Re: [patch -target tree] usb: gadget: f_tcm: use after free

From: Nicholas A. Bellinger
Date: Thu Mar 10 2016 - 23:10:24 EST


On Thu, 2016-03-10 at 09:34 +0100, Andrzej Pietrasiewicz wrote:
> Hi Nicholas,
>
> > On 10.03.2016 at 06:19, Nicholas A. Bellinger wrote:
> > Hi Andrzej,
> >
> > On Wed, 2016-03-09 at 13:53 +0100, Andrzej Pietrasiewicz wrote:
> >> Hi Nicholas,
> >>

<SNIP>

> >
> > Mmmm, usbg_get_cmd() was missing an explicit memset() after tag lookup.
> >
> > How about the following..?
> >
> > diff --git a/drivers/usb/gadget/function/f_tcm.c b/drivers/usb/gadget/function/f_tcm.c
> > index e352a31..d4e8a91 100644
> > --- a/drivers/usb/gadget/function/f_tcm.c
> > +++ b/drivers/usb/gadget/function/f_tcm.c
> > @@ -1078,6 +1078,7 @@ static struct usbg_cmd *usbg_get_cmd(struct f_uas *fu,
> > return ERR_PTR(-ENOMEM);
> >
> > cmd = &((struct usbg_cmd *)se_sess->sess_cmd_map)[tag];
> > + memset(cmd, 0, sizeof(*cmd));
> > cmd->se_cmd.map_tag = tag;
> > cmd->se_cmd.tag = cmd->tag = scsi_tag;
> > cmd->fu = fu;
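Review bot: the added memset() after the sess_cmd_map[tag] lookup needs a comment saying why it is there; as written it reads like defensive zeroing, when the point is that the slot behind a tag is reused by every later command that draws the same tag, so whatever the previous usbg_cmd left in it (the embedded se_cmd included) would otherwise survive into the new command. Worth stating in that comment, or checking before merging, that nothing in the slot is expected to persist across commands, since the memset clears the whole struct and the only fields this hunk sets afterwards are map_tag, tag and fu; everything else must be re-initialized before the command is submitted. A one-line comment such as "/* slot is reused across commands; clear stale state from the previous user */" above the memset would do.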
> >
> >
> >
>
> I tested it. Works for me.

Folding this missing memset() into usb-gadget's percpu_ida conversion
for -v4.

Thanks Andrzej!
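The bug class behind this thread, as an added userspace illustration that is not code from f_tcm.c or the kernel: a preallocated command array indexed by an allocated tag (the sess_cmd_map slot picked by tag in the patch above) is reused as soon as a tag is freed and handed out again, so anything the previous command left in the slot survives into the next one unless the slot is cleared on acquire. The names tag_pool, model_cmd, get_cmd, put_cmd and reuse_leaves_stale_pointer are hypothetical, and the tag allocator is a plain bitmap standing in for percpu_ida.

```c
/* Added illustration (hypothetical names; not code from f_tcm.c or the kernel):
 * a tag-indexed command slot pool, modelled on sess_cmd_map indexed by an
 * allocated tag. get_cmd() can clear the slot on acquire (the fix in the
 * thread) or leave it as the previous command left it (the bug). */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define POOL_TAGS 4

/* Per-command state: a pointer to a per-command buffer that a correct driver
 * would free on completion, plus some flags. */
struct model_cmd {
    unsigned int tag;
    void *owner;
    void *data;
    uint32_t flags;
};

struct tag_pool {
    struct model_cmd map[POOL_TAGS]; /* preallocated slots, like sess_cmd_map */
    uint8_t used[POOL_TAGS];         /* bitmap tag allocator, stands in for percpu_ida */
};

/* Hand out the lowest free tag, or -1 when the pool is exhausted. */
static int tag_alloc(struct tag_pool *p)
{
    for (int i = 0; i < POOL_TAGS; i++) {
        if (!p->used[i]) {
            p->used[i] = 1;
            return i;
        }
    }
    return -1;
}

static void tag_free(struct tag_pool *p, int tag)
{
    p->used[tag] = 0;
}

/* Look up the slot for a freshly allocated tag. With clear != 0 the slot is
 * zeroed first, so nothing from the previous occupant survives; with
 * clear == 0 only the fields set here are fresh. Returns NULL when no tag is free. */
static struct model_cmd *get_cmd(struct tag_pool *p, void *owner, int clear)
{
    int tag = tag_alloc(p);
    if (tag < 0)
        return NULL;
    struct model_cmd *cmd = &p->map[tag];
    if (clear)
        memset(cmd, 0, sizeof(*cmd));
    cmd->tag = (unsigned int)tag;
    cmd->owner = owner;
    return cmd;
}

/* Completion: release the tag. The slot itself is not touched, exactly as a
 * tag allocator would leave it. */
static void put_cmd(struct tag_pool *p, struct model_cmd *cmd)
{
    tag_free(p, (int)cmd->tag);
}

/* Command A attaches a buffer, completes (buffer considered freed, tag released),
 * then command B draws the same tag. Returns the buffer pointer B sees in its
 * slot: a dangling pointer from A when the slot was not cleared, NULL when it was. */
static void *reuse_leaves_stale_pointer(int clear_on_get)
{
    struct tag_pool pool;
    static char buffer_a[16]; /* constructed stand-in for A's per-command buffer */
    char owner_a, owner_b;

    memset(&pool, 0, sizeof(pool));

    struct model_cmd *a = get_cmd(&pool, &owner_a, clear_on_get);
    a->data = buffer_a;
    a->flags = 1;
    put_cmd(&pool, a);

    struct model_cmd *b = get_cmd(&pool, &owner_b, clear_on_get);
    return b->data; /* stale unless cleared on acquire */
}

/* How many commands the pool hands out before get_cmd() returns NULL. */
static int commands_until_exhausted(void)
{
    struct tag_pool pool;
    char owner;
    int n = 0;

    memset(&pool, 0, sizeof(pool));
    while (get_cmd(&pool, &owner, 1) != NULL)
        n++;
    return n;
}
```

Without the clear, B inherits A's data pointer and flags while its own tag and owner look valid, which is how a stale pointer from a completed command turns into a use after free on the next command that reuses the slot; clearing on acquire, as the memset() in the patch does, is the cheapest place to cut that off because the slot is known to be unowned at that point.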