USB: chipidea: fix use after free bug

commit 98c35534420d3147553bd3071a5fc63cd56de5b1 upstream.

The pointer to a platform_device struct must not be dereferenced after
the device has been unregistered.

This bug produces a crash when unloading the ci13xxx kernel module
compiled with CONFIG_PAGE_POISONING enabled.

Signed-off-by: Lothar Waßmann <LW@KARO-electronics.de>
Acked-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/usb/chipidea/core.c b/drivers/usb/chipidea/core.c
index f69d029b460716c7fdb233a7da34c9c2bb5ea8aa..b726c49f96196002a55bf76d7ff02eb3d32be2a0 100644 (file)
--- a/drivers/usb/chipidea/core.c
+++ b/drivers/usb/chipidea/core.c
@@ -385,8 +385,9 @@ EXPORT_SYMBOL_GPL(ci13xxx_add_device);
 
 void ci13xxx_remove_device(struct platform_device *pdev)
 {
+       int id = pdev->id;
        platform_device_unregister(pdev);
-       ida_simple_remove(&ci_ida, pdev->id);
+       ida_simple_remove(&ci_ida, id);
 }
 EXPORT_SYMBOL_GPL(ci13xxx_remove_device);