. Detected by CoverityScan, CID#1091173 ("Write tp pointer after free") Signed-off-by: Colin Ian King --- drivers/usb/gadget/udc/pch_udc.c | 1 - 1 file changed, 1 deletion(-) diff --git a/drivers/usb/gadget/udc/pch_udc.c b/drivers/usb/gadget/udc/pch_udc.c index 84dcbcd756f0..08bbe2c24134 100644 --- a/drivers/usb/gadget/udc/pch_udc.c +++ b/drivers/usb/gadget/udc/pch_udc.c @@ -1523,7 +1523,6 @@ static void pch_udc_free_dma_chain(struct pch_udc_dev *dev, td = phys_to_virt(addr); addr2 = (dma_addr_t)td->next; dma_pool_free(dev->data_requests, td, addr); - td->next = 0x00; addr = addr2; } req->chain_len = 1; -- 2.11.0 From mboxrd@z Thu Jan 1 00:00:00 1970 From: Colin King Date: Tue, 28 Mar 2017 12:28:50 +0000 Subject: [PATCH] usb: gadget: pch_udc: don't update td->next after it has been released to the pool Message-Id: <20170328122850.18819-1-colin.king@canonical.com> List-Id: MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit To: Felipe Balbi , Greg Kroah-Hartman , Andy Shevchenko , Michal Nazarewicz , "Gustavo A . R . Silva" , Iago Abal , Romain Perier , linux-usb@vger.kernel.org Cc: kernel-janitors@vger.kernel.org, linux-kernel@vger.kernel.org From: Colin Ian King Writing to td->next should be avoided after td has been freed using dma_pool_free. The intent was to nullify the next pointer, but this is potentially dangerous once it is back in the pool. Remove it. Detected by CoverityScan, CID#1091173 ("Write tp pointer after free") Signed-off-by: Colin Ian King --- drivers/usb/gadget/udc/pch_udc.c | 1 - 1 file changed, 1 deletion(-) diff --git a/drivers/usb/gadget/udc/pch_udc.c b/drivers/usb/gadget/udc/pch_udc.c index 84dcbcd756f0..08bbe2c24134 100644 --- a/drivers/usb/gadget/udc/pch_udc.c +++ b/drivers/usb/gadget/udc/pch_udc.c @@ -1523,7 +1523,6 @@ static void pch_udc_free_dma_chain(struct pch_udc_dev *dev, td = phys_to_virt(addr); addr2 = (dma_addr_t)td->next; dma_pool_free(dev->data_requests, td, addr); - td->next = 0x00; addr = addr2; } req->chain_len = 1; -- 2.11.0