From: Zou Wei
To: ,
CC: , , Zou Wei
Subject: [PATCH -next] watchdog: Fix possible use-after-free in wdt_startup()
Date: Tue, 11 May 2021 15:01:35 +0800
Message-ID: <1620716495-108352-1-git-send-email-zou_wei@huawei.com>

This module's remove path calls del_timer(). However, that function does not wait until the timer handler finishes. This means that the timer handler may still be running after the driver's remove function has finished, which would result in a use-after-free.

Fix by calling del_timer_sync(), which makes sure the timer handler has finished, and is unable to re-schedule itself.

Reported-by: Hulk Robot
Signed-off-by: Zou Wei
--- drivers/watchdog/sbc60xxwdt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/watchdog/sbc60xxwdt.c b/drivers/watchdog/sbc60xxwdt.c index a947a63..7b97480 100644 --- a/drivers/watchdog/sbc60xxwdt.c +++ b/drivers/watchdog/sbc60xxwdt.c @@ -146,7 +146,7 @@ static void wdt_startup(void) static void wdt_turnoff(void) { /* Stop the timer */ - del_timer(&timer); + del_timer_sync(&timer); inb_p(wdt_stop); pr_info("Watchdog timer is now disabled...\n"); } -- 2.6.2
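Review bot: The subject names wdt_startup(), but the only changed line is the del_timer() call in wdt_turnoff(); wdt_startup() appears only as the context function in the @@ header, so the subject should be retitled to name wdt_turnoff() or the remove path. The changelog also speaks of "this module's remove path" while the hunk changes a helper that may have other callers not visible here. Because del_timer_sync() waits for a running handler, it must not be called from interrupt context or while holding a lock that the timer handler takes, so please state in the changelog that every caller of wdt_turnoff() runs in process context without such a lock. It would also help to say what is actually freed: `&timer` looks like a file-scope object, which would make the hazard a handler running after module unload rather than a freed allocation.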