From: Sven Van Asbroeck
To: Peter Rosin, Jonathan Cameron
Cc: Hartmut Knaack, Lars-Peter Clausen, Peter Meerwald-Stadler, linux-iio@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH] iio: envelope-detector: fix use-after-free on device remove
Date: Sun, 10 Mar 2019 15:32:46 -0400
Message-Id: <20190310193246.31761-1-TheSven73@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

This driver's remove path never explicitly cancels the delayed work. So it is possible for the delayed work to run after the core has freed the private structure (struct envelope). This is a potential use-after-free.

Fix by adding a devm_add_action callback to the remove path, called right after iio_device_unregister(), which explicitly cancels the delayed work.

This issue was detected with the help of Coccinelle.

Signed-off-by: Sven Van Asbroeck
--- drivers/iio/adc/envelope-detector.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/drivers/iio/adc/envelope-detector.c b/drivers/iio/adc/envelope-detector.c index 2f2b563c1162..2f1c78b3ff44 100644 --- a/drivers/iio/adc/envelope-detector.c +++ b/drivers/iio/adc/envelope-detector.c
@@ -321,6 +321,14 @@ static const struct iio_info envelope_detector_info = { .read_raw = &envelope_detector_read_raw, }; +static void envelope_detector_stop_work(void *data) +{ + struct iio_dev *indio_dev = data; + struct envelope *env = iio_priv(indio_dev); + + cancel_delayed_work_sync(&env->comp_timeout); +} + static int envelope_detector_probe(struct platform_device *pdev) { struct device *dev = &pdev->dev; @@ -395,6 +403,10 @@ static int envelope_detector_probe(struct platform_device *pdev) return ret; } + ret = devm_add_action(dev, envelope_detector_stop_work, indio_dev); + if (ret) + return ret; + return devm_iio_device_register(dev, indio_dev); } -- 2.17.1
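Review bot: In envelope_detector_stop_work() (first hunk), cancel_delayed_work_sync(&env->comp_timeout) only closes the window if nothing can queue comp_timeout again after it returns, and the hunk does not show what schedules that work. If any path outside these lines can re-arm it during teardown, that source has to be quiesced before this callback runs; otherwise please state in the commit message or in a short comment above the function why re-queueing is impossible at this point.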
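Review bot: In envelope_detector_probe() (second hunk), the fix depends on devm_add_action() being called before devm_iio_device_register(), and nothing in the code records that. devres releases in reverse order of registration, which is what makes the cancel run right after the unregister as the commit message describes, so a one-line comment above `ret = devm_add_action(dev, envelope_detector_stop_work, indio_dev);` would keep a later reordering of probe from reintroducing the use-after-free. Also consider devm_add_action_or_reset(), which runs the action itself when registration fails, so the error path cleans up the same way the remove path does.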