Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753646AbcCBKJV (ORCPT ); Wed, 2 Mar 2016 05:09:21 -0500 Received: from aserp1040.oracle.com ([141.146.126.69]:18658 "EHLO aserp1040.oracle.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752947AbcCBKJS (ORCPT ); Wed, 2 Mar 2016 05:09:18 -0500 Date: Wed, 2 Mar 2016 13:08:48 +0300 From: Dan Carpenter To: Felipe Balbi , Christoph Hellwig , Nicholas Bellinger Cc: Greg Kroah-Hartman , Sebastian Andrzej Siewior , Andrzej Pietrasiewicz , Bart Van Assche , linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, target-devel@vger.kernel.org Subject: [patch -target tree] usb: gadget: f_tcm: use after free Message-ID: <20160302100848.GC5533@mwanda> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.5.24 (2015-08-30) X-Source-IP: userv0022.oracle.com [156.151.31.74] Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 751 Lines: 20 We need to move the kfree() down a line so we don't dereference a freed variable. Fixes: 1b418a8fcbc0 ('target: Convert demo-mode only drivers to target_alloc_session') Signed-off-by: Dan Carpenter diff --git a/drivers/usb/gadget/function/f_tcm.c b/drivers/usb/gadget/function/f_tcm.c index 7276a73..e352a31 100644 --- a/drivers/usb/gadget/function/f_tcm.c +++ b/drivers/usb/gadget/function/f_tcm.c @@ -1596,8 +1596,8 @@ static int tcm_usbg_make_nexus(struct usbg_tpg *tpg, char *name) #define MAKE_NEXUS_MSG "core_tpg_check_initiator_node_acl() failed for %s\n" pr_debug(MAKE_NEXUS_MSG, name); #undef MAKE_NEXUS_MSG - kfree(tv_nexus); ret = PTR_ERR(tv_nexus->tvn_se_sess); + kfree(tv_nexus); } out_unlock: