diff options
| author | Dan Carpenter <dan.carpenter@oracle.com> | 2013-08-23 04:16:15 -0400 |
|---|---|---|
| committer | Felipe Balbi <balbi@ti.com> | 2013-08-27 16:03:32 -0400 |
| commit | df4989954abc5ae160865bec79b0f099086decce (patch) | |
| tree | 13d8c00b7fc665020acce3cfb1f5ecf4d6e11d68 /drivers/usb/gadget/f_fs.c | |
| parent | 1826e9b1bd9139850954acb9c2e0fb230ba94e0d (diff) | |
usb: gadget: gadgetfs: potential use after free in unbind()
ffs_data_put() can sometimes free "ffs" so I have moved the call down
a line below the dereference.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
Diffstat (limited to 'drivers/usb/gadget/f_fs.c')
| -rw-r--r-- | drivers/usb/gadget/f_fs.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/usb/gadget/f_fs.c b/drivers/usb/gadget/f_fs.c index f394f295d63d..1a66c5baa0d1 100644 --- a/drivers/usb/gadget/f_fs.c +++ b/drivers/usb/gadget/f_fs.c | |||
| @@ -1417,8 +1417,8 @@ static void functionfs_unbind(struct ffs_data *ffs) | |||
| 1417 | usb_ep_free_request(ffs->gadget->ep0, ffs->ep0req); | 1417 | usb_ep_free_request(ffs->gadget->ep0, ffs->ep0req); |
| 1418 | ffs->ep0req = NULL; | 1418 | ffs->ep0req = NULL; |
| 1419 | ffs->gadget = NULL; | 1419 | ffs->gadget = NULL; |
| 1420 | ffs_data_put(ffs); | ||
| 1421 | clear_bit(FFS_FL_BOUND, &ffs->flags); | 1420 | clear_bit(FFS_FL_BOUND, &ffs->flags); |
| 1421 | ffs_data_put(ffs); | ||
| 1422 | } | 1422 | } |
| 1423 | } | 1423 | } |
| 1424 | 1424 | ||