[PATCH] usb: cdns3: Do not access memory after free
Siddharth Vadapalli
s-vadapalli at ti.com
Thu Aug 21 08:16:16 CEST 2025
On Tue, Aug 19, 2025 at 04:51:25PM +0200, Marek Vasut wrote:
Hello Marek,
> On 8/14/25 12:45 PM, Andrew Goodbody wrote:
> > On 14/08/2025 04:21, Marek Vasut wrote:
> > > On 8/13/25 6:30 PM, Andrew Goodbody wrote:
> > > > The call to cdns3_gadget_ep_free_request will free priv_req so do the
> > > > call to list_del_init which accesses the memory pointed to by priv_req
> > > > before the free.
> > > >
> > > > This issue was found by Smatch.
> > > >
> > > > Signed-off-by: Andrew Goodbody <andrew.goodbody at linaro.org>
> > > > ---
> > > > drivers/usb/cdns3/gadget.c | 4 ++--
> > > > 1 file changed, 2 insertions(+), 2 deletions(-)
> > > >
> > > > diff --git a/drivers/usb/cdns3/gadget.c b/drivers/usb/cdns3/gadget.c
> > > > index a30c40ef80e..9eaf7e40ab6 100644
> > > > --- a/drivers/usb/cdns3/gadget.c
> > > > +++ b/drivers/usb/cdns3/gadget.c
> > > > @@ -557,10 +557,10 @@ static void
> > > > cdns3_wa2_remove_old_request(struct cdns3_endpoint *priv_ep)
> > > > trace_cdns3_wa2(priv_ep, "removes eldest request");
> > > > + list_del_init(&priv_req->list);
> > > > kfree(priv_req->request.buf);
> > > > cdns3_gadget_ep_free_request(&priv_ep->endpoint,
> > > > &priv_req->request);
> > > > - list_del_init(&priv_req->list);
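Review bot: The commit message explains why list_del_init(&priv_req->list) moves, but not why kfree(priv_req->request.buf) stays ahead of cdns3_gadget_ep_free_request(), and that line also reads through priv_req. Please state in the message that the kfree releases only the buffer member, not priv_req or priv_req->request, so both it and the list removal have to run before the call that frees priv_req. A one-line comment above cdns3_gadget_ep_free_request() noting that priv_req must not be touched after it would keep later edits from reintroducing the ordering problem.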
> > >
> > > Shouldn't the kfree() be moved here instead ?
> > > cdns3_gadget_ep_free_request() also accesses priv_req->request .
> >
> > No, I do not think so. The kfree frees priv_req->request.buf not
> > priv_req->request so must happen before the call to
> > cdns3_gadget_ep_free_request.
> Thank you for clarifying. Please add this into the commit message, ideally
> wait for TI to test this and provide RB, then send V2 so this can go in.
I was planning to test this patch but the change being made is only
applicable to Controller Versions:
#define DEV_VER_NXP_V1 0x00024502
#define DEV_VER_TI_V1 0x00024509
and not to:
#define DEV_VER_V2 0x0002450C
#define DEV_VER_V3 0x0002450d
Since I don't have an SoC and a Board with DEV_VER_TI_V1, I cannot test
it. However, the change looks correct to me.
Reviewed-by: Siddharth Vadapalli <s-vadapalli at ti.com>
Regards,
Siddharth.
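The teardown order discussed in this thread, as an added stand-alone C model (not U-Boot code and not part of any message above): the structures, list helpers and the `*_model` / `PRIV_OF` names are simplified stand-ins assumed for illustration, and `free_request_model()` plays the role of `cdns3_gadget_ep_free_request()`.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Minimal stand-ins for the list helpers and driver structures (model only). */
struct list_head { struct list_head *next, *prev; };
struct request_model { void *buf; };
struct priv_req_model { struct request_model request; struct list_head list; };
#define PRIV_OF(ptr, member) \
    ((struct priv_req_model *)((char *)(ptr) - offsetof(struct priv_req_model, member)))
static void list_init(struct list_head *h) { h->next = h->prev = h; }
static void list_del_init(struct list_head *e) {
    e->prev->next = e->next; e->next->prev = e->prev; list_init(e);
}
static int list_len(const struct list_head *h) {
    int n = 0;
    for (const struct list_head *p = h->next; p != h; p = p->next) n++;
    return n;
}
/* Queue a constructed request with a heap buffer at the tail of the list. */
static int queue_request(struct list_head *h) {
    struct priv_req_model *p = calloc(1, sizeof(*p));
    if (!p) return -1;
    p->request.buf = malloc(64);
    p->list.next = h; p->list.prev = h->prev;
    h->prev->next = &p->list; h->prev = &p->list;
    return 0;
}
/* Releases the container of 'req'; poisons it first, as debug allocators do. */
static void free_request_model(struct request_model *req) {
    struct priv_req_model *p = PRIV_OF(req, request);
    memset(p, 0xA5, sizeof(*p));
    free(p);
}
/* Remove the eldest entry; returns the remaining length, or -1 if empty. */
static int remove_eldest(struct list_head *h) {
    if (h->next == h) return -1;
    struct priv_req_model *p = PRIV_OF(h->next, list);
    list_del_init(&p->list);          /* 1: unlink while p is still valid */
    free(p->request.buf);             /* 2: member buffer, read through p */
    free_request_model(&p->request);  /* 3: container goes last */
    return list_len(h);
}
int main(void) {
    struct list_head h;
    list_init(&h); queue_request(&h); queue_request(&h);
    int a = remove_eldest(&h), b = remove_eldest(&h);
    printf("%d %d\n", a, b);
    return 0;
}
```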