usb: gadget: f_tcm: out of bound access in usbg_drop_tpg

Commit dc8c46a5ae77 ("usb: gadget: f_tcm: convert to new function interface with backward compatibility") introduced a possible out of bounds memory access: If tpg is not found in function usbg_drop_tpg, tpg_instances[TPG_INSTANCES] is accessed. Fixes: dc8c46a5ae77 ("usb: gadget: f_tcm: convert to new function interface with backward compatibility") Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
author: Heinrich Schuchardt <xypron.glpk@gmx.de> 2016-05-08 16:50:12 -0400
committer: Felipe Balbi <felipe.balbi@linux.intel.com> 2016-05-31 04:24:30 -0400
commit: e877b729c649c2850f61f2ae37296ae701f9ad63 (patch)
tree: 428e47fa38118e7af581ff0a3e36e7f35351a5cf /drivers/usb
parent: ffeee83aa0461992e8a99a59db2df31933e60362 (diff)
1 files changed, 11 insertions, 9 deletions
diff --git a/drivers/usb/gadget/function/f_tcm.c b/drivers/usb/gadget/function/f_tcm.c
index 35fe3c80cfc0..197f73386fac 100644
--- a/drivers/usb/gadget/function/f_tcm.c
+++ b/drivers/usb/gadget/function/f_tcm.c
@@ -1445,16 +1445,18 @@ static void usbg_drop_tpg(struct se_portal_group *se_tpg)
        for (i = 0; i < TPG_INSTANCES; ++i)
                if (tpg_instances[i].tpg == tpg)
                        break;
-        if (i < TPG_INSTANCES)
+        if (i < TPG_INSTANCES) {
                tpg_instances[i].tpg = NULL;
-        opts = container_of(tpg_instances[i].func_inst,
+                opts = container_of(tpg_instances[i].func_inst,
-                struct f_tcm_opts, func_inst);
+                        struct f_tcm_opts, func_inst);
-        mutex_lock(&opts->dep_lock);
+                mutex_lock(&opts->dep_lock);
-        if (opts->has_dep)
+                if (opts->has_dep)
-                module_put(opts->dependent);
+                        module_put(opts->dependent);
-        else
+                else
-                configfs_undepend_item_unlocked(&opts->func_inst.group.cg_item);
+                        configfs_undepend_item_unlocked(
-        mutex_unlock(&opts->dep_lock);
+                                &opts->func_inst.group.cg_item);
+                mutex_unlock(&opts->dep_lock);
+        }
        mutex_unlock(&tpg_instances_lock);
        kfree(tpg);
author	Heinrich Schuchardt <xypron.glpk@gmx.de>	2016-05-08 16:50:12 -0400
committer	Felipe Balbi <felipe.balbi@linux.intel.com>	2016-05-31 04:24:30 -0400
commit	e877b729c649c2850f61f2ae37296ae701f9ad63 (patch)
tree	428e47fa38118e7af581ff0a3e36e7f35351a5cf /drivers/usb
parent	ffeee83aa0461992e8a99a59db2df31933e60362 (diff)

diff --git a/drivers/usb/gadget/function/f_tcm.c b/drivers/usb/gadget/function/f_tcm.c index 35fe3c80cfc0..197f73386fac 100644 --- a/drivers/usb/gadget/function/f_tcm.c +++ b/drivers/usb/gadget/function/f_tcm.c
@@ -1445,16 +1445,18 @@ static void usbg_drop_tpg(struct se_portal_group *se_tpg)
1445	for (i = 0; i < TPG_INSTANCES; ++i)	1445	for (i = 0; i < TPG_INSTANCES; ++i)
1446	if (tpg_instances[i].tpg == tpg)	1446	if (tpg_instances[i].tpg == tpg)
1447	break;	1447	break;
1448	if (i < TPG_INSTANCES)	1448	if (i < TPG_INSTANCES) {
1449	tpg_instances[i].tpg = NULL;	1449	tpg_instances[i].tpg = NULL;
1450	opts = container_of(tpg_instances[i].func_inst,	1450	opts = container_of(tpg_instances[i].func_inst,
1451	struct f_tcm_opts, func_inst);	1451	struct f_tcm_opts, func_inst);
1452	mutex_lock(&opts->dep_lock);	1452	mutex_lock(&opts->dep_lock);
1453	if (opts->has_dep)	1453	if (opts->has_dep)
1454	module_put(opts->dependent);	1454	module_put(opts->dependent);
1455	else	1455	else
1456	configfs_undepend_item_unlocked(&opts->func_inst.group.cg_item);	1456	configfs_undepend_item_unlocked(
1457	mutex_unlock(&opts->dep_lock);	1457	&opts->func_inst.group.cg_item);
		1458	mutex_unlock(&opts->dep_lock);
		1459	}
1458	mutex_unlock(&tpg_instances_lock);	1460	mutex_unlock(&tpg_instances_lock);
1459		1461
1460	kfree(tpg);	1462	kfree(tpg);