diff options
author | Dan Carpenter <dan.carpenter@oracle.com> | 2013-08-23 11:16:15 +0300 |
---|---|---|
committer | Felipe Balbi <balbi@ti.com> | 2013-08-27 15:03:32 -0500 |
commit | df4989954abc5ae160865bec79b0f099086decce (patch) | |
tree | 13d8c00b7fc665020acce3cfb1f5ecf4d6e11d68 | |
parent | 1826e9b1bd9139850954acb9c2e0fb230ba94e0d (diff) | |
download | linux-df4989954abc5ae160865bec79b0f099086decce.tar.bz2 |
usb: gadget: gadgetfs: potential use after free in unbind()
ffs_data_put() can sometimes free "ffs" so I have moved the call down
a line below the dereference.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
-rw-r--r-- | drivers/usb/gadget/f_fs.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/usb/gadget/f_fs.c b/drivers/usb/gadget/f_fs.c index f394f295d63d..1a66c5baa0d1 100644 --- a/drivers/usb/gadget/f_fs.c +++ b/drivers/usb/gadget/f_fs.c @@ -1417,8 +1417,8 @@ static void functionfs_unbind(struct ffs_data *ffs) usb_ep_free_request(ffs->gadget->ep0, ffs->ep0req); ffs->ep0req = NULL; ffs->gadget = NULL; - ffs_data_put(ffs); clear_bit(FFS_FL_BOUND, &ffs->flags); + ffs_data_put(ffs); } } |