usb: gadget: f_tcm: out of bound access in usbg_drop_tpg

Commit dc8c46a5 ("usb: gadget: f_tcm: convert to new function interface with backward compatibility") introduced a possible out of bounds memory access: If tpg is not found in function usbg_drop_tpg, tpg_instances[TPG_INSTANCES] is accessed. Fixes: dc8c46a5 ("usb: gadget: f_tcm: convert to new function interface with backward compatibility") Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>

usb: gadget: f_tcm: out of bound access in usbg_drop_tpg
Commit dc8c46a5 ("usb: gadget: f_tcm: convert to new function interface with backward compatibility") introduced a possible out of bounds memory access: If tpg is not found in function usbg_drop_tpg, tpg_instances[TPG_INSTANCES] is accessed. Fixes: dc8c46a5 ("usb: gadget: f_tcm: convert to new function interface with backward compatibility") Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
e877b729 · Heinrich Schuchardt · Felipe Balbi · ffeee83a · e877b729
Commit e877b729 authored May 08, 2016 by Heinrich Schuchardt Committed by Felipe Balbi May 31, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 11 additions and 9 deletions

drivers/usb/gadget/function/f_tcm.c drivers/usb/gadget/function/f_tcm.c +11 -9

No files found.
--- a/drivers/usb/gadget/function/f_tcm.c
+++ b/drivers/usb/gadget/function/f_tcm.c
@@ -1445,16 +1445,18 @@ static void usbg_drop_tpg(struct se_portal_group *se_tpg)
 	for (i = 0; i < TPG_INSTANCES; ++i)
 		if (tpg_instances[i].tpg == tpg)
 			break;
-	if (i < TPG_INSTANCES)
+	if (i < TPG_INSTANCES) {
 		tpg_instances[i].tpg = NULL;
-	opts = container_of(tpg_instances[i].func_inst,
+		opts = container_of(tpg_instances[i].func_inst,
-		struct f_tcm_opts, func_inst);
+			struct f_tcm_opts, func_inst);
-	mutex_lock(&opts->dep_lock);
+		mutex_lock(&opts->dep_lock);
-	if (opts->has_dep)
+		if (opts->has_dep)
-		module_put(opts->dependent);
+			module_put(opts->dependent);
-	else
+		else
-		configfs_undepend_item_unlocked(&opts->func_inst.group.cg_item);
+			configfs_undepend_item_unlocked(
-	mutex_unlock(&opts->dep_lock);
+				&opts->func_inst.group.cg_item);
+		mutex_unlock(&opts->dep_lock);
+	}
 	mutex_unlock(&tpg_instances_lock);
 	kfree(tpg);