From patchwork Sun Mar 10 19:32:46 2019
X-Patchwork-Submitter: Sven Van Asbroeck
X-Patchwork-Id: 10846455
From: Sven Van Asbroeck X-Google-Original-From: Sven Van Asbroeck To: Peter Rosin , Jonathan Cameron Cc: Hartmut Knaack , Lars-Peter Clausen , Peter Meerwald-Stadler , linux-iio@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH] iio: envelope-detector: fix use-after-free on device remove Date: Sun, 10 Mar 2019 15:32:46 -0400 Message-Id: <20190310193246.31761-1-TheSven73@gmail.com> X-Mailer: git-send-email 2.17.1 Sender: linux-iio-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-iio@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP This driver's remove path never explicitly cancels the delayed work. So it is possible for the delayed work to run after the core has freed the private structure (struct envelope). This is a potential use-after-free. Fix by adding a devm_add_action callback to the remove path, called right after iio_device_unregister(), which explicitly cancels the delayed work. This issue was detected with the help of Coccinelle. Signed-off-by: Sven Van Asbroeck --- drivers/iio/adc/envelope-detector.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/drivers/iio/adc/envelope-detector.c b/drivers/iio/adc/envelope-detector.c index 2f2b563c1162..2f1c78b3ff44 100644 --- a/drivers/iio/adc/envelope-detector.c +++ b/drivers/iio/adc/envelope-detector.c @@ -321,6 +321,14 @@ static const struct iio_info envelope_detector_info = { .read_raw = &envelope_detector_read_raw, }; +static void envelope_detector_stop_work(void *data) +{ + struct iio_dev *indio_dev = data; + struct envelope *env = iio_priv(indio_dev); + + cancel_delayed_work_sync(&env->comp_timeout); +} + static int envelope_detector_probe(struct platform_device *pdev) { struct device *dev = &pdev->dev; @@ -395,6 +403,10 @@ static int envelope_detector_probe(struct platform_device *pdev) return ret; } + ret = devm_add_action(dev, envelope_detector_stop_work, indio_dev); + if (ret) + return ret; + return devm_iio_device_register(dev, indio_dev); }
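Review bot: envelope_detector_stop_work() in the first hunk relies on cancel_delayed_work_sync() leaving comp_timeout idle for good, but the visible lines do not show what queues that work, and the call only guarantees the work is neither pending nor running at the moment it returns. Please state in the commit message, or in a comment above the callback, why nothing can queue comp_timeout again once iio_device_unregister() has completed; if some other path can still arm it, that path needs to be quiesced before this callback runs.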
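Review bot: the devm_add_action() call added to envelope_detector_probe() is only correct because it sits before devm_iio_device_register(), and that ordering dependency is undocumented. devres runs release actions in reverse order of registration, so this placement is what makes the cancel run after the unregister, as the commit message describes; a one-line comment above the call would keep a later reshuffle of probe from moving it. Also consider devm_add_action_or_reset(), which folds the failure handling into the call, provided comp_timeout is already initialised at that point.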
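The teardown order the commit message relies on, as an added example that is not part of the original patch or the driver: a constructed userspace model of a devres release list, run newest-first, with the delayed work assumed still queued at remove time. All names (`model_dev`, `step_*`, `remove_hits_freed_priv`) are hypothetical, and the private structure is assumed to be freed by an earlier devres entry.

```c
#include <stddef.h>
#include <string.h>

/* Constructed userspace model of devres teardown; not kernel code. */
struct model_env { int work_pending; int uaf; };
typedef void (*step_fn)(struct model_env *);
struct model_dev { step_fn stack[4]; size_t n; };

static char trace[64]; /* order in which the teardown steps ran */

static void step_free_priv(struct model_env *env)
{
    strcat(trace, "free;");
    env->uaf = env->work_pending; /* still queued: it would run on freed memory */
}

static void step_stop_work(struct model_env *env)
{
    strcat(trace, "cancel;");
    env->work_pending = 0; /* state after cancel_delayed_work_sync() returns */
}

static void step_unregister(struct model_env *env)
{
    (void)env; /* unregistering does not touch the delayed work */
    strcat(trace, "unregister;");
}

/* Stand-in for devres release on remove: newest entry runs first. */
static void model_release_all(struct model_dev *dev, struct model_env *env)
{
    while (dev->n > 0)
        dev->stack[--dev->n](env);
}

/* Probe in the patch's order, then remove while the work is still queued. */
static int remove_hits_freed_priv(int with_stop_work)
{
    struct model_dev dev = { .n = 0 };
    struct model_env env = { .work_pending = 1, .uaf = 0 };

    trace[0] = '\0';
    dev.stack[dev.n++] = step_free_priv;      /* private struct, assumed devres-managed */
    if (with_stop_work)
        dev.stack[dev.n++] = step_stop_work;  /* the added devm_add_action() */
    dev.stack[dev.n++] = step_unregister;     /* devm_iio_device_register() */
    model_release_all(&dev, &env);
    return env.uaf;
}
```

`remove_hits_freed_priv(0)` models the driver before the patch and `remove_hits_freed_priv(1)` the driver after it; `trace` holds the resulting teardown order.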