[PATCH] misc: hisi_hikey_usb: Fix use after free bug in hisi_hikey_usb_remove due to race condition
From: Zheng Wang
Date: Sun Mar 12 2023 - 10:53:41 EST
In hisi_hikey_usb_probe, it called hisi_hikey_usb_of_role_switch
and bound &hisi_hikey_usb->work with relay_set_role_switch.
When it calls hub_usb_role_switch_set, it will finally call
schedule_work to start the work.
When we call hisi_hikey_usb_remove to remove the driver, there
may be a sequence as follows:
Fix it by finishing the work before cleanup in hisi_hikey_usb_remove.
CPU0 CPU1
|relay_set_role_switch
hisi_hikey_usb_remove|
usb_role_switch_put|
usb_role_switch_release |
kfree(sw) |
| usb_role_switch_set_role
| //use
Fixes: 7a6ff4c4cbc3 ("misc: hisi_hikey_usb: Driver to support onboard USB gpio hub on Hikey960")
Signed-off-by: Zheng Wang <zyytlz.wz@xxxxxxx>
---
drivers/misc/hisi_hikey_usb.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/misc/hisi_hikey_usb.c b/drivers/misc/hisi_hikey_usb.c
index 2165ec35a343..26fc895c4418 100644
--- a/drivers/misc/hisi_hikey_usb.c
+++ b/drivers/misc/hisi_hikey_usb.c
@@ -242,6 +242,7 @@ static int hisi_hikey_usb_probe(struct platform_device *pdev)
static int hisi_hikey_usb_remove(struct platform_device *pdev)
{
struct hisi_hikey_usb *hisi_hikey_usb = platform_get_drvdata(pdev);
+ cancel_work_sync(&hisi_hikey_usb->work);
if (hisi_hikey_usb->hub_role_sw) {
usb_role_switch_unregister(hisi_hikey_usb->hub_role_sw);
--
2.25.1