ANDROID: usb: f_accessory: Cancel any pending work before teardown

Tearing down and freeing the 'acc_dev' structure when there is potentially asynchronous work queued involving its member fields is likely to lead to use-after-free issues. Cancel any pending work before freeing the structure. Bug: 173789633 Signed-off-by: Will Deacon <willdeacon@google.com> Change-Id: I68a91274aea18034637b738d558d043ac74fadf4 Signed-off-by: Giuliano Procida <gprocida@google.com>
author: Will Deacon <willdeacon@google.com> 2020-12-15 17:11:11 +0000
committer: Giuliano Procida <gprocida@google.com> 2021-01-05 15:58:52 +0000
commit: 73251a2c8ca2bc680a69c0e50446d17b7e1ba416 (patch)
tree: 573ecb6d39421dfcad1856bba9660cc388de6cb4
parent: b5b38b010efc2330816691b98bb6cb9ec7e80d68 (diff)
1 files changed, 4 insertions, 0 deletions
diff --git a/drivers/usb/gadget/function/f_accessory.c b/drivers/usb/gadget/function/f_accessory.c
index b48d75657012..eb544c26dbee 100644
--- a/drivers/usb/gadget/function/f_accessory.c
+++ b/drivers/usb/gadget/function/f_accessory.c
@@ -227,6 +227,10 @@ static void __put_acc_dev(struct kref *kref)
 	struct acc_dev_ref *ref = container_of(kref, struct acc_dev_ref, kref);
 	struct acc_dev *dev = ref->acc_dev;
 
+	/* Cancel any async work */
+	cancel_delayed_work_sync(&dev->start_work);
+	cancel_work_sync(&dev->hid_work);
+
 	ref->acc_dev = NULL;
 	kfree(dev);
 }
author	Will Deacon <willdeacon@google.com>	2020-12-15 17:11:11 +0000
committer	Giuliano Procida <gprocida@google.com>	2021-01-05 15:58:52 +0000
commit	73251a2c8ca2bc680a69c0e50446d17b7e1ba416 (patch)
tree	573ecb6d39421dfcad1856bba9660cc388de6cb4
parent	b5b38b010efc2330816691b98bb6cb9ec7e80d68 (diff)