From: Dan Carpenter <dan.carpenter@oracle.com>
Date: Fri, 23 Aug 2013 08:16:15 +0000 (+0300)
Subject: usb: gadget: gadgetfs: potential use after free in unbind()
X-Git-Tag: firefly_0821_release~176^2~5474^2~19^2~3
X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=df4989954abc5ae160865bec79b0f099086decce;p=firefly-linux-kernel-4.4.55.git

usb: gadget: gadgetfs: potential use after free in unbind()

ffs_data_put() can sometimes free "ffs" so I have moved the call down
a line below the dereference.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
---

diff --git a/drivers/usb/gadget/f_fs.c b/drivers/usb/gadget/f_fs.c
index f394f295d63d..1a66c5baa0d1 100644
--- a/drivers/usb/gadget/f_fs.c
+++ b/drivers/usb/gadget/f_fs.c
@@ -1417,8 +1417,8 @@ static void functionfs_unbind(struct ffs_data *ffs)
 		usb_ep_free_request(ffs->gadget->ep0, ffs->ep0req);
 		ffs->ep0req = NULL;
 		ffs->gadget = NULL;
-		ffs_data_put(ffs);
 		clear_bit(FFS_FL_BOUND, &ffs->flags);
+		ffs_data_put(ffs);
 	}
 }