[PATCH] usb: cdns3: Do not access memory after free

Marek Vasut marek.vasut at mailbox.org
Fri Aug 22 16:55:49 CEST 2025 

On 8/22/25 4:14 PM, Siddharth Vadapalli wrote:
> On Thu, Aug 21, 2025 at 10:22:43PM +0200, Marek Vasut wrote:
>> On 8/21/25 8:16 AM, Siddharth Vadapalli wrote:
>>
>> Hi,
>>
>>>>>>> diff --git a/drivers/usb/cdns3/gadget.c b/drivers/usb/cdns3/gadget.c
>>>>>>> index a30c40ef80e..9eaf7e40ab6 100644
>>>>>>> --- a/drivers/usb/cdns3/gadget.c
>>>>>>> +++ b/drivers/usb/cdns3/gadget.c
>>>>>>> @@ -557,10 +557,10 @@ static void
>>>>>>> cdns3_wa2_remove_old_request(struct cdns3_endpoint *priv_ep)
>>>>>>>             trace_cdns3_wa2(priv_ep, "removes eldest request");
>>>>>>> +        list_del_init(&priv_req->list);
>>>>>>>             kfree(priv_req->request.buf);
>>>>>>>             cdns3_gadget_ep_free_request(&priv_ep->endpoint,
>>>>>>>                              &priv_req->request);
>>>>>>> -        list_del_init(&priv_req->list);
>>>>>>
>>>>>> Shouldn't the kfree() be moved here instead ?
>>>>>> cdns3_gadget_ep_free_request() also accesses priv_req->request .
>>>>>
>>>>> No, I do not think so. The kfree frees priv_req->request.buf not
>>>>> priv_req->request so must happen before the call to
>>>>> cdns3_gadget_ep_free_request.
>>>> Thank you for clarifying. Please add this into the commit message, ideally
>>>> wait for TI to test this and provide RB, then send V2 so this can go in.
>>>
>>> I was planning to test this patch but the change being made is only
>>> applicable to Controller Versions:
>>> 	#define DEV_VER_NXP_V1		0x00024502
>>> 	#define DEV_VER_TI_V1		0x00024509
>>> and not to:
>>> 	#define DEV_VER_V2		0x0002450C
>>> 	#define DEV_VER_V3		0x0002450d
>>>
>>> Since I don't have an SoC and a Board with DEV_VER_TI_V1, I cannot test
>>> it. However, the change looks correct to me.
>>>
>>> Reviewed-by: Siddharth Vadapalli <s-vadapalli at ti.com>
>> The change does indeed look correct.
>>
>> Do you know who might still have that board and could test ? (and which
>> board/soc is that) ?
> 
> None of the boards that I have worked with have a DEV_VER_TI_V1 version
> of the controller. I also tried to use the Linux device-tree to check if
> I could identify the SoC/board but I was unable to do so.
Do you know which SoC is V2 and V3 ?

Also +CC Nishanth .

More information about the U-Boot mailing list