Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1755095AbcCBL4a (ORCPT <rfc822;w@1wt.eu>);
	Wed, 2 Mar 2016 06:56:30 -0500
Received: from mga11.intel.com ([192.55.52.93]:33136 "EHLO mga11.intel.com"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
	id S1753070AbcCBL42 (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
	Wed, 2 Mar 2016 06:56:28 -0500
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.22,528,1449561600"; 
   d="asc'?scan'208";a="925104063"
From: Felipe Balbi <balbi@kernel.org>
To: Dan Carpenter <dan.carpenter@oracle.com>, Christoph Hellwig <hch@lst.de>,
        Nicholas Bellinger <nab@linux-iscsi.org>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        Sebastian Andrzej Siewior <bigeasy@linutronix.de>,
        Andrzej Pietrasiewicz <andrzej.p@samsung.com>,
        Bart Van Assche <bart.vanassche@sandisk.com>,
        linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org,
        target-devel@vger.kernel.org
Subject: Re: [patch -target tree] usb: gadget: f_tcm: use after free
In-Reply-To: <20160302100848.GC5533@mwanda>
References: <20160302100848.GC5533@mwanda>
User-Agent: Notmuch/0.21 (http://notmuchmail.org) Emacs/25.0.50.2 (x86_64-pc-linux-gnu)
Date: Wed, 02 Mar 2016 13:55:45 +0200
Message-ID: <87k2ll856m.fsf@ti.com>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-=";
	micalg=pgp-sha1; protocol="application/pgp-signature"
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 1929
Lines: 58

--=-=-=
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

Dan Carpenter <dan.carpenter@oracle.com> writes:
> We need to move the kfree() down a line so we don't dereference a freed
> variable.
>
> Fixes: 1b418a8fcbc0 ('target: Convert demo-mode only drivers to target_al=
loc_session')
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

It's okay to take this via target:

Signed-off-by: Felipe Balbi <balbi@kernel.org>

> diff --git a/drivers/usb/gadget/function/f_tcm.c b/drivers/usb/gadget/fun=
ction/f_tcm.c
> index 7276a73..e352a31 100644
> --- a/drivers/usb/gadget/function/f_tcm.c
> +++ b/drivers/usb/gadget/function/f_tcm.c
> @@ -1596,8 +1596,8 @@ static int tcm_usbg_make_nexus(struct usbg_tpg *tpg=
, char *name)
>  #define MAKE_NEXUS_MSG "core_tpg_check_initiator_node_acl() failed for %=
s\n"
>  		pr_debug(MAKE_NEXUS_MSG, name);
>  #undef MAKE_NEXUS_MSG
> -		kfree(tv_nexus);
>  		ret =3D PTR_ERR(tv_nexus->tvn_se_sess);
> +		kfree(tv_nexus);
>  	}
>=20=20
>  out_unlock:

=2D-=20
balbi

--=-=-=
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJW1tTBAAoJEIaOsuA1yqRE84QP/3oPCwTOf7EzvrrV+cY/xwGu
tbCKmQoAACjV+1oDGVklH8p8Nu3+4d9XEOLYXgnaeWJjlqDEX0BNgofQDa3+9HVv
NvNWUukFjc32hcbxrYgb42PCakpA2f6foN8N6wxCqgSzXSJPG/yylg0t7rLQUYON
kt2paZc48I/HWgfQQds2dWeAZb8OPUyj2zE1xd34yCm1IgayJ6mx/BgBH8WIcMyD
aaGhSOHz/9bz5arm0p9WEzRSDxNgKULZcR9c09g3m4ERkXqW6ZECL+GttdHrS86j
ibtD4tF3S0fz9l1iCy8zUtQ5zJE9eBkQ09MX6pTV+Zp8giZS5DiMnBg2WAOEVzIf
8e0XMtCyFWcwGTjCHy/ZgzcU2I0jTSi1W5qTHp6KGUgYCMzAEu2qXoA0mcnibvQG
2LSIAJK6jU1dNz9gpTQjPEPNdbyTvgRdFvz122FCQi1NwZXf0Owk14YEzkgHa/v6
GE+7DugNwSkJmuikv50Vh4SGZmSoUI+HvU6qD7+Fvc3vIccFychuqzoHtVkMKC7/
p2rEiaTplaf/Kq7oGjXI1wMNOYTt3mfImRAqfY7Liib8Tw/X5OcRXYlEsngXYNK4
IE80L9BcrroGOhHK6KPGKo+A+ToUQYegbnQ2XgbMRXMlRrd1iF05Evfc/W05hM5b
KFqf3wVl3lqQyZTwtI6S
=nQdR
-----END PGP SIGNATURE-----
--=-=-=--