Commit c4537247 authored Dec 15, 2020 by Will Deacon Committed by Giuliano Procida Jan 05, 2021

ANDROID: usb: f_accessory: Cancel any pending work before teardown



Tearing down and freeing the 'acc_dev' structure when there is
potentially asynchronous work queued involving its member fields is
likely to lead to use-after-free issues.

Cancel any pending work before freeing the structure.

Bug: 173789633
Signed-off-by: Will Deacon <willdeacon@google.com>
Change-Id: I68a91274aea18034637b738d558d043ac74fadf4
Signed-off-by: Giuliano Procida <gprocida@google.com>

parent 0999bcc4

drivers/usb/gadget/function/f_accessory.c

+4 −0

Original line number	Original line	Diff line number	Diff line
	@@ -227,6 +227,10 @@ static void __put_acc_dev(struct kref *kref)
	struct acc_dev_ref *ref = container_of(kref, struct acc_dev_ref, kref);		struct acc_dev_ref *ref = container_of(kref, struct acc_dev_ref, kref);
	struct acc_dev *dev = ref->acc_dev;		struct acc_dev *dev = ref->acc_dev;

			/* Cancel any async work */
			cancel_delayed_work_sync(&dev->start_work);
			cancel_work_sync(&dev->hid_work);

	ref->acc_dev = NULL;		ref->acc_dev = NULL;
	kfree(dev);		kfree(dev);
	}		}