From df4989954abc5ae160865bec79b0f099086decce Mon Sep 17 00:00:00 2001 From: Dan Carpenter Date: Fri, 23 Aug 2013 11:16:15 +0300 Subject: [PATCH] usb: gadget: gadgetfs: potential use after free in unbind() ffs_data_put() can sometimes free "ffs" so I have moved the call down a line below the dereference. Signed-off-by: Dan Carpenter Signed-off-by: Felipe Balbi --- drivers/usb/gadget/f_fs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/usb/gadget/f_fs.c b/drivers/usb/gadget/f_fs.c index f394f29..1a66c5b 100644 --- a/drivers/usb/gadget/f_fs.c +++ b/drivers/usb/gadget/f_fs.c @@ -1417,8 +1417,8 @@ static void functionfs_unbind(struct ffs_data *ffs) usb_ep_free_request(ffs->gadget->ep0, ffs->ep0req); ffs->ep0req = NULL; ffs->gadget = NULL; - ffs_data_put(ffs); clear_bit(FFS_FL_BOUND, &ffs->flags); + ffs_data_put(ffs); } } -- 2.7.4