From a51e8551e298841f26ccf02193caf2b69da2434c Mon Sep 17 00:00:00 2001
From: Johan Hovold <johan@hovoldconsulting.com>
Date: Wed, 4 Nov 2015 18:55:12 +0100
Subject: [PATCH] greybus: es2: fix use-after-free at disconnect

The interface private data is released as part of host-device removal
and must not be accessed afterwards.

Signed-off-by: Johan Hovold <johan@hovoldconsulting.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
---
 drivers/staging/greybus/es2.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/staging/greybus/es2.c b/drivers/staging/greybus/es2.c
index 1e786a6..ebf41f7 100644
--- a/drivers/staging/greybus/es2.c
+++ b/drivers/staging/greybus/es2.c
@@ -510,6 +510,7 @@ static void ap_disconnect(struct usb_interface *interface)
 {
 	struct es2_ap_dev *es2;
 	struct usb_device *udev;
+	int *cport_to_ep;
 	int bulk_in;
 	int i;
 
@@ -548,9 +549,10 @@ static void ap_disconnect(struct usb_interface *interface)
 
 	usb_set_intfdata(interface, NULL);
 	udev = es2->usb_dev;
+	cport_to_ep = es2->cport_to_ep;
 	gb_hd_remove(es2->hd);
-	kfree(es2->cport_to_ep);
 
+	kfree(cport_to_ep);
 	usb_put_dev(udev);
 }
 
-- 
2.7.4