usb: dwc2: Fix use after free in debug code

We're not allowed to dereference "urb" after calling
usb_hcd_giveback_urb() so save the urb->status ahead of time.

Fixes: 7359d482eb4d ("staging: HCD files for the DWC2 driver")
Cc: stable <stable@kernel.org>
Signed-off-by: Dan Carpenter <error27@gmail.com>
Link: https://patch.msgid.link/ag1NwBpqT4IEQcdJ@stanley.mountain
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/usb/dwc2/hcd.c b/drivers/usb/dwc2/hcd.c
index 1a763ad4f7215b9e55aaca054c7e42f025b59c72..2414291aa9087d87d409dddd20588e6170e381bc 100644 (file)
--- a/drivers/usb/dwc2/hcd.c
+++ b/drivers/usb/dwc2/hcd.c
@@ -4804,6 +4804,7 @@ static int _dwc2_hcd_urb_dequeue(struct usb_hcd *hcd, struct urb *urb,
        struct dwc2_hsotg *hsotg = dwc2_hcd_to_hsotg(hcd);
        int rc;
        unsigned long flags;
+       int urb_status;
 
        dev_dbg(hsotg->dev, "DWC OTG HCD URB Dequeue\n");
        dwc2_dump_urb_info(hcd, urb, "urb_dequeue");
@@ -4828,11 +4829,12 @@ static int _dwc2_hcd_urb_dequeue(struct usb_hcd *hcd, struct urb *urb,
 
        /* Higher layer software sets URB status */
        spin_unlock(&hsotg->lock);
+       urb_status = urb->status;
        usb_hcd_giveback_urb(hcd, urb, status);
        spin_lock(&hsotg->lock);
 
        dev_dbg(hsotg->dev, "Called usb_hcd_giveback_urb()\n");
-       dev_dbg(hsotg->dev, "  urb->status = %d\n", urb->status);
+       dev_dbg(hsotg->dev, "  urb->status = %d\n", urb_status);
 out:
        spin_unlock_irqrestore(&hsotg->lock, flags);