[PATCH] usb: cdns3: Do not access memory after free
Marek Vasut
marek.vasut at mailbox.org
Thu Aug 21 22:22:43 CEST 2025
On 8/21/25 8:16 AM, Siddharth Vadapalli wrote:
Hi,
>>>>> diff --git a/drivers/usb/cdns3/gadget.c b/drivers/usb/cdns3/gadget.c
>>>>> index a30c40ef80e..9eaf7e40ab6 100644
>>>>> --- a/drivers/usb/cdns3/gadget.c
>>>>> +++ b/drivers/usb/cdns3/gadget.c
>>>>> @@ -557,10 +557,10 @@ static void
>>>>> cdns3_wa2_remove_old_request(struct cdns3_endpoint *priv_ep)
>>>>> trace_cdns3_wa2(priv_ep, "removes eldest request");
>>>>> + list_del_init(&priv_req->list);
>>>>> kfree(priv_req->request.buf);
>>>>> cdns3_gadget_ep_free_request(&priv_ep->endpoint,
>>>>> &priv_req->request);
>>>>> - list_del_init(&priv_req->list);
>>>>
>>>> Shouldn't the kfree() be moved here instead ?
>>>> cdns3_gadget_ep_free_request() also accesses priv_req->request .
>>>
>>> No, I do not think so. The kfree frees priv_req->request.buf not
>>> priv_req->request so must happen before the call to
>>> cdns3_gadget_ep_free_request.
>> Thank you for clarifying. Please add this into the commit message, ideally
>> wait for TI to test this and provide RB, then send V2 so this can go in.
>
> I was planning to test this patch but the change being made is only
> applicable to Controller Versions:
> #define DEV_VER_NXP_V1 0x00024502
> #define DEV_VER_TI_V1 0x00024509
> and not to:
> #define DEV_VER_V2 0x0002450C
> #define DEV_VER_V3 0x0002450d
>
> Since I don't have an SoC and a Board with DEV_VER_TI_V1, I cannot test
> it. However, the change looks correct to me.
>
> Reviewed-by: Siddharth Vadapalli <s-vadapalli at ti.com>
The change does indeed look correct.
Do you know who might still have that board and could test ? (and which
board/soc is that) ?
More information about the U-Boot
mailing list