diff mbox series

usb: renesas_usbhs: Fix use after free bug in usbhs_remove due to race condition

Message ID 20230310130230.1732896-1-zyytlz.wz@163.com
State Superseded
Headers show
Series usb: renesas_usbhs: Fix use after free bug in usbhs_remove due to race condition | expand

Commit Message

Zheng Wang March 10, 2023, 1:02 p.m. UTC 
In usbhs_probe, &priv->notify_hotplug_work is bound with
usbhsc_notify_hotplug. It will be started then.

If we remove the driver which will call usbhs_remove
  to make cleanup, there may be a unfinished work.

The possible sequence is as follows:

Fix it by finishing the work before cleanup in the usbhs_remove

CPU0                  CPU1

                    |usbhsc_notify_hotplug
usbhs_remove         |
usbhs_mod_remove     |
usbhs_mod_gadget_remove|
kfree(gpriv);       |
                    |usbhsc_hotplug
                    |usbhs_mod_call start
                    |usbhsg_start
                    |usbhsg_try_start
                    |//use gpriv
Fixes: bc57381e6347 ("usb: renesas_usbhs: use delayed_work instead of work_struct")
Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
---
 drivers/usb/renesas_usbhs/common.c | 1 +
 1 file changed, 1 insertion(+)
diff mbox series

Patch

diff --git a/drivers/usb/renesas_usbhs/common.c b/drivers/usb/renesas_usbhs/common.c
index 96f3939a65e2..17a0987ef4f5 100644
--- a/drivers/usb/renesas_usbhs/common.c
+++ b/drivers/usb/renesas_usbhs/common.c
@@ -768,6 +768,7 @@  static int usbhs_remove(struct platform_device *pdev)
 
 	dev_dbg(&pdev->dev, "usb remove\n");
 
+	cancel_delayed_work_sync(&priv->notify_hotplug_work);
 	/* power off */
 	if (!usbhs_get_dparam(priv, runtime_pwctrl))
 		usbhsc_power_ctrl(priv, 0);