usb: gadget: f_tcm: out of bound access in usbg_drop_tpg (e877b729) · Commits · e / devices / android_kernel_fairphone_FP4

drivers/usb/gadget/function/f_tcm.c

+11 −9

Original line number	Diff line number	Diff line
		@@ -1445,7 +1445,7 @@ static void usbg_drop_tpg(struct se_portal_group *se_tpg)
		for (i = 0; i < TPG_INSTANCES; ++i)
		if (tpg_instances[i].tpg == tpg)
		break;
		if (i < TPG_INSTANCES)
		if (i < TPG_INSTANCES) {
		tpg_instances[i].tpg = NULL;
		opts = container_of(tpg_instances[i].func_inst,
		struct f_tcm_opts, func_inst);
		@@ -1453,8 +1453,10 @@ static void usbg_drop_tpg(struct se_portal_group *se_tpg)
		if (opts->has_dep)
		module_put(opts->dependent);
		else
		configfs_undepend_item_unlocked(&opts->func_inst.group.cg_item);
		configfs_undepend_item_unlocked(
		&opts->func_inst.group.cg_item);
		mutex_unlock(&opts->dep_lock);
		}
		mutex_unlock(&tpg_instances_lock);

		kfree(tpg);