diff mbox series

power: supply: bq24190: Fix use after free bug in bq24190_remove due to race condition

Message ID 20230309174728.233732-1-zyytlz.wz@163.com (mailing list archive)
State Handled Elsewhere, archived
Headers show
Series power: supply: bq24190: Fix use after free bug in bq24190_remove due to race condition | expand

Commit Message

Zheng Wang March 9, 2023, 5:47 p.m. UTC 
In bq24190_probe, &bdi->input_current_limit_work is bound
with bq24190_input_current_limit_work. When external power
changed, it will call bq24190_charger_external_power_changed
 to start the work.

If we remove the module which will call bq24190_remove to make
cleanup, there may be a unfinished work. The possible
sequence is as follows:

CPU0                  CPUc1

                    |bq24190_input_current_limit_work
bq24190_remove      |
power_supply_unregister  |
device_unregister   |
power_supply_dev_release|
kfree(psy)          |
                    |
                    | power_supply_get_property_from_supplier
                    |   //use

Fix it by finishing the work before cleanup in the bq24190_remove

Fixes: 97774672573a ("power_supply: Initialize changed_work before calling device_add")
Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
---
 drivers/power/supply/bq24190_charger.c | 1 +
 1 file changed, 1 insertion(+)

Comments

Sebastian Reichel March 9, 2023, 11:40 p.m. UTC | #1 
Hi,

On Fri, Mar 10, 2023 at 01:47:28AM +0800, Zheng Wang wrote:
> In bq24190_probe, &bdi->input_current_limit_work is bound
> with bq24190_input_current_limit_work. When external power
> changed, it will call bq24190_charger_external_power_changed
>  to start the work.
> 
> If we remove the module which will call bq24190_remove to make
> cleanup, there may be a unfinished work. The possible
> sequence is as follows:
> 
> CPU0                  CPUc1
> 
>                     |bq24190_input_current_limit_work
> bq24190_remove      |
> power_supply_unregister  |
> device_unregister   |
> power_supply_dev_release|
> kfree(psy)          |
>                     |
>                     | power_supply_get_property_from_supplier
>                     |   //use
> 
> Fix it by finishing the work before cleanup in the bq24190_remove
> 
> Fixes: 97774672573a ("power_supply: Initialize changed_work before calling device_add")
> Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
> ---

Thanks, queued to fixes branch.

-- Sebastian

>  drivers/power/supply/bq24190_charger.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/drivers/power/supply/bq24190_charger.c b/drivers/power/supply/bq24190_charger.c
> index be34b9848450..de67b985f0a9 100644
> --- a/drivers/power/supply/bq24190_charger.c
> +++ b/drivers/power/supply/bq24190_charger.c
> @@ -1906,6 +1906,7 @@ static void bq24190_remove(struct i2c_client *client)
>  	struct bq24190_dev_info *bdi = i2c_get_clientdata(client);
>  	int error;
>  
> +	cancel_delayed_work_sync(&bdi->input_current_limit_work);
>  	error = pm_runtime_resume_and_get(bdi->dev);
>  	if (error < 0)
>  		dev_warn(bdi->dev, "pm_runtime_get failed: %i\n", error);
> -- 
> 2.25.1
>
Zheng Hacker March 10, 2023, 4:24 p.m. UTC | #2 
Sebastian Reichel <sebastian.reichel@collabora.com> 于2023年3月10日周五 07:39写道:
>
> Hi,
>
> On Fri, Mar 10, 2023 at 02:10:36AM +0800, Zheng Wang wrote:
> > In da9150_charger_probe, &charger->otg_work is bound with
> > da9150_charger_otg_work. da9150_charger_otg_ncb may be
> > called to start the work.
> >
> > If we remove the module which will call da9150_charger_remove
> >  to make cleanup, there may be a unfinished work. The possible
> >   sequence is as follows:
> >
> > Fix it by canceling the work before cleanup in the mtk_jpeg_remove
>
> mtk_jpeg_remove?

Sorry that's mistake. I will correct it in the next version of patch.

>
> >
> > CPU0                  CPUc1
> >
> >                     |da9150_charger_otg_work
> > da9150_charger_remove      |
> > power_supply_unregister  |
> > device_unregister   |
> > power_supply_dev_release|
> > kfree(psy)          |
> >                     |
> >                     |         power_supply_changed(charger->usb);
> >                     |   //use
> > Fixes: c1a281e34dae ("power: Add support for DA9150 Charger")
> > Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
> > ---
>
> Looks correct to me, but the cancel_work_sync should happen after
> usb_unregister_notifier(), otherwise there is still a race
> condition.

Yes, I agree that. Thanks for pointing that out. Will do in the next path.

Best regards,
Zheng

>
> >  drivers/power/supply/da9150-charger.c | 1 +
> >  1 file changed, 1 insertion(+)
> >
> > diff --git a/drivers/power/supply/da9150-charger.c b/drivers/power/supply/da9150-charger.c
> > index 14da5c595dd9..41b68f2f6ed8 100644
> > --- a/drivers/power/supply/da9150-charger.c
> > +++ b/drivers/power/supply/da9150-charger.c
> > @@ -642,6 +642,7 @@ static int da9150_charger_remove(struct platform_device *pdev)
> >       struct da9150_charger *charger = platform_get_drvdata(pdev);
> >       int irq;
> >
> > +     cancel_work_sync(&charger->otg_work);
> >       /* Make sure IRQs are released before unregistering power supplies */
> >       irq = platform_get_irq_byname(pdev, "CHG_VBUS");
> >       free_irq(irq, charger);
> > --
> > 2.25.1
> >
Zheng Hacker March 10, 2023, 4:25 p.m. UTC | #3 
Sebastian Reichel <sebastian.reichel@collabora.com> 于2023年3月10日周五 07:40写道:
>
> Hi,
>
> On Fri, Mar 10, 2023 at 01:47:28AM +0800, Zheng Wang wrote:
> > In bq24190_probe, &bdi->input_current_limit_work is bound
> > with bq24190_input_current_limit_work. When external power
> > changed, it will call bq24190_charger_external_power_changed
> >  to start the work.
> >
> > If we remove the module which will call bq24190_remove to make
> > cleanup, there may be a unfinished work. The possible
> > sequence is as follows:
> >
> > CPU0                  CPUc1
> >
> >                     |bq24190_input_current_limit_work
> > bq24190_remove      |
> > power_supply_unregister  |
> > device_unregister   |
> > power_supply_dev_release|
> > kfree(psy)          |
> >                     |
> >                     | power_supply_get_property_from_supplier
> >                     |   //use
> >
> > Fix it by finishing the work before cleanup in the bq24190_remove
> >
> > Fixes: 97774672573a ("power_supply: Initialize changed_work before calling device_add")
> > Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
> > ---
>
> Thanks, queued to fixes branch.
>
Very glad to hear that. Thanks  for your effort.

Best regards,
Zheng

>
> >  drivers/power/supply/bq24190_charger.c | 1 +
> >  1 file changed, 1 insertion(+)
> >
> > diff --git a/drivers/power/supply/bq24190_charger.c b/drivers/power/supply/bq24190_charger.c
> > index be34b9848450..de67b985f0a9 100644
> > --- a/drivers/power/supply/bq24190_charger.c
> > +++ b/drivers/power/supply/bq24190_charger.c
> > @@ -1906,6 +1906,7 @@ static void bq24190_remove(struct i2c_client *client)
> >       struct bq24190_dev_info *bdi = i2c_get_clientdata(client);
> >       int error;
> >
> > +     cancel_delayed_work_sync(&bdi->input_current_limit_work);
> >       error = pm_runtime_resume_and_get(bdi->dev);
> >       if (error < 0)
> >               dev_warn(bdi->dev, "pm_runtime_get failed: %i\n", error);
> > --
> > 2.25.1
> >
diff mbox series

Patch

diff --git a/drivers/power/supply/bq24190_charger.c b/drivers/power/supply/bq24190_charger.c
index be34b9848450..de67b985f0a9 100644
--- a/drivers/power/supply/bq24190_charger.c
+++ b/drivers/power/supply/bq24190_charger.c
@@ -1906,6 +1906,7 @@  static void bq24190_remove(struct i2c_client *client)
 	struct bq24190_dev_info *bdi = i2c_get_clientdata(client);
 	int error;
 
+	cancel_delayed_work_sync(&bdi->input_current_limit_work);
 	error = pm_runtime_resume_and_get(bdi->dev);
 	if (error < 0)
 		dev_warn(bdi->dev, "pm_runtime_get failed: %i\n", error);