From: Zou Wei
Subject: [PATCH -next] mISDN: fix possible use-after-free in HFC_cleanup()
Date: Tue, 11 May 2021 14:58:53 +0800
Message-ID: <1620716333-108153-1-git-send-email-zou_wei@huawei.com>
X-Mailing-List: linux-kernel@vger.kernel.org

This module's remove path calls del_timer(). However, that function does not wait until the timer handler finishes. This means that the timer handler may still be running after the driver's remove function has finished, which would result in a use-after-free.

Fix by calling del_timer_sync(), which makes sure the timer handler has finished and is unable to re-schedule itself.

Reported-by: Hulk Robot
Signed-off-by: Zou Wei

--- drivers/isdn/hardware/mISDN/hfcpci.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/isdn/hardware/mISDN/hfcpci.c b/drivers/isdn/hardware/mISDN/hfcpci.c index 56bd2e9..e501cb0 100644 --- a/drivers/isdn/hardware/mISDN/hfcpci.c +++ b/drivers/isdn/hardware/mISDN/hfcpci.c @@ -2342,7 +2342,7 @@ static void __exit HFC_cleanup(void) { if (timer_pending(&hfc_tl)) - del_timer(&hfc_tl); + del_timer_sync(&hfc_tl); pci_unregister_driver(&hfc_driver); } -- 2.6.2
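
Review bot: the `if (timer_pending(&hfc_tl))` guard left as context in HFC_cleanup() still skips the new del_timer_sync() call in the case the commit message is about. timer_pending() only reports whether the timer is queued; the timer is taken off the queue before its handler is invoked, so while the handler is executing on another CPU timer_pending() returns false, del_timer_sync() is never reached, and module exit proceeds with the handler still running. del_timer_sync() is safe to call on a timer that is not pending, so drop the condition and call `del_timer_sync(&hfc_tl);` unconditionally ahead of `pci_unregister_driver(&hfc_driver);`.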