From: EJ Hsu <ejh@xxxxxxxxxx>
For the dual-role port, it will assign the phy dev to usb-phy dev and
use the port dev driver as the dev driver of usb-phy.
When we try to destroy the port dev, it will destroy its dev driver
as well. But we did not remove the reference from usb-phy dev. This
might cause the use-after-free issue in KASAN.
Fixes: e8f7d2f409a1 ("phy: tegra: xusb: Add usb-phy support")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: EJ Hsu <ejh@xxxxxxxxxx>
Signed-off-by: Haotien Hsu <haotienh@xxxxxxxxxx>
---
drivers/phy/tegra/xusb.c | 15 ++++++++-------
1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/drivers/phy/tegra/xusb.c b/drivers/phy/tegra/xusb.c
index 78045bd6c214..515298a9a433 100644
--- a/drivers/phy/tegra/xusb.c
+++ b/drivers/phy/tegra/xusb.c
@@ -563,13 +563,6 @@ static int tegra_xusb_port_init(struct tegra_xusb_port *port,
static void tegra_xusb_port_unregister(struct tegra_xusb_port *port)
{
- if (!IS_ERR_OR_NULL(port->usb_role_sw)) {
- of_platform_depopulate(&port->dev);
- usb_role_switch_unregister(port->usb_role_sw);
- cancel_work_sync(&port->usb_phy_work);
- usb_remove_phy(&port->usb_phy);
- }
-
if (port->ops->remove)
port->ops->remove(port);
@@ -832,6 +825,14 @@ void tegra_xusb_usb2_port_remove(struct tegra_xusb_port *port)
{
struct tegra_xusb_usb2_port *usb2 = to_usb2_port(port);
+ if (!IS_ERR_OR_NULL(port->usb_role_sw)) {
+ of_platform_depopulate(&port->dev);
+ usb_role_switch_unregister(port->usb_role_sw);
+ cancel_work_sync(&port->usb_phy_work);
+ usb_remove_phy(&port->usb_phy);
+ port->usb_phy.dev->driver = NULL;
+ }
+
regulator_put(usb2->supply);
}
--
2.25.1
