USB: chipidea: fix use after free bug

The pointer to a platform_device struct must not be dereferenced after
the device has been unregistered.

This bug produces a crash when unloading the ci13xxx kernel module
compiled with CONFIG_PAGE_POISONING enabled.

Signed-off-by: Lothar Waßmann <LW@KARO-electronics.de>
Cc: stable <stable@vger.kernel.org> # 3.6
Acked-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/usb/chipidea/core.c b/drivers/usb/chipidea/core.c
index 5a4a5eca41942823f9c6a8290e2c66fa9ca5c187..aebf695a9344563e4c4bfc561ec44d3bf422d0d3 100644 (file)
--- a/drivers/usb/chipidea/core.c
+++ b/drivers/usb/chipidea/core.c
@@ -385,8 +385,9 @@ EXPORT_SYMBOL_GPL(ci13xxx_add_device);
 
 void ci13xxx_remove_device(struct platform_device *pdev)
 {
+       int id = pdev->id;
        platform_device_unregister(pdev);
-       ida_simple_remove(&ci_ida, pdev->id);
+       ida_simple_remove(&ci_ida, id);
 }
 EXPORT_SYMBOL_GPL(ci13xxx_remove_device);