From patchwork Thu Nov 28 06:45:50 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Pei Xiao X-Patchwork-Id: 13887726 Received: from mailgw.kylinos.cn (mailgw.kylinos.cn [124.126.103.232]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 1871F28F5; Thu, 28 Nov 2024 06:46:09 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=124.126.103.232 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1732776375; cv=none; b=cPjn/tleJzsQ3Rcm5OuVW1drGcoQLsrFmbr1nTJ3nuBf++mbNrefuVG/mA0aaqaTOXxAfhr7y43eoP3qZC72QWO21Pxlzw0bTdgK/GDFytwAUFBaSWc6m7pgMMTXUhPNko6C2xBapkMF4aCrWKIHdBN54proJqd4yoftYwP2hrY= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1732776375; c=relaxed/simple; bh=tCWl4IxTsFuYjpJQm7xOZt0YVfdtJTzfs2wYkT7ulO0=; h=From:To:Cc:Subject:Date:Message-Id:MIME-Version; b=SzfEdlNALO0oHNpbqGiP/IwJs6FOBHaS0vMBM6nSiSPSDDYDdML4ukCK1RUmpT4ek/qd0Cj4Ye6dOGNmypFDHU083mIegLwdqJ9Kd+keFKnuPOvgUm2B+1Ax4CCbMGReEniPXy6ZW1zEs89OwfiqeJpCUsIcuwi8Rn93f8OBP+c= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=kylinos.cn; spf=pass smtp.mailfrom=kylinos.cn; arc=none smtp.client-ip=124.126.103.232 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=kylinos.cn Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=kylinos.cn X-UUID: 6b2886d4ad5411efa216b1d71e6e1362-20241128 X-CTIC-Tags: HR_CC_AS_FROM, HR_CC_COUNT, HR_CC_DOMAIN_COUNT, HR_CC_NAME, HR_CTE_8B HR_CTT_MISS, HR_DATE_H, HR_DATE_WKD, HR_DATE_ZONE, HR_FROM_DIGIT_LEN HR_FROM_NAME, HR_SJ_DIGIT_LEN, HR_SJ_LANG, HR_SJ_LEN, HR_SJ_LETTER HR_SJ_NOR_SYM, HR_SJ_PHRASE, HR_SJ_PHRASE_LEN, HR_SJ_WS, HR_TO_COUNT HR_TO_DOMAIN_COUNT, HR_TO_NO_NAME, IP_TRUSTED, SRC_TRUSTED, DN_TRUSTED SA_TRUSTED, SA_EXISTED, SN_TRUSTED, SN_EXISTED, SPF_NOPASS DKIM_NOPASS, DMARC_NOPASS, CIE_BAD, CIE_GOOD_SPF, GTI_FG_BS GTI_RG_INFO, GTI_C_BU, AMN_GOOD X-CID-P-RULE: Release_Ham X-CID-O-INFO: VERSION:1.1.38,REQID:54dd7897-df25-4d86-b676-eedd053d6e51,IP:0,U RL:0,TC:0,Content:0,EDM:25,RT:0,SF:-5,FILE:0,BULK:0,RULE:Release_Ham,ACTIO N:release,TS:20 X-CID-INFO: VERSION:1.1.38,REQID:54dd7897-df25-4d86-b676-eedd053d6e51,IP:0,URL :0,TC:0,Content:0,EDM:25,RT:0,SF:-5,FILE:0,BULK:0,RULE:Release_Ham,ACTION: release,TS:20 X-CID-META: VersionHash:82c5f88,CLOUDID:d0922f9f7799d0b610411b8e44fcc665,BulkI D:241128144558SQCFMD0J,BulkQuantity:0,Recheck:0,SF:17|19|38|66|102,TC:nil, Content:0,EDM:5,IP:nil,URL:0,File:nil,RT:nil,Bulk:nil,QS:nil,BEC:nil,COL:0 ,OSI:0,OSA:0,AV:0,LES:1,SPR:NO,DKR:0,DKP:0,BRR:0,BRE:0 X-CID-BVR: 0 X-CID-BAS: 0,_,0,_ X-CID-FACTOR: TF_CID_SPAM_FAS,TF_CID_SPAM_FSD,TF_CID_SPAM_SNR X-UUID: 6b2886d4ad5411efa216b1d71e6e1362-20241128 X-User: xiaopei01@kylinos.cn Received: from xiaopei-pc.. [(10.44.16.150)] by mailgw.kylinos.cn (envelope-from ) (Generic MTA with TLSv1.3 TLS_AES_256_GCM_SHA384 256/256) with ESMTP id 1842071045; Thu, 28 Nov 2024 14:45:55 +0800 From: Pei Xiao To: eugen.hristev@linaro.org, jic23@kernel.org, lars@metafoo.de, nicolas.ferre@microchip.com, linux-iio@vger.kernel.org, linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, alexandre.belloni@bootlin.com Cc: Pei Xiao Subject: [PATCH] iio: adc: at91-sama5d2_adc: Fix use-after-free in sama5d2_adc driver Date: Thu, 28 Nov 2024 14:45:50 +0800 Message-Id: <1c67249dbc78678c451a155c04ef908627da6d1a.1732776187.git.xiaopei01@kylinos.cn> X-Mailer: git-send-email 2.34.1 Precedence: bulk X-Mailing-List: linux-iio@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 at91_adc_interrupt can call at91_adc_touch_data_handler function to start the work by schedule_work(&st->touch_st.workq). If we remove the module which will call at91_adc_remove to make cleanup, it will free indio_dev through iio_device_unregister while the work mentioned above will be used. The sequence of operations that may lead to a UAF bug is as follows: CPU0 CPU1 | at91_adc_workq_handler at91_adc_remove | iio_device_unregister(indio_dev) | device_release | //free indio_dev | | iio_push_to_buffers(indio_dev) | //use indio_dev Fix it by ensuring that the work is canceled before proceeding with the cleanup in at91_adc_remove. Fixes: 27e177190891 ("iio:adc:at91_adc8xx: introduce new atmel adc driver") Signed-off-by: Pei Xiao Reviewed-by: Eugen Hristev --- drivers/iio/adc/at91-sama5d2_adc.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/iio/adc/at91-sama5d2_adc.c b/drivers/iio/adc/at91-sama5d2_adc.c index 8e5aaf15a921..4ba52b500054 100644 --- a/drivers/iio/adc/at91-sama5d2_adc.c +++ b/drivers/iio/adc/at91-sama5d2_adc.c @@ -2491,6 +2491,7 @@ static void at91_adc_remove(struct platform_device *pdev) struct iio_dev *indio_dev = platform_get_drvdata(pdev); struct at91_adc_state *st = iio_priv(indio_dev); + cancel_work_sync(&st->touch_st.workq); iio_device_unregister(indio_dev); at91_adc_dma_disable(st);