shinys000114/linux
1
0
Fork 0
mirror of https://github.com/hardkernel/linux.git synced 2026-06-07 19:30:30 +09:00
Code Issues Packages Projects Releases Wiki Activity

ANDROID: usb: f_accessory: Cancel any pending work before teardown

Browse Source 
Tearing down and freeing the 'acc_dev' structure when there is
potentially asynchronous work queued involving its member fields is
likely to lead to use-after-free issues.

Cancel any pending work before freeing the structure.

Bug: 173789633
Signed-off-by: Will Deacon <willdeacon@google.com>
Change-Id: I68a91274aea18034637b738d558d043ac74fadf4
This commit is contained in:
Will Deacon
2020-12-15 17:11:11 +00:00
committed by Greg Kroah-Hartman
parent f4e1525cde
commit e7152730c9
1 changed files with 6 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
drivers/usb/gadget/function/f_accessory.c
View File

@@ -302,6 +302,12 @@ static void __put_acc_dev(struct kref *kref)
struct acc_dev_ref *ref = container_of(kref, struct acc_dev_ref, kref);
struct acc_dev *dev = ref->acc_dev;
/* Cancel any async work */
cancel_delayed_work_sync(&dev->start_work);
cancel_work_sync(&dev->getprotocol_work);
cancel_work_sync(&dev->sendstring_work);
cancel_work_sync(&dev->hid_work);
ref->acc_dev = NULL;
kfree(dev);
}