[patch] staging: frontier: use after free in disconnect()
Dan Carpenter
dan.carpenter at oracle.com
Mon Jul 22 06:57:49 UTC 2013
usb_alphatrack_delete() frees "dev" so we can't use it on that path.
Signed-off-by: Dan Carpenter <dan.carpenter at oracle.com>
diff --git a/drivers/staging/frontier/alphatrack.c b/drivers/staging/frontier/alphatrack.c
index 5590ebf..817f837 100644
--- a/drivers/staging/frontier/alphatrack.c
+++ b/drivers/staging/frontier/alphatrack.c
@@ -827,11 +827,11 @@ static void usb_alphatrack_disconnect(struct usb_interface *intf)
mutex_unlock(&dev->mtx);
usb_alphatrack_delete(dev);
} else {
+ atomic_set(&dev->writes_pending, 0);
dev->intf = NULL;
mutex_unlock(&dev->mtx);
}
- atomic_set(&dev->writes_pending, 0);
mutex_unlock(&disconnect_mutex);
dev_info(&intf->dev, "Alphatrack Surface #%d now disconnected\n",
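Review bot: the dev_info() call at the end of this hunk is cut off before its %d argument, and that argument needs checking because it runs after usb_alphatrack_delete(dev) on the first branch. If it reads anything through dev, the same use after free remains there, so the value should come from a local saved before the free. The changelog could also say that atomic_set(&dev->writes_pending, 0) is only needed on the else branch, where dev survives the disconnect, which is why dropping it from the delete path is safe.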