usb: gadget: gadgetfs: potential use after free in unbind()

ffs_data_put() can sometimes free "ffs" so I have moved the call down a line below the dereference. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Felipe Balbi <balbi@ti.com>

usb: gadget: gadgetfs: potential use after free in unbind()
ffs_data_put() can sometimes free "ffs" so I have moved the call down a line below the dereference. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Felipe Balbi <balbi@ti.com>
Dan Carpenter · Felipe Balbi
1 parent 1826e9b1bd
Showing 1 changed file with 1 additions and 1 deletions Side-by-side Diff
drivers/usb/gadget/f_fs.c
@@ -1417,8 +1417,8 @@
 		usb_ep_free_request(ffs->gadget->ep0, ffs->ep0req);
 		ffs->ep0req = NULL;
 		ffs->gadget = NULL;
-		ffs_data_put(ffs);
 		clear_bit(FFS_FL_BOUND, &ffs->flags);
+		ffs_data_put(ffs);
 	}
 }
...	...	@@ -1417,8 +1417,8 @@
1417	1417	usb_ep_free_request(ffs->gadget->ep0, ffs->ep0req);
1418	1418	ffs->ep0req = NULL;
1419	1419	ffs->gadget = NULL;
1420		- ffs_data_put(ffs);
1421	1420	clear_bit(FFS_FL_BOUND, &ffs->flags);
	1421	+ ffs_data_put(ffs);
1422	1422	}
1423	1423	}
1424	1424