staging: vme_user: Fix possible UAF in tsi148_dma_list_add

Smatch report warning as follows: drivers/staging/vme_user/vme_tsi148.c:1757 tsi148_dma_list_add() warn: '&entry->list' not removed from list In tsi148_dma_list_add(), the error path "goto err_dma" will not remove entry->list from list->entries, but entry will be freed, then list traversal may cause UAF. Fix by removeing it from list->entries before free(). Fixes: b2383c90a9d6 ("vme: tsi148: fix first DMA item mapping") Signed-off-by: Gaosheng Cui <[email protected]> Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Greg Kroah-Hartman <[email protected]>
author: Gaosheng Cui <[email protected]> 2022-11-17 11:59:14 +0800
committer: Greg Kroah-Hartman <[email protected]> 2022-11-22 13:20:13 +0100
commit: 357057ee55d3c99a5de5abe8150f7bca04f8e53b (patch)
tree: 42fa68c6a7c3b71dd8d051aed217d4b4eb8ae152
parent: ccdbe14b77a5e39496baf632e157f9daf322dd27 (diff)
1 files changed, 1 insertions, 0 deletions
diff --git a/drivers/staging/vme_user/vme_tsi148.c b/drivers/staging/vme_user/vme_tsi148.c
index 020e0b3bce64..0171f46d1848 100644
--- a/drivers/staging/vme_user/vme_tsi148.c
+++ b/drivers/staging/vme_user/vme_tsi148.c
@@ -1751,6 +1751,7 @@ static int tsi148_dma_list_add(struct vme_dma_list *list,
 	return 0;
 
 err_dma:
+	list_del(&entry->list);
 err_dest:
 err_source:
 err_align:
author	Gaosheng Cui <[email protected]>	2022-11-17 11:59:14 +0800
committer	Greg Kroah-Hartman <[email protected]>	2022-11-22 13:20:13 +0100
commit	357057ee55d3c99a5de5abe8150f7bca04f8e53b (patch)
tree	42fa68c6a7c3b71dd8d051aed217d4b4eb8ae152
parent	ccdbe14b77a5e39496baf632e157f9daf322dd27 (diff)