Re: [patch -target tree] usb: gadget: f_tcm: use after free

From: Felipe Balbi
Date: Wed Mar 02 2016 - 06:56:33 EST


Dan Carpenter <dan.carpenter@xxxxxxxxxx> writes:
> We need to move the kfree() down a line so we don't dereference a freed
> variable.
>
> Fixes: 1b418a8fcbc0 ('target: Convert demo-mode only drivers to target_alloc_session')
> Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>

It's okay to take this via target:

Signed-off-by: Felipe Balbi <balbi@xxxxxxxxxx>

> diff --git a/drivers/usb/gadget/function/f_tcm.c b/drivers/usb/gadget/function/f_tcm.c
> index 7276a73..e352a31 100644
> --- a/drivers/usb/gadget/function/f_tcm.c
> +++ b/drivers/usb/gadget/function/f_tcm.c
> @@ -1596,8 +1596,8 @@ static int tcm_usbg_make_nexus(struct usbg_tpg *tpg, char *name)
> #define MAKE_NEXUS_MSG "core_tpg_check_initiator_node_acl() failed for %s\n"
> pr_debug(MAKE_NEXUS_MSG, name);
> #undef MAKE_NEXUS_MSG
> - kfree(tv_nexus);
> ret = PTR_ERR(tv_nexus->tvn_se_sess);
> + kfree(tv_nexus);
> }
>
> out_unlock:
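Review bot: In the error branch of tcm_usbg_make_nexus(), the new order is right, since ret = PTR_ERR(tv_nexus->tvn_se_sess) has to read the field before kfree(tv_nexus) runs. The commit message could also say that the freed read supplied the function's return value, so the old order could return an unpredictable ret rather than the real error code. Separately, the MAKE_NEXUS_MSG string in the context lines still names core_tpg_check_initiator_node_acl(), while the Fixes: tag describes a conversion to target_alloc_session. If that is the call failing on this path, the debug text is worth updating in a follow-up.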

--
balbi
