Received: by 2002:a25:1506:0:0:0:0:0 with SMTP id 6csp700112ybv; Thu, 13 Feb 2020 08:00:37 -0800 (PST) X-Google-Smtp-Source: APXvYqz95Uf5PrakE092d1HmifDQriFzNPs8v/2UrtlbDzB+xr3MddIb4s3rUrKoutIBGbjVn5Zn X-Received: by 2002:a54:458d:: with SMTP id z13mr3473518oib.32.1581609637436; Thu, 13 Feb 2020 08:00:37 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1581609637; cv=none; d=google.com; s=arc-20160816; b=SODpO54CyXhxFi0UILwaP69Sc/YL74qWw3hjPB91mg7OJW0B3PhTOi3r+IisyZ+zzN wGCpVLhwfr2f5IBcr1GiNHTb0P2CleHRxVAzXYXAVyx0jN4fbO8NdlbTrDA7NN1hfp30 k6PJSbaV4V17CI5ViaDQ2wqVsfcpLtHd4c9teOBfkKY1J0VN0H01tJwWqtcIfzZSStIi xXPsjNN21AGMEIlIvO4eFZZhFgf035yI1lhkxDapbymk+yYjwxLg8SPbEAcEvCpdhhIL bu7ZTsEg5WZQr6cHT+QsDHF6c8QsbVEehRL+EjOma26gYmV7x7Q3IGz0Pt6Vhq8sbcr+ 7J9g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=S/0+kwxUkU4qktU3JYPw3+haksXkxqq/K6OvwL//kwo=; b=NVWzRgqcyn7XK8qeW0TuARN8+hf8sfrU6YZoSiNfnD0qI/ID09424TC92ydkiQ68ht nFg3cP40mzl+xyhaG8WaFN8kQ1zsf0GLR+wvQWf4AOSipMZQXGAao9ZhOA2NAppg4wlT vpPOcucNx9y+alG4u+G1/xX9L4154R9lgWoW8lC3AkUmfZkyVlgCTyLBU75q4bvJYGMK Ek4o5XSC2Og+W9kDfdDi3mmv/DzHvmF2R3E6fA5iuf0axh2vm/YG8LzZZio1m0v1359n 3ajujgpAduOx6bV97WrK/KoKypgDkdj/kSvCg6EkdKuCI8OwkiRNAMtkfG4KtdymTOZS dYSA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b="iudQ/gwA"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id j13si1208858otq.146.2020.02.13.08.00.24; Thu, 13 Feb 2020 08:00:37 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b="iudQ/gwA"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728851AbgBMPYz (ORCPT + 99 others); Thu, 13 Feb 2020 10:24:55 -0500 Received: from mail.kernel.org ([198.145.29.99]:34842 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728406AbgBMPXb (ORCPT ); Thu, 13 Feb 2020 10:23:31 -0500 Received: from localhost (unknown [104.132.1.104]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id AA8152469A; Thu, 13 Feb 2020 15:23:30 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1581607410; bh=95I4fJrY2I/63Omufoh19gK8kES5AAcYBHMGTpzeQKs=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=iudQ/gwA9h0SfiEm+r0tAItG/FHABZwRPUHPdpNGrFVoCT9ezCMN96nAoryVc9NZg PAGeCevnzGq68qMb2cYLYUtvq3tnM2xuvl4ro7H0y0EjZ3lQZTKr2bT/ka2svxFvHq juWn15JSP27qcoEgHYkrLTS1jV+5vIjQJvCpw+TQ= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Sven Van Asbroeck , Sebastian Reichel Subject: [PATCH 4.9 032/116] power: supply: ltc2941-battery-gauge: fix use-after-free Date: Thu, 13 Feb 2020 07:19:36 -0800 Message-Id: <20200213151855.452948924@linuxfoundation.org> X-Mailer: git-send-email 2.25.0 In-Reply-To: <20200213151842.259660170@linuxfoundation.org> References: <20200213151842.259660170@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Sven Van Asbroeck commit a60ec78d306c6548d4adbc7918b587a723c555cc upstream. This driver's remove path calls cancel_delayed_work(). However, that function does not wait until the work function finishes. This could mean that the work function is still running after the driver's remove function has finished, which would result in a use-after-free. Fix by calling cancel_delayed_work_sync(), which ensures that that the work is properly cancelled, no longer running, and unable to re-schedule itself. This issue was detected with the help of Coccinelle. Cc: stable Signed-off-by: Sven Van Asbroeck Signed-off-by: Sebastian Reichel Signed-off-by: Greg Kroah-Hartman --- drivers/power/supply/ltc2941-battery-gauge.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/drivers/power/supply/ltc2941-battery-gauge.c +++ b/drivers/power/supply/ltc2941-battery-gauge.c @@ -364,7 +364,7 @@ static int ltc294x_i2c_remove(struct i2c { struct ltc294x_info *info = i2c_get_clientdata(client); - cancel_delayed_work(&info->work); + cancel_delayed_work_sync(&info->work); power_supply_unregister(info->supply); return 0; }