From patchwork Wed May 12 06:57:56 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Zou Wei X-Patchwork-Id: 12252897 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-17.4 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER, INCLUDES_PATCH,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 98D68C433B4 for ; Wed, 12 May 2021 06:43:04 +0000 (UTC) Received: from desiato.infradead.org (desiato.infradead.org [90.155.92.199]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 5A99E616ED for ; Wed, 12 May 2021 06:43:04 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 5A99E616ED Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=huawei.com Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=desiato.20200630; h=Sender:Content-Transfer-Encoding :Content-Type:List-Subscribe:List-Help:List-Post:List-Archive: List-Unsubscribe:List-Id:MIME-Version:Message-ID:Date:Subject:CC:To:From: Reply-To:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender :Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Owner; bh=7uJND+z9s6cCAm55J49WdySpzx/swgaDl5Tq3JjaqrY=; b=CwnuBP9du2yTOig/uuZ6ARH5CE euzxIL+/63gLKauUNtvI4/20MHk7hvSAaioEnOkIS77sdWJaqS3Wcna2wzkX4tr1IL17ToZIx/Te/ NWv3bAUhGNWtS1vPTsO/mO6huLOIP9V7GFGoJgvx7dESz8LKuVrxqGeeKp+CGNjqneq1B9W+i3ryS j9+yocOorN+mxVspEJuzZPAD9h58ekbHE2nyfBeAAdXEejGsX1zJNSNKVodFuX+3ywUo9wjtDOJnI 4fLucNeImTikIY7yTopHZEPdgyGTij9K5mhaZMubMeFCewwEHE6JLcYhjaH8z5IrFGc0F1I0MAtRr o5bwUnUw==; Received: from localhost ([::1] helo=desiato.infradead.org) by desiato.infradead.org with esmtp (Exim 4.94 #2 (Red Hat Linux)) id 1lgiYN-002AlY-IB; Wed, 12 May 2021 06:41:07 +0000 Received: from bombadil.infradead.org ([2607:7c80:54:e::133]) by desiato.infradead.org with esmtps (Exim 4.94 #2 (Red Hat Linux)) id 1lgiYL-002AlO-1c for linux-arm-kernel@desiato.infradead.org; Wed, 12 May 2021 06:41:05 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=infradead.org; s=bombadil.20210309; h=Content-Type:MIME-Version:Message-ID: Date:Subject:CC:To:From:Sender:Reply-To:Content-Transfer-Encoding:Content-ID: Content-Description:In-Reply-To:References; bh=c/YSaG3Y7xw6avJxC4u7c5HPwata7hjDMFCN6vxS+oA=; b=OUOKxJ01NGuwd3BIAw8QqZ2SkH /Fu2bfZiqu3t7lbihFtLOlUA1q791CeNoi4dI+gX3HVoAGlKrdiv/y6OO53oIvOR35gmGza8w+f8T AJE7FPGUPAO7GPKXbLFCFyxeRxYhmrzV37CICC3DMHwLMB1JHvEPssxl8diWE9NPIUhcbGUhiganV w37yH3kwoDZTjnbGzCxz5oNuqyU4Czk7iO4Gtae1CgIVf6pnDLFweFq6dleZKyzZDoj+hnPFMqa30 NnEYAgIq59TdaKZ1shc5/mit3XpLUZgN3VxcKmGcli61AL32hzlhllYUtVQmujZt3GmkqWCCPk7lA GrAhK1kw==; Received: from szxga03-in.huawei.com ([45.249.212.189]) by bombadil.infradead.org with esmtps (Exim 4.94 #2 (Red Hat Linux)) id 1lgiYH-00A9dE-W1 for linux-arm-kernel@lists.infradead.org; Wed, 12 May 2021 06:41:03 +0000 Received: from dggeml709-chm.china.huawei.com (unknown [172.30.72.56]) by szxga03-in.huawei.com (SkyGuard) with ESMTP id 4Fg4pj3r2vz5tTn; Wed, 12 May 2021 14:37:33 +0800 (CST) Received: from dggemi762-chm.china.huawei.com (10.1.198.148) by dggeml709-chm.china.huawei.com (10.3.17.139) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.2176.2; Wed, 12 May 2021 14:40:55 +0800 Received: from linux-lmwb.huawei.com (10.175.103.112) by dggemi762-chm.china.huawei.com (10.1.198.148) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.2176.2; Wed, 12 May 2021 14:40:54 +0800 From: Zou Wei To: , , CC: , , , Zou Wei Subject: [PATCH -next] watchdog: Fix possible use-after-free by calling del_timer_sync() Date: Wed, 12 May 2021 14:57:56 +0800 Message-ID: <1620802676-19701-1-git-send-email-zou_wei@huawei.com> X-Mailer: git-send-email 2.6.2 MIME-Version: 1.0 X-Originating-IP: [10.175.103.112] X-ClientProxiedBy: dggems704-chm.china.huawei.com (10.3.19.181) To dggemi762-chm.china.huawei.com (10.1.198.148) X-CFilter-Loop: Reflected X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20210511_234102_217131_C32EA5BF X-CRM114-Status: GOOD ( 12.70 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org This driver's remove path calls del_timer(). However, that function does not wait until the timer handler finishes. This means that the timer handler may still be running after the driver's remove function has finished, which would result in a use-after-free. Fix by calling del_timer_sync(), which makes sure the timer handler has finished, and unable to re-schedule itself. Reported-by: Hulk Robot Signed-off-by: Zou Wei Reviewed-by: Guenter Roeck Acked-by: Vladimir Zapolskiy --- drivers/watchdog/lpc18xx_wdt.c | 2 +- drivers/watchdog/w83877f_wdt.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/watchdog/lpc18xx_wdt.c b/drivers/watchdog/lpc18xx_wdt.c index 78cf11c..60b6d74 100644 --- a/drivers/watchdog/lpc18xx_wdt.c +++ b/drivers/watchdog/lpc18xx_wdt.c @@ -292,7 +292,7 @@ static int lpc18xx_wdt_remove(struct platform_device *pdev) struct lpc18xx_wdt_dev *lpc18xx_wdt = platform_get_drvdata(pdev); dev_warn(&pdev->dev, "I quit now, hardware will probably reboot!\n"); - del_timer(&lpc18xx_wdt->timer); + del_timer_sync(&lpc18xx_wdt->timer); return 0; } diff --git a/drivers/watchdog/w83877f_wdt.c b/drivers/watchdog/w83877f_wdt.c index 5772cc5..f265086 100644 --- a/drivers/watchdog/w83877f_wdt.c +++ b/drivers/watchdog/w83877f_wdt.c @@ -166,7 +166,7 @@ static void wdt_startup(void) static void wdt_turnoff(void) { /* Stop the timer */ - del_timer(&timer); + del_timer_sync(&timer); wdt_change(WDT_DISABLE);