This is a note to let you know that I've just added the patch titled

    power: supply: da9150: Fix use after free bug in da9150_charger_remove due to race condition

to the 5.10-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
    power-supply-da9150-fix-use-after-free-bug-in-da9150.patch
and it can be found in the queue-5.10 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.

commit ea0795085e7de5174057f3b1b34720c228f22478
Author: Zheng Wang <zyytlz.wz@xxxxxxx>
Date:   Sun Mar 12 01:46:50 2023 +0800

    power: supply: da9150: Fix use after free bug in da9150_charger_remove due to race condition

    [ Upstream commit 06615d11cc78162dfd5116efb71f29eb29502d37 ]

    In da9150_charger_probe, &charger->otg_work is bound with
    da9150_charger_otg_work. da9150_charger_otg_ncb may be
    called to start the work.

    If we remove the module which will call da9150_charger_remove
    to make cleanup, there may be an unfinished work. The possible
    sequence is as follows:

    Fix it by canceling the work before cleanup in the da9150_charger_remove

    CPU0                        CPUc1

                                |da9150_charger_otg_work
    da9150_charger_remove       |
    power_supply_unregister     |
    device_unregister           |
    power_supply_dev_release    |
    kfree(psy)                  |
                                |
                                | power_supply_changed(charger->usb);
                                | //use

    Fixes: c1a281e34dae ("power: Add support for DA9150 Charger")
    Signed-off-by: Zheng Wang <zyytlz.wz@xxxxxxx>
    Signed-off-by: Sebastian Reichel <sebastian.reichel@xxxxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/power/supply/da9150-charger.c b/drivers/power/supply/da9150-charger.c index f9314cc0cd75f..6b987da586556 100644 --- a/drivers/power/supply/da9150-charger.c +++ b/drivers/power/supply/da9150-charger.c 
@@ -662,6 +662,7 @@ static int da9150_charger_remove(struct platform_device *pdev) if (!IS_ERR_OR_NULL(charger->usb_phy)) usb_unregister_notifier(charger->usb_phy, &charger->otg_nb); + cancel_work_sync(&charger->otg_work); power_supply_unregister(charger->battery); power_supply_unregister(charger->usb);
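
Review bot: The added cancel_work_sync(&charger->otg_work) in da9150_charger_remove has no comment recording why it must sit exactly here, and the fix depends on that position. It has to come after usb_unregister_notifier(), so that da9150_charger_otg_ncb can no longer queue the work again, and before power_supply_unregister(), which per the commit message ends in kfree(psy) while the work still calls power_supply_changed(charger->usb). A one-line comment above the call stating both constraints would keep a later reordering of the teardown from reopening the use-after-free. Separately, in the commit message the sentence "Fix it by canceling the work before cleanup" is placed between "The possible sequence is as follows:" and the CPU0/CPUc1 diagram; moving it below the diagram would make the description read in order.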