From: Dan Carpenter Date: Fri, 23 Aug 2013 08:14:49 +0000 (+0300) Subject: usb: gadget: gadgetfs: use after free in dev_release() X-Git-Tag: firefly_0821_release~176^2~5474^2~19^2~4 X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=1826e9b1bd9139850954acb9c2e0fb230ba94e0d;p=firefly-linux-kernel-4.4.55.git usb: gadget: gadgetfs: use after free in dev_release() The call to put_dev() releases "dev". Hopefully, we don't need to set the state to STATE_DEV_DISABLED anyway so I have removed those lines. Signed-off-by: Dan Carpenter Signed-off-by: Felipe Balbi --- diff --git a/drivers/usb/gadget/inode.c b/drivers/usb/gadget/inode.c index 570c005062ab..465ef8e2cc91 100644 --- a/drivers/usb/gadget/inode.c +++ b/drivers/usb/gadget/inode.c @@ -1270,10 +1270,6 @@ dev_release (struct inode *inode, struct file *fd) dev->buf = NULL; put_dev (dev); - /* other endpoints were all decoupled from this device */ - spin_lock_irq(&dev->lock); - dev->state = STATE_DEV_DISABLED; - spin_unlock_irq(&dev->lock); return 0; }
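Review bot: The lines removed after `put_dev (dev);` in dev_release() take the transition to STATE_DEV_DISABLED away entirely instead of moving it, and the commit message justifies that only with "Hopefully, we don't need to set the state". If this put_dev() is not always the final reference, any remaining holder of "dev" will never observe the disabled state. Consider moving the locked assignment (`spin_lock_irq(&dev->lock); dev->state = STATE_DEV_DISABLED; spin_unlock_irq(&dev->lock);`) to just before `put_dev (dev);`, next to `dev->buf = NULL;`, which keeps the state change and still avoids touching "dev" after release. If the state really is unused past this point, the commit message should say why, so the removal does not rest on a guess.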