[PATCH] usb: cdns3: Do not access memory after free
Andrew Goodbody
andrew.goodbody at linaro.org
Thu Aug 14 12:45:12 CEST 2025
On 14/08/2025 04:21, Marek Vasut wrote:
> On 8/13/25 6:30 PM, Andrew Goodbody wrote:
>> The call to cdns3_gadget_ep_free_request will free priv_req so do the
>> call to list_del_init which accesses the memory pointed to by priv_req
>> before the free.
>>
>> This issue was found by Smatch.
>>
>> Signed-off-by: Andrew Goodbody <andrew.goodbody at linaro.org>
>> ---
>> drivers/usb/cdns3/gadget.c | 4 ++--
>> 1 file changed, 2 insertions(+), 2 deletions(-)
>>
>> diff --git a/drivers/usb/cdns3/gadget.c b/drivers/usb/cdns3/gadget.c
>> index a30c40ef80e..9eaf7e40ab6 100644
>> --- a/drivers/usb/cdns3/gadget.c
>> +++ b/drivers/usb/cdns3/gadget.c
>> @@ -557,10 +557,10 @@ static void cdns3_wa2_remove_old_request(struct
>> cdns3_endpoint *priv_ep)
>> trace_cdns3_wa2(priv_ep, "removes eldest request");
>> + list_del_init(&priv_req->list);
>> kfree(priv_req->request.buf);
>> cdns3_gadget_ep_free_request(&priv_ep->endpoint,
>> &priv_req->request);
>> - list_del_init(&priv_req->list);
>
> Shouldn't the kfree() be moved here instead ?
> cdns3_gadget_ep_free_request() also accesses priv_req->request .
No, I do not think so. The kfree frees priv_req->request.buf not
priv_req->request so must happen before the call to
cdns3_gadget_ep_free_request. Nothing should touch priv_req after the
call to cdns3_gadget_ep_free_request. Moving the kfree as you suggest
would make the problem worse.
Andrew
>> --priv_ep->wa2_counter;
>> if (!chain)
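Review bot: The new order is the right one for this hunk, and it answers the question above: cdns3_gadget_ep_free_request() frees priv_req, and both list_del_init(&priv_req->list) and kfree(priv_req->request.buf) dereference priv_req, so both must run before that call; moving the kfree() after cdns3_gadget_ep_free_request() would add a second use-after-free instead of removing the first. One request for the commit message: it only says "found by Smatch"; quoting the actual warning line and adding a Fixes: tag for the commit that introduced this ordering would make the change traceable from the tool output and let stable trees pick it up.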
>> @@ -1959,10 +1959,10 @@ static int cdns3_gadget_ep_disable(struct
>> usb_ep *ep)
>> while (!list_empty(&priv_ep->wa2_descmiss_req_list)) {
>> priv_req = cdns3_next_priv_request(&priv_ep-
>> >wa2_descmiss_req_list);
>> + list_del_init(&priv_req->list);
>> kfree(priv_req->request.buf);
>> cdns3_gadget_ep_free_request(&priv_ep->endpoint,
>> &priv_req->request);
>> - list_del_init(&priv_req->list);
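Review bot: Same ordering requirement as in cdns3_wa2_remove_old_request, and the loop here makes the old order slightly worse: the while condition re-evaluates list_empty(&priv_ep->wa2_descmiss_req_list) and cdns3_next_priv_request() on every iteration, and list_del_init() on an already-freed priv_req rewrites the list head's next/prev from pointers read out of freed memory, so the next iteration walks whatever was left there. With the unlink moved first, each iteration sees a consistent list. Since the same fix lands at two sites, the commit message should name both functions rather than describing a single call sequence.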
>
> DTTO ?
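To make the ordering argument in this thread concrete, here is an added stand-alone C example (written for this page, not code from the U-Boot cdns3 driver). It reimplements the kernel-style intrusive list and container_of pattern the patch relies on, with a `priv_req` stand-in that owns a separately allocated buffer, and drains a list in the corrected order: unlink, free the buffer, free the container. The type and function names (`priv_req`, `free_request`, `next_priv_request`, `drain_requests`) are assumptions chosen to mirror the patch and are not the driver's real definitions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

/* Minimal stand-in for the kernel's struct list_head (assumed, not U-Boot code). */
struct list_head {
    struct list_head *next, *prev;
};

static void list_init(struct list_head *h) { h->next = h; h->prev = h; }
static bool list_empty(const struct list_head *h) { return h->next == h; }

static void list_add_tail(struct list_head *n, struct list_head *h)
{
    n->prev = h->prev;
    n->next = h;
    h->prev->next = n;
    h->prev = n;
}

/* Reads n->prev and n->next, writes them into the neighbours, then resets n.
 * Every access here goes through n itself, so n must still be live. */
static void list_del_init(struct list_head *n)
{
    n->prev->next = n->next;
    n->next->prev = n->prev;
    list_init(n);
}

#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

/* Stand-in for the driver's request struct: a list node plus a separately
 * allocated data buffer (assumed layout). */
struct priv_req {
    struct list_head list;
    void *buf;
};

static struct priv_req *next_priv_request(struct list_head *h)
{
    return container_of(h->next, struct priv_req, list);
}

/* Stand-in for cdns3_gadget_ep_free_request(): frees the container itself. */
static void free_request(struct priv_req *r) { free(r); }

static struct priv_req *alloc_request(size_t buflen)
{
    struct priv_req *r = calloc(1, sizeof(*r));
    if (!r)
        return NULL;
    r->buf = malloc(buflen);
    if (!r->buf) {
        free(r);
        return NULL;
    }
    list_init(&r->list);
    return r;
}

/* Mirrors the corrected drain loop: unlink first, then free the buffer,
 * then free the container. Returns the number of requests released. */
static int drain_requests(struct list_head *h)
{
    int n = 0;
    while (!list_empty(h)) {
        struct priv_req *r = next_priv_request(h);
        list_del_init(&r->list); /* touches r: must precede free_request() */
        free(r->buf);            /* also dereferences r: still before free_request() */
        free_request(r);         /* r is dead from here on; nothing may touch it */
        n++;
    }
    return n;
}

/* Builds a constructed list of `count` requests on `h`; returns count, or -1 on OOM. */
static int build_requests(struct list_head *h, int count)
{
    list_init(h);
    for (int i = 0; i < count; i++) {
        struct priv_req *r = alloc_request(64);
        if (!r) {
            drain_requests(h);
            return -1;
        }
        list_add_tail(&r->list, h);
    }
    return count;
}

int main(void)
{
    struct list_head h;
    if (build_requests(&h, 3) != 3)
        return 1;
    return (drain_requests(&h) == 3 && list_empty(&h)) ? 0 : 1;
}
```

Building this with `-fsanitize=address` and swapping the `list_del_init()` line to after `free_request()` reproduces the defect the patch fixes: the unlink then reads `prev`/`next` out of the freed node, which AddressSanitizer reports as a heap-use-after-free. Keeping the unlink first leaves the head self-linked after each iteration, which is what the `list_empty()` loop condition depends on.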