usb: gadget: gadgetfs: potential use after free in unbind()
author Dan Carpenter <dan.carpenter@oracle.com>
Fri, 23 Aug 2013 08:16:15 +0000 (11:16 +0300)
committer Felipe Balbi <balbi@ti.com>
Tue, 27 Aug 2013 20:03:32 +0000 (15:03 -0500)
ffs_data_put() can sometimes free "ffs" so I have moved the call down
a line below the dereference.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
drivers/usb/gadget/f_fs.c

index f394f295d63d1b87927fb49fe9ebe3234fe0c635..1a66c5baa0d1f292188a1756cf17d5243b2ffe58 100644 (file)
@@ -1417,8 +1417,8 @@ static void functionfs_unbind(struct ffs_data *ffs)
                usb_ep_free_request(ffs->gadget->ep0, ffs->ep0req);
                ffs->ep0req = NULL;
                ffs->gadget = NULL;
-               ffs_data_put(ffs);
                clear_bit(FFS_FL_BOUND, &ffs->flags);
+               ffs_data_put(ffs);
        }
 }
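
Review bot: the relocated ffs_data_put(ffs) at the end of the if block carries no comment saying it has to remain the last use of ffs in functionfs_unbind(). The commit message states the put can free ffs, so a short comment directly above the call (for example "may drop the last reference, do not touch ffs after this") would stop a later edit from reintroducing a dereference such as the clear_bit(FFS_FL_BOUND, &ffs->flags) line after it. A smaller style point: the subject prefix says gadgetfs, while the change is in drivers/usb/gadget/f_fs.c and the function is functionfs_unbind(), so a prefix of "usb: gadget: f_fs:" would match the file being touched and make the fix easier to find when searching history for backports.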