USB: diag_bridge: Fix a possible freed memory access
The platform device is freed in disconnect. Don't access pdev
in diag_bridge_delete() which gets called after disconnect. Store
pdev->id in the corresponding driver's private structure.
CRs-Fixed: 470151
Change-Id: I2d97b508f227d6ccc3a87e03481293fa1054bbbc
Signed-off-by: Pavankumar Kondeti <pkondeti@codeaurora.org>
diff --git a/drivers/usb/misc/diag_bridge.c b/drivers/usb/misc/diag_bridge.c
index b65cc40..b200903 100644
--- a/drivers/usb/misc/diag_bridge.c
+++ b/drivers/usb/misc/diag_bridge.c
@@ -44,6 +44,7 @@
struct mutex ifc_mutex;
struct diag_bridge_ops *ops;
struct platform_device *pdev;
+ int id;
/* debugging counters */
unsigned long bytes_to_host;
@@ -85,7 +86,7 @@
static void diag_bridge_delete(struct kref *kref)
{
struct diag_bridge *dev = container_of(kref, struct diag_bridge, kref);
- int id = dev->pdev->id;
+ int id = dev->id;
usb_put_dev(dev->udev);
__dev[id] = 0;
@@ -459,6 +460,7 @@
return -ENOMEM;
}
__dev[devid] = dev;
+ dev->id = devid;
dev->udev = usb_get_dev(interface_to_usbdev(ifc));
dev->ifc = ifc;