From e2720b40fd5852f65a012d3c044b9829fb21c0cd Mon Sep 17 00:00:00 2001 From: Thinh Nguyen Date: Wed, 11 Dec 2024 08:31:36 +0800 Subject: [PATCH] usb: gadget: f_tcm: Don't free command immediately ANBZ: #19399 commit c225d006a31949d673e646d585d9569bc28feeb9 upstream. Don't prematurely free the command. Wait for the status completion of the sense status. It can be freed then. Otherwise we will double-free the command. Fixes: cff834c16d23 ("usb-gadget/tcm: Convert to TARGET_SCF_ACK_KREF I/O krefs") Cc: stable@vger.kernel.org Signed-off-by: Thinh Nguyen Link: https://lore.kernel.org/r/ae919ac431f16275e05ec819bdffb3ac5f44cbe1.1733876548.git.Thinh.Nguyen@synopsys.com Signed-off-by: Greg Kroah-Hartman Fixes: CVE-2024-58055 Signed-off-by: Xiao Long Signed-off-by: 362994 <362994> --- drivers/usb/gadget/function/f_tcm.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/drivers/usb/gadget/function/f_tcm.c b/drivers/usb/gadget/function/f_tcm.c index 5a2e9ce2bc35..caa23265fae4 100644 --- a/drivers/usb/gadget/function/f_tcm.c +++ b/drivers/usb/gadget/function/f_tcm.c @@ -1068,7 +1068,6 @@ static void usbg_cmd_work(struct work_struct *work) out: transport_send_check_condition_and_sense(se_cmd, TCM_UNSUPPORTED_SCSI_OPCODE, 1); - transport_generic_free_cmd(&cmd->se_cmd, 0); } static struct usbg_cmd *usbg_get_cmd(struct f_uas *fu, @@ -1199,7 +1198,6 @@ static void bot_cmd_work(struct work_struct *work) out: transport_send_check_condition_and_sense(se_cmd, TCM_UNSUPPORTED_SCSI_OPCODE, 1); - transport_generic_free_cmd(&cmd->se_cmd, 0); } static int bot_submit_command(struct f_uas *fu, -- Gitee