Message ID | 20230413154351.619730-1-zyytlz.wz@163.com |
---|---|
State | New, archived |
Series | [v2] usb: renesas_usbhs: Fix use after free bug in usbhs_remove due to race condition |
diff --git a/drivers/usb/renesas_usbhs/common.c b/drivers/usb/renesas_usbhs/common.c index 96f3939a65e2..17a0987ef4f5 100644 --- a/drivers/usb/renesas_usbhs/common.c +++ b/drivers/usb/renesas_usbhs/common.c @@ -768,6 +768,7 @@ static int usbhs_remove(struct platform_device *pdev) dev_dbg(&pdev->dev, "usb remove\n"); + cancel_delayed_work_sync(&priv->notify_hotplug_work); /* power off */ if (!usbhs_get_dparam(priv, runtime_pwctrl)) usbhsc_power_ctrl(priv, 0);
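Review bot: cancel_delayed_work_sync() at the top of usbhs_remove() only waits for the currently queued instance of notify_hotplug_work; it does not stop a later re-queue, and the power-off path that follows (`if (!usbhs_get_dparam(priv, runtime_pwctrl))` / `usbhsc_power_ctrl(priv, 0);`) still runs with the device registered, so any path that can still schedule the work after this point would bring the race back. Either move the cancel after the sources that queue the work have been torn down, or add a one-line comment above `cancel_delayed_work_sync(&priv->notify_hotplug_work);` stating why no re-queue can happen here, so the ordering is not silently broken by a future change.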
In usbhs_probe, &priv->notify_hotplug_work is bound with usbhsc_notify_hotplug. It will be started then. If we remove the driver, which will call usbhs_remove to do cleanup, there may be an unfinished work. The possible sequence is as follows:

CPU0                        CPU1

                            | usbhsc_notify_hotplug
usbhs_remove                |
usbhs_mod_remove            |
usbhs_mod_gadget_remove     |
kfree(gpriv);               |
                            | usbhsc_hotplug
                            | usbhs_mod_call start
                            | usbhsg_start
                            | usbhsg_try_start
                            | //use gpriv

Fix it by finishing the work before cleanup in usbhs_remove.

Fixes: bc57381e6347 ("usb: renesas_usbhs: use delayed_work instead of work_struct")
Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
---
v2:
- beautify the format as Yoshihiro Shimoda suggested
---
 drivers/usb/renesas_usbhs/common.c | 1 +
 1 file changed, 1 insertion(+)