Received: by 2002:ac0:aed5:0:0:0:0:0 with SMTP id t21csp6135770imb; Fri, 8 Mar 2019 10:02:25 -0800 (PST) X-Google-Smtp-Source: APXvYqxXiPNqtzPlxgZ3+2zRbSN+pcKZIoDS7lXQrF7E5HMkOpbUK2qMvPah9OxU8zK3C2Aqyg/k X-Received: by 2002:a17:902:59c3:: with SMTP id d3mr20236790plj.214.1552068145723; Fri, 08 Mar 2019 10:02:25 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1552068145; cv=none; d=google.com; s=arc-20160816; b=vskIpbKXF9K90A4fUm87lbgYCHWwxpNyx8iwoI9UJXNrKV5gUcdKoKKULczOafNEFA kXSy+h/q/xZKZYBR2OgJG6R+WEXZxda2fEMprn4uMzBhUAZCJDmZc0ajHAxPZ+CJ3K/K stN/Cgb5MmzgeZfT5IKUEAM//8e2dB0i4LjYJ/1g1FyvcNIbvrkP14s5ANkUmxdVAJ/4 ROXHEAje96qDCfYNzjw032Nb7Lun+76wmJZoxVPUa/zH5gsjzykSwSWFKnIBGPplTyoU ofeKhWn2IUiLPjKaMuZ5LWfIMbd7lKtk+QRvNSR98Tu7M6+EjOhpbgVEJkm9BrirGNja KSlw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:message-id:date:subject:cc:to:from :dkim-signature; bh=XggsLnkmq9eFvX40c5Ts8sC0GNXJ5eOMbPch1+L71OY=; b=PvtbCDHCwmm28ioBNmsXPOfWzdGVRXCifPDhj0XURUKnRuXoPtGw8ytyiCCcO0TPsD Za5+4FNJSN19Px2NKFZWaAnwySBHK6DoALtxPWQ9MtOAjToY4itRz/Uxi+ZW+ZGiLw4F oQhBy80LHvSdI7MkuvKyJJpMT9EDMqkWlMWrfL/N1j5vzvofHBqaAeJR66K9ZpvTAtsd A6n/SV/98k59zNcqRlBU3L3Hfwb6bJSW9SQv0iFD6slRLVPGKE3k3fF/jjfdMw8hEie5 TpN5xI9hAsOUXdjzl1sihEbrE7gJHkuCtHrd77NFsOSOtxz7H6IP/jMBQeEMmCVT5S7k M3Cw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=KlodvgAq; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id go14si7516929plb.380.2019.03.08.10.02.10; Fri, 08 Mar 2019 10:02:25 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=KlodvgAq; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727096AbfCHR7u (ORCPT + 99 others); Fri, 8 Mar 2019 12:59:50 -0500 Received: from mail-it1-f194.google.com ([209.85.166.194]:52190 "EHLO mail-it1-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726694AbfCHR7u (ORCPT ); Fri, 8 Mar 2019 12:59:50 -0500 Received: by mail-it1-f194.google.com with SMTP id e24so22178304itl.1; Fri, 08 Mar 2019 09:59:49 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id; bh=XggsLnkmq9eFvX40c5Ts8sC0GNXJ5eOMbPch1+L71OY=; b=KlodvgAqzWhz3dkXP0+PfYzKir26fDk1osmK8HqSGUBEfYqg7NwSFfsX4E1u4BtvV8 0cd29R8oQ7BNILqpwim729nrrzq7H+R9+lQfn1E3qiyZz3r5LOEZsc3qxDJ8CJw+NmSI jRrM/yQcOl+6sjU5369e1jgf7RQRyCVGe6OAkv0OfQpO32+MF9cIniosUDs7tpjnJdCQ Gx98+y1+/XnPeRojP8OH5Nc8jFzCCV/SubTtTzEsL4Mt01sdToy0UVKq9ZdlC5/GyYl/ 9Wap8hdYT+6w68YdRysgL48q8my+Gdewye81Mxi09ybFzr4R9C1s/tr1wJY+348WToAn gSzg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id; bh=XggsLnkmq9eFvX40c5Ts8sC0GNXJ5eOMbPch1+L71OY=; b=JGbr8EK/AsvvQgliha4tKvA61BvXPPQU+qr3B1is+yYMPfm3FjgKUxBhnzyjYXj8EW IMsfts1O0B/0vmCz0xPQtpOZ3YHDuQHeOWVNgSQt06QIea8o5VZtvA0tl02q0mpr9bF8 doj1yIr0EuNKMKhlMlrnUF6gqiSWnZyyfCGSZntQig8pbVCyU0/1obbRfV/zDJleMlHZ 8ozOZJd50JslenNG0d1svevJObeUSzaOHG+d38nsgtQvVPgCF6pb5ghjERG4V2VvZY2K +aIYuH+/Eyaxvs1taJvzv7lX6qaPnNLagvVkAHUfmmiCMO2+89/C+nUWwZqz4nuJhIDV g29g== X-Gm-Message-State: APjAAAWl1+N2/gmhE/PvHOQ7+NL9Z3NNC7NgqwYF8n7kIwkaTRHAF58N oCVGElJ6d7d+F3SY45RRTaE= X-Received: by 2002:a24:79d1:: with SMTP id z200mr9873111itc.53.1552067988790; Fri, 08 Mar 2019 09:59:48 -0800 (PST) Received: from svens-asus.arcx.com ([184.94.50.30]) by smtp.gmail.com with ESMTPSA id z10sm3331758iol.30.2019.03.08.09.59.47 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 08 Mar 2019 09:59:48 -0800 (PST) From: Sven Van Asbroeck X-Google-Original-From: Sven Van Asbroeck To: Jonathan Cameron Cc: Jonathan Cameron , Hartmut Knaack , Lars-Peter Clausen , Peter Meerwald-Stadler , linux-iio@vger.kernel.org, linux-kernel@vger.kernel.org, Matt Ranostay Subject: [PATCH v2] iio: proximity: as3935: fix use-after-free on device remove Date: Fri, 8 Mar 2019 12:59:35 -0500 Message-Id: <20190308175935.21904-1-TheSven73@gmail.com> X-Mailer: git-send-email 2.17.1 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org This driver's probe() uses a mix of devm_ and non-devm_ functions. This means that the remove order will not be the exact opposite of the probe order. Remove order: 1. remove() executes: iio_device_unregister iio_triggered_buffer_cleanup iio_trigger_unregister (A) 2. core frees devm resources in reverse order: free_irq iio_trigger_free iio_device_free In (A) the trigger has been unregistered, but the irq handler is still registered and active, so the trigger may still be touched via interrupt -> as3935_event_work. This is a potential use-after-unregister. Given that the delayed work is never canceled explicitly, it may run even after iio_device_free. This is a potential use-after-free. Solution: convert all probe functions to their devm_ equivalents. Add a devm callback, called by the core on remove right after irq_free, which explicitly cancels the delayed work. This will guarantee that all resources are freed in the correct order. As an added bonus, some boilerplate code can be removed. Signed-off-by: Sven Van Asbroeck --- drivers/iio/proximity/as3935.c | 49 ++++++++++++++-------------------- 1 file changed, 20 insertions(+), 29 deletions(-) diff --git a/drivers/iio/proximity/as3935.c b/drivers/iio/proximity/as3935.c index f130388a16a0..6e366e772164 100644 --- a/drivers/iio/proximity/as3935.c +++ b/drivers/iio/proximity/as3935.c @@ -345,6 +345,14 @@ static SIMPLE_DEV_PM_OPS(as3935_pm_ops, as3935_suspend, as3935_resume); #define AS3935_PM_OPS NULL #endif +static void as3935_stop_work(void *data) +{ + struct iio_dev *indio_dev = data; + struct as3935_state *st = iio_priv(indio_dev); + + cancel_delayed_work_sync(&st->work); +} + static int as3935_probe(struct spi_device *spi) { struct iio_dev *indio_dev; @@ -368,7 +376,6 @@ static int as3935_probe(struct spi_device *spi) spi_set_drvdata(spi, indio_dev); mutex_init(&st->lock); - INIT_DELAYED_WORK(&st->work, as3935_event_work); ret = of_property_read_u32(np, "ams,tuning-capacitor-pf", &st->tune_cap); @@ -414,22 +421,27 @@ static int as3935_probe(struct spi_device *spi) iio_trigger_set_drvdata(trig, indio_dev); trig->ops = &iio_interrupt_trigger_ops; - ret = iio_trigger_register(trig); + ret = devm_iio_trigger_register(&spi->dev, trig); if (ret) { dev_err(&spi->dev, "failed to register trigger\n"); return ret; } - ret = iio_triggered_buffer_setup(indio_dev, iio_pollfunc_store_time, - &as3935_trigger_handler, NULL); + ret = devm_iio_triggered_buffer_setup(&spi->dev, indio_dev, + iio_pollfunc_store_time, as3935_trigger_handler, NULL); if (ret) { dev_err(&spi->dev, "cannot setup iio trigger\n"); - goto unregister_trigger; + return ret; } calibrate_as3935(st); + INIT_DELAYED_WORK(&st->work, as3935_event_work); + ret = devm_add_action(&spi->dev, as3935_stop_work, indio_dev); + if (ret) + return ret; + ret = devm_request_irq(&spi->dev, spi->irq, &as3935_interrupt_handler, IRQF_TRIGGER_RISING, @@ -438,35 +450,15 @@ static int as3935_probe(struct spi_device *spi) if (ret) { dev_err(&spi->dev, "unable to request irq\n"); - goto unregister_buffer; + return ret; } - ret = iio_device_register(indio_dev); + ret = devm_iio_device_register(&spi->dev, indio_dev); if (ret < 0) { dev_err(&spi->dev, "unable to register device\n"); - goto unregister_buffer; + return ret; } return 0; - -unregister_buffer: - iio_triggered_buffer_cleanup(indio_dev); - -unregister_trigger: - iio_trigger_unregister(st->trig); - - return ret; -} - -static int as3935_remove(struct spi_device *spi) -{ - struct iio_dev *indio_dev = spi_get_drvdata(spi); - struct as3935_state *st = iio_priv(indio_dev); - - iio_device_unregister(indio_dev); - iio_triggered_buffer_cleanup(indio_dev); - iio_trigger_unregister(st->trig); - - return 0; } static const struct of_device_id as3935_of_match[] = { @@ -488,7 +480,6 @@ static struct spi_driver as3935_driver = { .pm = AS3935_PM_OPS, }, .probe = as3935_probe, - .remove = as3935_remove, .id_table = as3935_id, }; module_spi_driver(as3935_driver); -- 2.17.1