authorWill Deacon2020-12-15 11:11:11 -0600
committerGiuliano Procida2020-12-30 04:20:48 -0600
commitdafa07c7e5a5e34f2908dc4a2e4feee709beabc9 (patch)
treeed21ee8c08fb8ca52b5d514c1e1196f22147e361
parent24a78046c104ab573a32504635d55abc494c8d65 (diff)
ANDROID: usb: f_accessory: Cancel any pending work before teardown
Tearing down and freeing the 'acc_dev' structure when there is potentially asynchronous work queued involving its member fields is likely to lead to use-after-free issues. Cancel any pending work before freeing the structure. Bug: 173789633 Signed-off-by: Will Deacon <willdeacon@google.com> Change-Id: I68a91274aea18034637b738d558d043ac74fadf4 Signed-off-by: Giuliano Procida <gprocida@google.com>
-rw-r--r--drivers/usb/gadget/function/f_accessory.c6
1 files changed, 6 insertions, 0 deletions
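diff --git a/drivers/usb/gadget/function/f_accessory.c b/drivers/usb/gadget/function/f_accessory.c
index 0cae99243080..8cafecce5243 100644
--- a/drivers/usb/gadget/function/f_accessory.c
+++ b/drivers/usb/gadget/function/f_accessory.c
@@ -302,6 +302,12 @@ static void __put_acc_dev(struct kref *kref)
  struct acc_dev_ref *ref = container_of(kref, struct acc_dev_ref, kref);
  struct acc_dev *dev = ref->acc_dev;
 
+ /* Cancel any async work */
+ cancel_delayed_work_sync(&dev->start_work);
+ cancel_work_sync(&dev->getprotocol_work);
+ cancel_work_sync(&dev->sendstring_work);
+ cancel_work_sync(&dev->hid_work);
+
  ref->acc_dev = NULL;
  kfree(dev);
 }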
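Review bot: The four `cancel_*_sync()` calls added to `__put_acc_dev()` can sleep and wait for a running handler to finish, so this kref release callback now has a context requirement that the code does not state or enforce. If the final reference can be dropped from atomic context (for example a request completion path), or from inside one of `start_work`, `getprotocol_work`, `sendstring_work` or `hid_work`, the release would sleep where it must not or wait on itself. The callers and the work handlers are outside this hunk, so this needs checking against them. I would add `might_sleep();` at the top of the function and extend the comment to something like `/* Cancel any async work; may sleep, so the final put must come from process context and never from one of these work items */`. The function's opening line is only visible in the hunk header.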