USB: mdm_bridge: Fix a possible freed memory access
When tethered rmnet/dun interface probe is failed, the bridge channel
platform device is removed in error path. The gadget driver schedule
a work to open the bridge channel in probe. Cancel this work in remove
before closing the channel.
Cancel any pending work while closing the bridge. Otherwise there is
a possibility of rx work running in parallel with probe error path. If
this happens, rx work access already freed memory.
CRs-Fixed: 442119
Change-Id: I41adb997e7f13a7a5acac99762a2f3ce81ccb178
Signed-off-by: Pavankumar Kondeti <pkondeti@codeaurora.org>
diff --git a/drivers/usb/misc/mdm_data_bridge.c b/drivers/usb/misc/mdm_data_bridge.c
index 655e2f6..fcbf0e1 100644
--- a/drivers/usb/misc/mdm_data_bridge.c
+++ b/drivers/usb/misc/mdm_data_bridge.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 2011-2012, Code Aurora Forum. All rights reserved.
+/* Copyright (c) 2011-2013, Linux Foundation. All rights reserved.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 and
@@ -343,6 +343,9 @@
dev_dbg(&dev->intf->dev, "%s:\n", __func__);
+ cancel_work_sync(&dev->kevent);
+ cancel_work_sync(&dev->process_rx_w);
+
usb_unlink_anchored_urbs(&dev->tx_active);
usb_unlink_anchored_urbs(&dev->rx_active);
usb_unlink_anchored_urbs(&dev->delayed);
@@ -995,9 +998,6 @@
usb_set_intfdata(intf, NULL);
__dev[dev->id] = NULL;
- cancel_work_sync(&dev->process_rx_w);
- cancel_work_sync(&dev->kevent);
-
/*free rx urbs*/
head = &dev->rx_idle;
spin_lock_irqsave(&dev->rx_done.lock, flags);