Re: [patch -target tree] usb: gadget: f_tcm: use after free

From: Nicholas A. Bellinger
Date: Sat Mar 05 2016 - 02:20:46 EST


On Wed, 2016-03-02 at 13:08 +0300, Dan Carpenter wrote:
> We need to move the kfree() down a line so we don't dereference a freed
> variable.
>
> Fixes: 1b418a8fcbc0 ('target: Convert demo-mode only drivers to target_alloc_session')
> Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
>
> diff --git a/drivers/usb/gadget/function/f_tcm.c b/drivers/usb/gadget/function/f_tcm.c
> index 7276a73..e352a31 100644
> --- a/drivers/usb/gadget/function/f_tcm.c
> +++ b/drivers/usb/gadget/function/f_tcm.c
> @@ -1596,8 +1596,8 @@ static int tcm_usbg_make_nexus(struct usbg_tpg *tpg, char *name)
> #define MAKE_NEXUS_MSG "core_tpg_check_initiator_node_acl() failed for %s\n"
> pr_debug(MAKE_NEXUS_MSG, name);
> #undef MAKE_NEXUS_MSG
> - kfree(tv_nexus);
> ret = PTR_ERR(tv_nexus->tvn_se_sess);
> + kfree(tv_nexus);
> }
>
> out_unlock:
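Review bot: After the moved kfree(tv_nexus) in the error branch, tv_nexus is left as a dangling pointer while the path continues to the out_unlock: label, and the code after that label is not visible in this hunk. Please confirm nothing there reads tv_nexus again; reading the error into ret before the free, as ret = PTR_ERR(tv_nexus->tvn_se_sess) now does, is the right order. Separately, the MAKE_NEXUS_MSG string names core_tpg_check_initiator_node_acl(), while the Fixes: line says the driver was converted to target_alloc_session; if that is the call whose failure lands here, the debug text should name it.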

Fixed + squashed into the original patch.

Thanks Dan.