usb: gadget: f_tcm: out of bound access in usbg_drop_tpg
Commitdc8c46a5ae
("usb: gadget: f_tcm: convert to new function interface with backward compatibility") introduced a possible out of bounds memory access: If tpg is not found in function usbg_drop_tpg, tpg_instances[TPG_INSTANCES] is accessed. Fixes:dc8c46a5ae
("usb: gadget: f_tcm: convert to new function interface with backward compatibility") Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
This commit is contained in:
parent
ffeee83aa0
commit
e877b729c6
@ -1445,16 +1445,18 @@ static void usbg_drop_tpg(struct se_portal_group *se_tpg)
|
||||
for (i = 0; i < TPG_INSTANCES; ++i)
|
||||
if (tpg_instances[i].tpg == tpg)
|
||||
break;
|
||||
if (i < TPG_INSTANCES)
|
||||
if (i < TPG_INSTANCES) {
|
||||
tpg_instances[i].tpg = NULL;
|
||||
opts = container_of(tpg_instances[i].func_inst,
|
||||
struct f_tcm_opts, func_inst);
|
||||
mutex_lock(&opts->dep_lock);
|
||||
if (opts->has_dep)
|
||||
module_put(opts->dependent);
|
||||
else
|
||||
configfs_undepend_item_unlocked(&opts->func_inst.group.cg_item);
|
||||
mutex_unlock(&opts->dep_lock);
|
||||
opts = container_of(tpg_instances[i].func_inst,
|
||||
struct f_tcm_opts, func_inst);
|
||||
mutex_lock(&opts->dep_lock);
|
||||
if (opts->has_dep)
|
||||
module_put(opts->dependent);
|
||||
else
|
||||
configfs_undepend_item_unlocked(
|
||||
&opts->func_inst.group.cg_item);
|
||||
mutex_unlock(&opts->dep_lock);
|
||||
}
|
||||
mutex_unlock(&tpg_instances_lock);
|
||||
|
||||
kfree(tpg);
|
||||
|
Loading…
Reference in New Issue
Block a user