From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
Date: Fri, 3 Apr 2015 11:20:15 +0000 (+0900)
Subject: dmaengine: usb-dmac: Fix dereferencing freed memory 'desc'
X-Git-Tag: v4.14-rc1~5484^2~8
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=d7d8e892aa6fe280a2e2974d9fd1ec9253ee1a05;p=platform%2Fkernel%2Flinux-rpi.git

dmaengine: usb-dmac: Fix dereferencing freed memory 'desc'

This patch fixes an issue that the usb_dmac_desc_free() is
dereferencing freed memory 'desc' because it uses list_for_each_entry().
This function should use list_for_each_entry_safe().

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
Signed-off-by: Vinod Koul <vinod.koul@intel.com>
---

diff --git a/drivers/dma/sh/usb-dmac.c b/drivers/dma/sh/usb-dmac.c
index d5dad98..f705798 100644
--- a/drivers/dma/sh/usb-dmac.c
+++ b/drivers/dma/sh/usb-dmac.c
@@ -285,13 +285,13 @@ static int usb_dmac_desc_alloc(struct usb_dmac_chan *chan, unsigned int sg_len,
 
 static void usb_dmac_desc_free(struct usb_dmac_chan *chan)
 {
-	struct usb_dmac_desc *desc;
+	struct usb_dmac_desc *desc, *_desc;
 	LIST_HEAD(list);
 
 	list_splice_init(&chan->desc_freed, &list);
 	list_splice_init(&chan->desc_got, &list);
 
-	list_for_each_entry(desc, &list, node) {
+	list_for_each_entry_safe(desc, _desc, &list, node) {
 		list_del(&desc->node);
 		kfree(desc);
 	}