Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754667AbcCEHUk (ORCPT ); Sat, 5 Mar 2016 02:20:40 -0500 Received: from mail.linux-iscsi.org ([67.23.28.174]:42568 "EHLO linux-iscsi.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750952AbcCEHUc (ORCPT ); Sat, 5 Mar 2016 02:20:32 -0500 Message-ID: <1457162429.19657.277.camel@haakon3.risingtidesystems.com> Subject: Re: [patch -target tree] usb: gadget: f_tcm: use after free From: "Nicholas A. Bellinger" To: Dan Carpenter Cc: Felipe Balbi , Christoph Hellwig , Greg Kroah-Hartman , Sebastian Andrzej Siewior , Andrzej Pietrasiewicz , Bart Van Assche , linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, target-devel@vger.kernel.org Date: Fri, 04 Mar 2016 23:20:29 -0800 In-Reply-To: <20160302100848.GC5533@mwanda> References: <20160302100848.GC5533@mwanda> Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.4.4-1 Mime-Version: 1.0 Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 903 Lines: 25 On Wed, 2016-03-02 at 13:08 +0300, Dan Carpenter wrote: > We need to move the kfree() down a line so we don't dereference a freed > variable. > > Fixes: 1b418a8fcbc0 ('target: Convert demo-mode only drivers to target_alloc_session') > Signed-off-by: Dan Carpenter > > diff --git a/drivers/usb/gadget/function/f_tcm.c b/drivers/usb/gadget/function/f_tcm.c > index 7276a73..e352a31 100644 > --- a/drivers/usb/gadget/function/f_tcm.c > +++ b/drivers/usb/gadget/function/f_tcm.c > @@ -1596,8 +1596,8 @@ static int tcm_usbg_make_nexus(struct usbg_tpg *tpg, char *name) > #define MAKE_NEXUS_MSG "core_tpg_check_initiator_node_acl() failed for %s\n" > pr_debug(MAKE_NEXUS_MSG, name); > #undef MAKE_NEXUS_MSG > - kfree(tv_nexus); > ret = PTR_ERR(tv_nexus->tvn_se_sess); > + kfree(tv_nexus); > } > > out_unlock: Fixed + squashed into the original patch. Thanks Dan.