[PATCH] usb: cdns3: Do not access memory after free
Marek Vasut
marek.vasut at mailbox.org
Tue Aug 19 16:51:25 CEST 2025
On 8/14/25 12:45 PM, Andrew Goodbody wrote:
> On 14/08/2025 04:21, Marek Vasut wrote:
>> On 8/13/25 6:30 PM, Andrew Goodbody wrote:
>>> The call to cdns3_gadget_ep_free_request will free priv_req so do the
>>> call to list_del_init which accesses the memory pointed to by priv_req
>>> before the free.
>>>
>>> This issue was found by Smatch.
>>>
>>> Signed-off-by: Andrew Goodbody <andrew.goodbody at linaro.org>
>>> ---
>>> drivers/usb/cdns3/gadget.c | 4 ++--
>>> 1 file changed, 2 insertions(+), 2 deletions(-)
>>>
>>> diff --git a/drivers/usb/cdns3/gadget.c b/drivers/usb/cdns3/gadget.c
>>> index a30c40ef80e..9eaf7e40ab6 100644
>>> --- a/drivers/usb/cdns3/gadget.c
>>> +++ b/drivers/usb/cdns3/gadget.c
>>> @@ -557,10 +557,10 @@ static void cdns3_wa2_remove_old_request(struct
>>> cdns3_endpoint *priv_ep)
>>> trace_cdns3_wa2(priv_ep, "removes eldest request");
>>> + list_del_init(&priv_req->list);
>>> kfree(priv_req->request.buf);
>>> cdns3_gadget_ep_free_request(&priv_ep->endpoint,
>>> &priv_req->request);
>>> - list_del_init(&priv_req->list);
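Review bot: the commit message explains only the list_del_init() move and says nothing about why kfree(priv_req->request.buf) has to stay ahead of cdns3_gadget_ep_free_request() in this hunk. Since the message states that cdns3_gadget_ep_free_request() frees priv_req, please add a sentence noting that request.buf is a separate allocation reached through priv_req, so it must be released before that call. A short comment above the three calls recording the required order (unlink, free buf, free request) would also help keep a later cleanup from reintroducing the access after free.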
>>
>> Shouldn't the kfree() be moved here instead ?
>> cdns3_gadget_ep_free_request() also accesses priv_req->request .
>
> No, I do not think so. The kfree frees priv_req->request.buf not
> priv_req->request so must happen before the call to
> cdns3_gadget_ep_free_request.

Thank you for clarifying. Please add this into the commit message,
ideally wait for TI to test this and provide RB, then send V2 so this
can go in.
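
The teardown order discussed in this thread, as an added stand-alone example that is not U-Boot or cdns3 driver code: `struct demo_req`, `demo_req_alloc` and `demo_remove_oldest` are hypothetical names, and the list helpers are a simplified userspace model of the kernel-style list API.

```c
#include <stdlib.h>
#include <stddef.h>

/* Minimal intrusive doubly linked list, modelled on the kernel-style list_head. */
struct list_head { struct list_head *next, *prev; };

static void list_init(struct list_head *h) { h->next = h->prev = h; }
static int list_empty(const struct list_head *h) { return h->next == h; }
static void list_add_tail(struct list_head *n, struct list_head *h)
{
    n->prev = h->prev; n->next = h;
    h->prev->next = n; h->prev = n;
}
/* Writes to n->next and n->prev, so n must still be live memory. */
static void list_del_init(struct list_head *n)
{
    n->prev->next = n->next; n->next->prev = n->prev;
    list_init(n);
}

/* Hypothetical stand-in for the driver's private request. */
struct demo_req {
    void *buf;              /* separate allocation, reached through the request */
    struct list_head list;  /* node embedded in the request itself */
};

static struct demo_req *demo_req_alloc(struct list_head *queue, size_t len)
{
    struct demo_req *r = calloc(1, sizeof(*r));
    if (!r) return NULL;
    r->buf = malloc(len);
    if (!r->buf) { free(r); return NULL; }
    list_add_tail(&r->list, queue);
    return r;
}

/* Tear down the oldest request; returns 1 if one was removed, 0 if queue empty. */
static int demo_remove_oldest(struct list_head *queue)
{
    struct demo_req *r;
    if (list_empty(queue)) return 0;
    r = (struct demo_req *)((char *)queue->next - offsetof(struct demo_req, list));
    list_del_init(&r->list); /* 1: unlink while r is still valid */
    free(r->buf);            /* 2: free the buffer, read through r->buf */
    free(r);                 /* 3: free the container last */
    return 1;
}
```

Building this with AddressSanitizer and moving step 1 after step 3 reports the heap-use-after-free that the patch removes.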