github-mirror/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux.git synced 2026-06-07 14:04:54 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity Graph

ANDROID: usb: f_accessory: Cancel any pending work before teardown

Browse Source 
Tearing down and freeing the 'acc_dev' structure when there is
potentially asynchronous work queued involving its member fields is
likely to lead to use-after-free issues.

Cancel any pending work before freeing the structure.

Bug: 173789633
Signed-off-by: Will Deacon <willdeacon@google.com>
Change-Id: I68a91274aea18034637b738d558d043ac74fadf4
Signed-off-by: Giuliano Procida <gprocida@google.com>
This commit is contained in:
Will Deacon 2020-12-15 17:11:11 +00:00 committed by Giuliano Procida
parent 24a78046c1
commit dafa07c7e5
1 changed files with 6 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
drivers/usb/gadget/function/f_accessory.c
View File

@ -302,6 +302,12 @@ static void __put_acc_dev(struct kref *kref)
struct acc_dev_ref *ref = container_of(kref, struct acc_dev_ref, kref);
struct acc_dev *dev = ref->acc_dev;
/* Cancel any async work */
cancel_delayed_work_sync(&dev->start_work);
cancel_work_sync(&dev->getprotocol_work);
cancel_work_sync(&dev->sendstring_work);
cancel_work_sync(&dev->hid_work);
ref->acc_dev = NULL;
kfree(dev);
}