usb: gadget: f_tcm: out of bound access in usbg_drop_tpg

Commit dc8c46a5ae ("usb: gadget: f_tcm: convert to new function
interface with backward compatibility") introduced a possible out
of bounds memory access:

If tpg is not found in function usbg_drop_tpg,
tpg_instances[TPG_INSTANCES] is accessed.

Fixes: dc8c46a5ae ("usb: gadget: f_tcm: convert to new function interface with backward compatibility")
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
This commit is contained in:
Heinrich Schuchardt 2016-05-08 22:50:12 +02:00 committed by Felipe Balbi
parent ffeee83aa0
commit e877b729c6

View File

@ -1445,16 +1445,18 @@ static void usbg_drop_tpg(struct se_portal_group *se_tpg)
for (i = 0; i < TPG_INSTANCES; ++i)
if (tpg_instances[i].tpg == tpg)
break;
if (i < TPG_INSTANCES)
if (i < TPG_INSTANCES) {
tpg_instances[i].tpg = NULL;
opts = container_of(tpg_instances[i].func_inst,
struct f_tcm_opts, func_inst);
mutex_lock(&opts->dep_lock);
if (opts->has_dep)
module_put(opts->dependent);
else
configfs_undepend_item_unlocked(&opts->func_inst.group.cg_item);
mutex_unlock(&opts->dep_lock);
opts = container_of(tpg_instances[i].func_inst,
struct f_tcm_opts, func_inst);
mutex_lock(&opts->dep_lock);
if (opts->has_dep)
module_put(opts->dependent);
else
configfs_undepend_item_unlocked(
&opts->func_inst.group.cg_item);
mutex_unlock(&opts->dep_lock);
}
mutex_unlock(&tpg_instances_lock);
kfree(tpg);