[PATCH v4] usb: gadget: pch_udc: fix use after free

From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
To: Felipe Balbi <balbi@kernel.org>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	Michal Nazarewicz <mina86@mina86.com>,
	Andy Shevchenko <andy.shevchenko@gmail.com>
Cc: linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org,
	"Gustavo A. R. Silva" <gustavo@embeddedor.com>
Subject: [PATCH v4] usb: gadget: pch_udc: fix use after free
Date: Wed, 6 Nov 2019 14:28:21 -0600	[thread overview]
Message-ID: <20191106202821.GA20347@embeddedor> (raw)

Remove pointer dereference after free.

pci_pool_free doesn't care about contents of td.
It's just a void* for it

Addresses-Coverity-ID: 1091173 ("Use after free")
Cc: stable@vger.kernel.org
Acked-by: Michal Nazarewicz <mina86@mina86.com>
Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
---
Changes in v4:
  Fix line-wrapping.
  Update commit log.
  Update subject line.

Changes in v3:
  Remove 'td->next = 0x00' inside for loop.
  Remove unnecessary pointer nullification after free.

Changes in v2:
  Move pointer dereference before pci_pool_free()
  Set pointer to NULL after free

 drivers/usb/gadget/udc/pch_udc.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/drivers/usb/gadget/udc/pch_udc.c b/drivers/usb/gadget/udc/pch_udc.c
index 265dab2bbfac..3344fb8c4181 100644
--- a/drivers/usb/gadget/udc/pch_udc.c
+++ b/drivers/usb/gadget/udc/pch_udc.c
@@ -1519,7 +1519,6 @@ static void pch_udc_free_dma_chain(struct pch_udc_dev *dev,
 		td = phys_to_virt(addr);
 		addr2 = (dma_addr_t)td->next;
 		dma_pool_free(dev->data_requests, td, addr);
-		td->next = 0x00;
 		addr = addr2;
 	}
 	req->chain_len = 1;
-- 
2.23.0

