staging: vme_user: Fix possible UAF in tsi148_dma_list_add

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

Smatch report warning as follows:

drivers/staging/vme_user/vme_tsi148.c:1757 tsi148_dma_list_add() warn:
'&entry->list' not removed from list

In tsi148_dma_list_add(), the error path "goto err_dma" will not
remove entry->list from list->entries, but entry will be freed,
then list traversal may cause UAF.

Fix by removeing it from list->entries before free().

Fixes: b2383c90a9d6 ("vme: tsi148: fix first DMA item mapping")
Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com>
Link: https://lore.kernel.org/r/20221117035914.2954454-1-cuigaosheng1@huawei.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

authored by

Gaosheng Cui and committed by

Greg Kroah-Hartman 3 years ago 357057ee ccdbe14b

1 changed file

expand all

drivers

staging

vme_user

vme_tsi148.c

drivers/staging/vme_user/vme_tsi148.c

··· 1751 1751 return 0; 1752 1752 1753 1753 err_dma: 1754 + list_del(&entry->list); 1754 1755 err_dest: 1755 1756 err_source: 1756 1757 err_align: