greybus: es2: fix use-after-free at disconnect

The interface private data is released as part of host-device removal
and must not be accessed afterwards.

Signed-off-by: Johan Hovold <johan@hovoldconsulting.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>

diff --git a/drivers/staging/greybus/es2.c b/drivers/staging/greybus/es2.c
index 1e786a6ef7d7a40b21eebcaa1eefecdba71d1042..ebf41f740ccc5e6da35f47cb26c7346591c9b9f0 100644 (file)
--- a/drivers/staging/greybus/es2.c
+++ b/drivers/staging/greybus/es2.c
@@ -510,6 +510,7 @@ static void ap_disconnect(struct usb_interface *interface)
 {
        struct es2_ap_dev *es2;
        struct usb_device *udev;
+       int *cport_to_ep;
        int bulk_in;
        int i;
 
@@ -548,9 +549,10 @@ static void ap_disconnect(struct usb_interface *interface)
 
        usb_set_intfdata(interface, NULL);
        udev = es2->usb_dev;
+       cport_to_ep = es2->cport_to_ep;
        gb_hd_remove(es2->hd);
-       kfree(es2->cport_to_ep);
 
+       kfree(cport_to_ep);
        usb_put_dev(udev);
 }