From: Andrzej Pietrasiewicz <andrzej.p@samsung.com>
To: "Nicholas A. Bellinger" <nab@linux-iscsi.org>
Cc: Felipe Balbi <balbi@kernel.org>,
Dan Carpenter <dan.carpenter@oracle.com>,
Christoph Hellwig <hch@lst.de>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Sebastian Andrzej Siewior <bigeasy@linutronix.de>,
Bart Van Assche <bart.vanassche@sandisk.com>,
linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org,
target-devel@vger.kernel.org
Subject: Re: [patch -target tree] usb: gadget: f_tcm: use after free
Date: Thu, 10 Mar 2016 09:34:50 +0100
Message-ID: <56E131AA.30107@samsung.com>
In-Reply-To: <1457587163.4062.13.camel@haakon3.risingtidesystems.com>
Hi Nicholas,
On 10.03.2016 at 06:19, Nicholas A. Bellinger wrote:
> Hi Andrzej,
>
> On Wed, 2016-03-09 at 13:53 +0100, Andrzej Pietrasiewicz wrote:
>> Hi Nicholas,
>>
<snip>
>
> Applying the following patch to re-add the missing assignment
> as a proper alloc_session callback.
>
> diff --git a/drivers/usb/gadget/function/f_tcm.c b/drivers/usb/gadget/function/f_tcm.c
> index e352a31..348140c 100644
> --- a/drivers/usb/gadget/function/f_tcm.c
> +++ b/drivers/usb/gadget/function/f_tcm.c
> @@ -1570,6 +1570,16 @@ out:
> return ret;
> }
>
> +static int usbg_alloc_sess_cb(struct se_portal_group *se_tpg,
> + struct se_session *se_sess, void *p)
> +{
> + struct usbg_tpg *tpg = container_of(se_tpg,
> + struct usbg_tpg, se_tpg);
> +
> + tpg->tpg_nexus = p;
> + return 0;
> +}
> +
> static int tcm_usbg_make_nexus(struct usbg_tpg *tpg, char *name)
> {
> struct tcm_usbg_nexus *tv_nexus;
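Review bot: usbg_alloc_sess_cb() stores the opaque `void *p` into `tpg->tpg_nexus` with no comment saying what `p` is expected to be; since the compiler cannot check the type of a `void *` private pointer, a one-line comment above the assignment stating that `p` is the `struct tcm_usbg_nexus` handed to target_alloc_session() (as the call site in the next hunk shows) would make the contract explicit and keep a future caller from passing something else. The callback also never fails, so returning 0 unconditionally is fine, but the `container_of()` split across two lines could sit on one line for readability.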
> @@ -1591,7 +1601,7 @@ static int tcm_usbg_make_nexus(struct usbg_tpg *tpg, char *name)
> tv_nexus->tvn_se_sess = target_alloc_session(&tpg->se_tpg, 128,
> sizeof(struct usbg_cmd),
> TARGET_PROT_NORMAL, name,
> - tv_nexus, NULL);
> + tv_nexus, usbg_alloc_sess_cb);
> if (IS_ERR(tv_nexus->tvn_se_sess)) {
> #define MAKE_NEXUS_MSG "core_tpg_check_initiator_node_acl() failed for %s\n"
> pr_debug(MAKE_NEXUS_MSG, name);
>
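Review bot: the patch description above says the assignment is being "re-added" as a callback, but nothing in the hunk or message explains why `tpg->tpg_nexus` must be set from inside the alloc_session callback rather than directly after target_alloc_session() returns; a sentence in the commit message (or a comment at the call site) recording that ordering requirement would keep someone from moving it back out later. Separately, the unchanged `MAKE_NEXUS_MSG` context here is defined with `#define` inside the function body and names core_tpg_check_initiator_node_acl() as the failure cause even though target_alloc_session() can fail for other reasons (for example an allocation failure); worth cleaning up in a follow-up so the debug output does not mislead.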
<snip>
>
> Mmmm, usbg_get_cmd() was missing an explicit memset() after tag lookup.
>
> How about the following..?
>
> diff --git a/drivers/usb/gadget/function/f_tcm.c b/drivers/usb/gadget/function/f_tcm.c
> index e352a31..d4e8a91 100644
> --- a/drivers/usb/gadget/function/f_tcm.c
> +++ b/drivers/usb/gadget/function/f_tcm.c
> @@ -1078,6 +1078,7 @@ static struct usbg_cmd *usbg_get_cmd(struct f_uas *fu,
> return ERR_PTR(-ENOMEM);
>
> cmd = &((struct usbg_cmd *)se_sess->sess_cmd_map)[tag];
> + memset(cmd, 0, sizeof(*cmd));
> cmd->se_cmd.map_tag = tag;
> cmd->se_cmd.tag = cmd->tag = scsi_tag;
> cmd->fu = fu;
>
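Review bot: the memset() is placed correctly, before `map_tag`, `tag` and `fu` are assigned, so those fields are not wiped; but clearing the whole `struct usbg_cmd` on every lookup from `sess_cmd_map` assumes nothing in the slot is initialised once at session setup and expected to survive across command reuse (embedded list heads, work items or completion objects, if any). Please confirm that against the struct definition and add a short comment above the memset() stating that the slot is reused and may still hold state from the previous command, which is the stale-pointer problem this thread's subject refers to; without the comment the line looks redundant and is an easy candidate for accidental removal.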
>
>
I tested it. Works for me.
AP
Thread overview:
2016-03-02 10:08 [patch -target tree] usb: gadget: f_tcm: use after free Dan Carpenter
2016-03-02 11:55 ` Felipe Balbi
2016-03-05 7:26 ` Nicholas A. Bellinger
2016-03-09 11:38 ` Felipe Balbi
2016-03-10 6:23 ` Nicholas A. Bellinger
2016-03-09 12:53 ` Andrzej Pietrasiewicz
2016-03-10 5:19 ` Nicholas A. Bellinger
2016-03-10 8:34 ` Andrzej Pietrasiewicz [this message]
2016-03-11 4:10 ` Nicholas A. Bellinger
2016-03-05 7:20 ` Nicholas A. Bellinger