projects / firefly-linux-kernel-4.4.55.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 28591df)
dmaengine: usb-dmac: Fix dereferencing freed memory 'desc'
authorYoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
Fri, 3 Apr 2015 11:20:15 +0000 (20:20 +0900)
committerVinod Koul <vinod.koul@intel.com>
Fri, 17 Apr 2015 17:58:48 +0000 (23:28 +0530)
This patch fixes an issue that the usb_dmac_desc_free() is
dereferencing freed memory 'desc' because it uses list_for_each_entry().
This function should use list_for_each_entry_safe().

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
Signed-off-by: Vinod Koul <vinod.koul@intel.com>
drivers/dma/sh/usb-dmac.c patch | blob | history

diff --git a/drivers/dma/sh/usb-dmac.c b/drivers/dma/sh/usb-dmac.c
index d5dad98bef0ba694227a50cef80706ea508f9e36..f705798ce3eb1129151a2d5472067b845f947781 100644 (file)
--- a/drivers/dma/sh/usb-dmac.c
+++ b/drivers/dma/sh/usb-dmac.c
@@ -285,13 +285,13 @@ static int usb_dmac_desc_alloc(struct usb_dmac_chan *chan, unsigned int sg_len,
 
 static void usb_dmac_desc_free(struct usb_dmac_chan *chan)
 {
-       struct usb_dmac_desc *desc;
+       struct usb_dmac_desc *desc, *_desc;
        LIST_HEAD(list);
 
        list_splice_init(&chan->desc_freed, &list);
        list_splice_init(&chan->desc_got, &list);
 
-       list_for_each_entry(desc, &list, node) {
+       list_for_each_entry_safe(desc, _desc, &list, node) {
                list_del(&desc->node);
                kfree(desc);
        }
Unnamed repository; edit this file 'description' to name the repository.