Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1754531AbcCJIfD (ORCPT <rfc822;w@1wt.eu>);
	Thu, 10 Mar 2016 03:35:03 -0500
Received: from mailout3.w1.samsung.com ([210.118.77.13]:20326 "EHLO
	mailout3.w1.samsung.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1751959AbcCJIe4 (ORCPT
	<rfc822;linux-kernel@vger.kernel.org>);
	Thu, 10 Mar 2016 03:34:56 -0500
X-AuditID: cbfec7f5-f79b16d000005389-d9-56e131ab2c71
Subject: Re: [patch -target tree] usb: gadget: f_tcm: use after free
To: "Nicholas A. Bellinger" <nab@linux-iscsi.org>
References: <20160302100848.GC5533@mwanda> <87k2ll856m.fsf@ti.com>
 <1457162818.19657.282.camel@haakon3.risingtidesystems.com>
 <56E01CE4.5060501@samsung.com>
 <1457587163.4062.13.camel@haakon3.risingtidesystems.com>
Cc: Felipe Balbi <balbi@kernel.org>, Dan Carpenter <dan.carpenter@oracle.com>,
        Christoph Hellwig <hch@lst.de>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        Sebastian Andrzej Siewior <bigeasy@linutronix.de>,
        Bart Van Assche <bart.vanassche@sandisk.com>,
        linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org,
        target-devel@vger.kernel.org
From: Andrzej Pietrasiewicz <andrzej.p@samsung.com>
Message-id: <56E131AA.30107@samsung.com>
Date: Thu, 10 Mar 2016 09:34:50 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101
 Thunderbird/38.6.0
MIME-version: 1.0
In-reply-to: <1457587163.4062.13.camel@haakon3.risingtidesystems.com>
Content-type: text/plain; charset=utf-8; format=flowed
Content-transfer-encoding: 7bit
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFvrFLMWRmVeSWpSXmKPExsVy+t/xy7qrDR+GGUzdom1xrO0Ju8XBn22M
	FtMuTmK2eP1vOotF8+L1bBYrVx9lsri8aw6bxaJlrcwWbavPMFq0Ln3L5MDlsWlVJ5vHu3Pn
	2D3ubz/C5LF/7hp2j903G9g8Pj69xeIxbc15Jo/Pm+QCOKK4bFJSczLLUov07RK4Ml5dWche
	0Clc8er+XqYGxrm8XYycHBICJhJfGm4xQ9hiEhfurWfrYuTiEBJYyijx/eQVKOcFo8Sja/NY
	QaqEBVwkZm28zdLFyMEhImAo8eFoJUTNbUaJlbsuMIE4zAIPmCQ2H/3CBtLAJmAssfdgByOI
	zSugIfH67hsmEJtFQFXi8aWN7CC2qECExJO5J6FqBCV+TL4HtoBTwFXi0akakDCzgJnEl5eH
	WSFseYnNa94yT2AUmIWkYxaSsllIyhYwMq9iFE0tTS4oTkrPNdIrTswtLs1L10vOz93ECImR
	rzsYlx6zOsQowMGoxMObUfcgTIg1say4MvcQowQHs5IIb73BwzAh3pTEyqrUovz4otKc1OJD
	jNIcLErivDN3vQ8REkhPLEnNTk0tSC2CyTJxcEo1MKquaTg+7/cqrTu7ZyWYbN+U1HaDJ0Rz
	Y/kSr58p/BW/7IIsev0bl7jzZgu//CvrlbV0V9yH5EuJWwPS9mgf54x8Ib/K4d5HCUfurtSd
	TOt5C0OudDldWuoVx9yT9t6pKVojYhFHwnV/x/qrGVMkLs9Jlv8za46poeihuMMLFjR76qUw
	mvlfV2Ipzkg01GIuKk4EAKFJZsuNAgAA
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 2368
Lines: 73

Hi Nicholas,

W dniu 10.03.2016 o 06:19, Nicholas A. Bellinger pisze:
> Hi Andrzej,
>
> On Wed, 2016-03-09 at 13:53 +0100, Andrzej Pietrasiewicz wrote:
>> Hi Nicholas,
>>

<snip>

>
> Applying the following patch to re-add the missing assingment
> as a proper alloc_session callback.
>
> diff --git a/drivers/usb/gadget/function/f_tcm.c b/drivers/usb/gadget/function/f_tcm.c
> index e352a31..348140c 100644
> --- a/drivers/usb/gadget/function/f_tcm.c
> +++ b/drivers/usb/gadget/function/f_tcm.c
> @@ -1570,6 +1570,16 @@ out:
>          return ret;
>   }
>
> +static int usbg_alloc_sess_cb(struct se_portal_group *se_tpg,
> +                             struct se_session *se_sess, void *p)
> +{
> +       struct usbg_tpg *tpg = container_of(se_tpg,
> +                               struct usbg_tpg, se_tpg);
> +
> +       tpg->tpg_nexus = p;
> +       return 0;
> +}
> +
>   static int tcm_usbg_make_nexus(struct usbg_tpg *tpg, char *name)
>   {
>          struct tcm_usbg_nexus *tv_nexus;
> @@ -1591,7 +1601,7 @@ static int tcm_usbg_make_nexus(struct usbg_tpg *tpg, char *name)
>          tv_nexus->tvn_se_sess = target_alloc_session(&tpg->se_tpg, 128,
>                                                       sizeof(struct usbg_cmd),
>                                                       TARGET_PROT_NORMAL, name,
> -                                                    tv_nexus, NULL);
> +                                                    tv_nexus, usbg_alloc_sess_cb);
>          if (IS_ERR(tv_nexus->tvn_se_sess)) {
>   #define MAKE_NEXUS_MSG "core_tpg_check_initiator_node_acl() failed for %s\n"
>                  pr_debug(MAKE_NEXUS_MSG, name);
>

<snip>

>
> Mmmm, usbg_get_cmd() was missing an explicit memset() after tag lookup.
>
> How about the following..?
>
> diff --git a/drivers/usb/gadget/function/f_tcm.c b/drivers/usb/gadget/function/f_tcm.c
> index e352a31..d4e8a91 100644
> --- a/drivers/usb/gadget/function/f_tcm.c
> +++ b/drivers/usb/gadget/function/f_tcm.c
> @@ -1078,6 +1078,7 @@ static struct usbg_cmd *usbg_get_cmd(struct f_uas *fu,
>                  return ERR_PTR(-ENOMEM);
>
>          cmd = &((struct usbg_cmd *)se_sess->sess_cmd_map)[tag];
> +       memset(cmd, 0, sizeof(*cmd));
>          cmd->se_cmd.map_tag = tag;
>          cmd->se_cmd.tag = cmd->tag = scsi_tag;
>          cmd->fu = fu;
>
>
>

I tested it. Works for me.

AP