CHROMIUM: gobi: fix a crash due to use-after-free of the qcusbnet object

usbnet_disconnect() calls qcnet_unbind(), which accesses the qcusbnet
object. This patch makes sure that the qcusbnet object is freed after
usbnet_disconnect() is called.

BUG=chrome-os-partner:14889
TEST=Tested the following:
1. emerge-lumpy chromeos-kernel
2. Turn on full SLUB debugging and run suspend_stress_test on a system
   with a Gobi 3000 modem.

Change-Id: I3172565bc0df0c3a283d239424d59b58ae1c262f
Signed-off-by: Ben Chan <benchan@chromium.org>
Reviewed-on: https://gerrit.chromium.org/gerrit/36177
Reviewed-by: Olof Johansson <olofj@chromium.org>

diff --git a/drivers/net/usb/gobi/qcusbnet.c b/drivers/net/usb/gobi/qcusbnet.c
index bb9ac01..cf4e4ad 100644 (file)
--- a/drivers/net/usb/gobi/qcusbnet.c
+++ b/drivers/net/usb/gobi/qcusbnet.c
@@ -725,8 +725,8 @@ static void qcnet_disconnect(struct usb_interface *intf)
                list_del(&urb->urb_list);
                free_urb_with_skb(urb);
        }
-       qcusbnet_put(dev);
        usbnet_disconnect(intf);
+       qcusbnet_put(dev);
 }
 
 static struct usb_driver qcusbnet = {