Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S933964AbcCKEKV (ORCPT <rfc822;w@1wt.eu>);
	Thu, 10 Mar 2016 23:10:21 -0500
Received: from mail.linux-iscsi.org ([67.23.28.174]:44839 "EHLO
	linux-iscsi.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S932612AbcCKEKT (ORCPT
	<rfc822;linux-kernel@vger.kernel.org>);
	Thu, 10 Mar 2016 23:10:19 -0500
Message-ID: <1457669416.4062.62.camel@haakon3.risingtidesystems.com>
Subject: Re: [patch -target tree] usb: gadget: f_tcm: use after free
From: "Nicholas A. Bellinger" <nab@linux-iscsi.org>
To: Andrzej Pietrasiewicz <andrzej.p@samsung.com>
Cc: Felipe Balbi <balbi@kernel.org>, Dan Carpenter <dan.carpenter@oracle.com>,
        Christoph Hellwig <hch@lst.de>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        Sebastian Andrzej Siewior <bigeasy@linutronix.de>,
        Bart Van Assche <bart.vanassche@sandisk.com>,
        linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org,
        target-devel@vger.kernel.org
Date: Thu, 10 Mar 2016 20:10:16 -0800
In-Reply-To: <56E131AA.30107@samsung.com>
References: <20160302100848.GC5533@mwanda> <87k2ll856m.fsf@ti.com>
	 <1457162818.19657.282.camel@haakon3.risingtidesystems.com>
	 <56E01CE4.5060501@samsung.com>
	 <1457587163.4062.13.camel@haakon3.risingtidesystems.com>
	 <56E131AA.30107@samsung.com>
Content-Type: text/plain; charset="UTF-8"
X-Mailer: Evolution 3.4.4-1 
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 1098
Lines: 39

On Thu, 2016-03-10 at 09:34 +0100, Andrzej Pietrasiewicz wrote:
> Hi Nicholas,
> 
> W dniu 10.03.2016 o 06:19, Nicholas A. Bellinger pisze:
> > Hi Andrzej,
> >
> > On Wed, 2016-03-09 at 13:53 +0100, Andrzej Pietrasiewicz wrote:
> >> Hi Nicholas,
> >>

<SNIP>

> >
> > Mmmm, usbg_get_cmd() was missing an explicit memset() after tag lookup.
> >
> > How about the following..?
> >
> > diff --git a/drivers/usb/gadget/function/f_tcm.c b/drivers/usb/gadget/function/f_tcm.c
> > index e352a31..d4e8a91 100644
> > --- a/drivers/usb/gadget/function/f_tcm.c
> > +++ b/drivers/usb/gadget/function/f_tcm.c
> > @@ -1078,6 +1078,7 @@ static struct usbg_cmd *usbg_get_cmd(struct f_uas *fu,
> >                  return ERR_PTR(-ENOMEM);
> >
> >          cmd = &((struct usbg_cmd *)se_sess->sess_cmd_map)[tag];
> > +       memset(cmd, 0, sizeof(*cmd));
> >          cmd->se_cmd.map_tag = tag;
> >          cmd->se_cmd.tag = cmd->tag = scsi_tag;
> >          cmd->fu = fu;
> >
> >
> >
> 
> I tested it. Works for me.

Folding this missing memset() into usb-gadget's percpu_ida conversion
for -v4.

Thanks Andrzej!