http://bugzilla.opensuse.org/show_bug.cgi?id=1210329 Bug ID: 1210329 Summary: use after free bug in da9150_charger_remove due to race condition Classification: openSUSE Product: openSUSE Distribution Version: Leap 16.0 Hardware: x86-64 OS: Linux Status: NEW Severity: Major Priority: P5 - None Component: Kernel Assignee: kernel-bugs@opensuse.org Reporter: hackerzheng666@gmail.com QA Contact: qa-bugs@suse.de Found By: --- Blocker: --- In da9150_charger_probe, &charger->otg_work is bound with da9150_charger_otg_work. da9150_charger_otg_ncb may be called to start the work. If we remove the module which will call da9150_charger_remove to make cleanup, there may be a unfinished work. The possible sequence is as follows: Fix it by canceling the work before cleanup in the da9150_charger_remove CPU0 CPUc1 |da9150_charger_otg_work da9150_charger_remove | power_supply_unregister | device_unregister | power_supply_dev_release | kfree(psy) | | | power_supply_changed(charger->usb); | //use There's no kernel log. Here is the patch link of [1] Linux-v6.3 and [2]patchwork [1] https://lore.kernel.org/all/CAHk-=whcaHLNpb7Mu_QX7ABwPgyRyfW-V8=v4Mv0S22fpjY... [2] https://lore.kernel.org/all/20230328142620.323334485@linuxfoundation.org/ -- You are receiving this mail because: You are the assignee for the bug.