Received: by 2002:a25:b323:0:0:0:0:0 with SMTP id l35csp66783ybj; Thu, 19 Sep 2019 10:47:04 -0700 (PDT) X-Google-Smtp-Source: APXvYqyR7uoK+7slgi5fu7INRN8gqFUeXWTyB4rkDtpqvIpD756GfTLdN0eqmSUhurfX+GnPouke X-Received: by 2002:a50:ec81:: with SMTP id e1mr17476083edr.107.1568915224316; Thu, 19 Sep 2019 10:47:04 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1568915224; cv=none; d=google.com; s=arc-20160816; b=Lb5mKsL1ra4eOPLTl32wFI+guOMxjQuAnLWzJW8Pfc8Oj8WPH2yGGxMrsjsXrk2Bww kyVvy5J/DKLHrkzE2Gd+FTIpVukU8fs7qSSpsOmE+EwwcLl7IXm21VSKygFH0dbGGoXJ /8fsWraS7aIjzQvtp/qYpQKoIyc9nt8MqMfCAKzeh1qrY2OBH6fKKAn8DZ05adjYiI1I ie8zrxqaXlZIHcy7XOgj3i+wgRuC2MtcLYrh/Ab+mZOy/Q2fHe1yWX3cw7t3Xl/CyDJR bunzEUtHVRyFJ83OTrBvNEGUNsr9vWdDfDwBezfJQrpP+9tMhw02dRuSCXpyTItyYPTO FRGQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:message-id:date:subject:cc:to:from :dkim-signature; bh=G1RgniGBhHx+ePsQxRnB8cqCywBk5uIA9l0Oj05OQJ8=; b=GjQvV6sFC+g9ADYFEHTZgblKXOd+AZFVl7elSZT3ob58YAvuHaDbb+2tBH+FnYkNFf zk5GGuZNS0UvhoKz28eXVjRGC21WbR2BDHUpMPOfqS2l8vrrwLwsYfi+rFEBvp8YWAoR CCdCvwVUBECwuaxcY0kmke4zEfWlT66dEI5ERu8tHAIipjJxhgbQul6G3k2aMwpOwoaH URrbpKyoKsIPoDeq5FpUDMuboP0DLatzJvSdzifC+ieQQgObbkRvaZue9uhqMEt5klsQ 7/p7IXO7E3qBw38DxDofHBZyL6u9dI/0SvbzDkJW8DruVgevW6Gj3r8sIs15bepsWf79 bckQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=lluivDNT; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id oe23si4951550ejb.199.2019.09.19.10.46.39; Thu, 19 Sep 2019 10:47:04 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=lluivDNT; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2391119AbfISPLq (ORCPT + 99 others); Thu, 19 Sep 2019 11:11:46 -0400 Received: from mail-io1-f65.google.com ([209.85.166.65]:42670 "EHLO mail-io1-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2388084AbfISPLp (ORCPT ); Thu, 19 Sep 2019 11:11:45 -0400 Received: by mail-io1-f65.google.com with SMTP id n197so8495478iod.9; Thu, 19 Sep 2019 08:11:44 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id; bh=G1RgniGBhHx+ePsQxRnB8cqCywBk5uIA9l0Oj05OQJ8=; b=lluivDNTjH/IK8vsfViEiPYr0Do1I8vpk22HCMZYTG+ILPHBGU/1bjqSnlsio3o37p Ffgn/qq/9VwzZpCrEg1P03b2tFPYaipfRcfhiFSITFaEZ+PlQJMUsPeAXBMS28HxWRhc M3/1S0G6S39YYXZ5hOy5jxg5wfjGZQja/lkJlLMO+f6UZ8YZ3c6a/Vl9KYdWes3EIz0/ CCCypwbbE7qjzKS3woIujH9Orz2G35LUbA7mNeOL5iOld4X39RBhn6VRKzJR8k+BnmtW vDZFVr1uSEVqB6hMFYZ6fTZi1lCTigZQU4tp4WZOCzChM0S7xDJu0eZDW2P0zPnkydIn E9Nw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id; bh=G1RgniGBhHx+ePsQxRnB8cqCywBk5uIA9l0Oj05OQJ8=; b=KJXTc2mAv2b8kIs2+8ZKIOStWt1JJNPnsl95QROqgqWsCn3GGCDFYkLDBBd2vD3g76 1ocDzKTxnG+TxyI+XVCcigQyceEBDygtMvfEK/J9ZniG0DgSy2cX3xU/CqjZbnNMsplx YRvQl0PZTYoNoUkvEAVY7Is46L/kfthcCQFwsV9HlcGA2JRdH+Bn7ReKf61kAzpzIIng 5oc4dA5Jwd2297cUij7AaWN+iV52d0D3QJ7adTWDTMB4/gjEZlw3+14pqySYHn4wcwSq PuQ2w/mC5MsoVPKIf844l9kuoOARq53C+VEjdmI3yO087pmfHxS2Gu5CpoHHWCNPGrOa rIwA== X-Gm-Message-State: APjAAAWoX8CygWF7ZAPfN4NybTf5g0lb77iZk+YXAvrRiiUFanpvkyCF N05J5DnBs6viXj0A+LQ7Vc8= X-Received: by 2002:a6b:fa07:: with SMTP id p7mr12316093ioh.164.1568905904288; Thu, 19 Sep 2019 08:11:44 -0700 (PDT) Received: from svens-asus.arcx.com ([184.94.50.30]) by smtp.gmail.com with ESMTPSA id e15sm6422625ioe.33.2019.09.19.08.11.42 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 19 Sep 2019 08:11:43 -0700 (PDT) From: Sven Van Asbroeck X-Google-Original-From: Sven Van Asbroeck To: Sebastian Reichel Cc: linux-pm@vger.kernel.org, linux-kernel@vger.kernel.org, stable Subject: [PATCH v1] power: supply: ltc2941-battery-gauge: fix use-after-free Date: Thu, 19 Sep 2019 11:11:37 -0400 Message-Id: <20190919151137.9960-1-TheSven73@gmail.com> X-Mailer: git-send-email 2.17.1 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org This driver's remove path calls cancel_delayed_work(). However, that function does not wait until the work function finishes. This could mean that the work function is still running after the driver's remove function has finished, which would result in a use-after-free. Fix by calling cancel_delayed_work_sync(), which ensures that that the work is properly cancelled, no longer running, and unable to re-schedule itself. This issue was detected with the help of Coccinelle. Cc: stable Signed-off-by: Sven Van Asbroeck --- drivers/power/supply/ltc2941-battery-gauge.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/power/supply/ltc2941-battery-gauge.c b/drivers/power/supply/ltc2941-battery-gauge.c index da49436176cd..30a9014b2f95 100644 --- a/drivers/power/supply/ltc2941-battery-gauge.c +++ b/drivers/power/supply/ltc2941-battery-gauge.c @@ -449,7 +449,7 @@ static int ltc294x_i2c_remove(struct i2c_client *client) { struct ltc294x_info *info = i2c_get_clientdata(client); - cancel_delayed_work(&info->work); + cancel_delayed_work_sync(&info->work); power_supply_unregister(info->supply); return 0; } -- 2.17.1