functionfs: need to cancel ->reset_work in ->kill_sb() ... otherwise we just might free ffs with ffs->reset_work still on queue. That needs to be done after ffs_data_reset() - that's the cutoff point for configfs accesses (serialized on gadget_info->lock), which is where the schedule_work() would come from. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

commit: ccc0e8d808b489320a88f4898dd66aad6ef4914d [log] [tgz]
author: Al Viro <viro@zeniv.linux.org.uk> Mon Nov 17 16:49:59 2025 -0500
committer: Al Viro <viro@zeniv.linux.org.uk> Mon Nov 17 17:07:02 2025 -0500
tree: 3fa7c605a37fd42467172472c2f2d80f1f401262
parent: 0e5185a02b268acf755c51341f1b07a175b1ad75 [diff]
diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c
index 0bcff49..27860fc 100644
--- a/drivers/usb/gadget/function/f_fs.c
+++ b/drivers/usb/gadget/function/f_fs.c

@@ -2081,6 +2081,9 @@ ffs_fs_kill_sb(struct super_block *sb)
 		struct ffs_data *ffs = sb->s_fs_info;
 		ffs->state = FFS_CLOSING;
 		ffs_data_reset(ffs);
+		// no configfs accesses from that point on,
+		// so no further schedule_work() is possible
+		cancel_work_sync(&ffs->reset_work);
 		ffs_data_put(ffs);
 	}
 }
commit	ccc0e8d808b489320a88f4898dd66aad6ef4914d	[log] [tgz]
author	Al Viro <viro@zeniv.linux.org.uk>	Mon Nov 17 16:49:59 2025 -0500
committer	Al Viro <viro@zeniv.linux.org.uk>	Mon Nov 17 17:07:02 2025 -0500
tree	3fa7c605a37fd42467172472c2f2d80f1f401262
parent	0e5185a02b268acf755c51341f1b07a175b1ad75 [diff]