From: Johan Hovold <johan@hovoldconsulting.com>
Date: Wed, 4 Nov 2015 17:55:12 +0000 (+0100)
Subject: greybus: es2: fix use-after-free at disconnect
X-Git-Tag: v4.14-rc1~2366^2~378^2~21^2~1063
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=a51e8551e298841f26ccf02193caf2b69da2434c;p=platform%2Fkernel%2Flinux-rpi.git

greybus: es2: fix use-after-free at disconnect

The interface private data is released as part of host-device removal
and must not be accessed afterwards.

Signed-off-by: Johan Hovold <johan@hovoldconsulting.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
---

diff --git a/drivers/staging/greybus/es2.c b/drivers/staging/greybus/es2.c
index 1e786a6..ebf41f7 100644
--- a/drivers/staging/greybus/es2.c
+++ b/drivers/staging/greybus/es2.c
@@ -510,6 +510,7 @@ static void ap_disconnect(struct usb_interface *interface)
 {
 	struct es2_ap_dev *es2;
 	struct usb_device *udev;
+	int *cport_to_ep;
 	int bulk_in;
 	int i;
 
@@ -548,9 +549,10 @@ static void ap_disconnect(struct usb_interface *interface)
 
 	usb_set_intfdata(interface, NULL);
 	udev = es2->usb_dev;
+	cport_to_ep = es2->cport_to_ep;
 	gb_hd_remove(es2->hd);
-	kfree(es2->cport_to_ep);
 
+	kfree(cport_to_ep);
 	usb_put_dev(udev);
 }