Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp3258890pxj; Mon, 10 May 2021 23:50:08 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxNJDfAbu3fNI1xLZFv0uPLGi7sr4F+8wClKa7YB2SkipdQMwoWj8q74jXGcq8Qqikg6y9F X-Received: by 2002:a17:906:71d8:: with SMTP id i24mr29930103ejk.444.1620715808045; Mon, 10 May 2021 23:50:08 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1620715808; cv=none; d=google.com; s=arc-20160816; b=Y27ujyi5hWsoLDam+3kFDNrsbZfnyTLMwPQroDL+Wioa48odUp+bUeRyMh1R6X+iob gjILRaP4c4heksU+u2NHiFvailEZ3yGGIRq+ciilCMkBwUs+DqEJO5aKhC8TB3h5XpwS SjDlsfJgqeNtII5T1WS9C9kGUyKjw/9/PEzBQbyl6PE9AgyaEC3gxkbyJd4/CeBa+HuI 9qTHR6XGeQHRFQX5bf6Iwcg7fkGVxEKbeU7cFbbC8BPnvtfGMKdBj2u4q2wjkAYzDN2d Vny9b0ZBntH1nFq4zWgz5d539LRJ89Jrja08cUEesTSpfexhQR1x3WqAcmBT4tULALZL Jipw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:mime-version:message-id:date:subject:cc:to:from; bh=QNgqDKfjJM306nGJfgxfPYy+svTA1ARo2z3giDNryOM=; b=mTZk4MijYodhDWhDNf1M2+8e3Y3b2EQm/LmdRaU8HDurGDfpHV7gWDpVGUS6ptAU3q yosqWkwJLeC6o1NMYIy/npJexl3mkq5tu3TbYE1W2SOur2caAkkk7EeeCKC6+JOVhR5J Fk3hY9d6zjfoI6Xf5QvzOfrLnGlKj46w1CfjiPTSQgFGJZrP4m1T4qngba3aehK+rdIO WEbiD9cZ1l5ZJheik/SLaQDxKKCbNcNOwRFsB4PHfzOGOC5SAjm1c6UrilIi/9sdN9f9 RcKdsqFKtEJ56Q4V93mlYWxEctSZVhC1AOv5PcxKxVF5rYOWtKh+pQrEgQ+lXtg4CtM4 7p6A== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=huawei.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id gs19si15456077ejc.707.2021.05.10.23.49.44; Mon, 10 May 2021 23:50:08 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=huawei.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230410AbhEKGtG (ORCPT + 99 others); Tue, 11 May 2021 02:49:06 -0400 Received: from szxga04-in.huawei.com ([45.249.212.190]:2692 "EHLO szxga04-in.huawei.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230251AbhEKGtG (ORCPT ); Tue, 11 May 2021 02:49:06 -0400 Received: from DGGEMS401-HUB.china.huawei.com (unknown [172.30.72.59]) by szxga04-in.huawei.com (SkyGuard) with ESMTP id 4FfT28183Jz1BKx5; Tue, 11 May 2021 14:45:20 +0800 (CST) Received: from linux-lmwb.huawei.com (10.175.103.112) by DGGEMS401-HUB.china.huawei.com (10.3.19.201) with Microsoft SMTP Server id 14.3.498.0; Tue, 11 May 2021 14:47:49 +0800 From: Zou Wei To: , CC: , , Zou Wei Subject: [PATCH -next] watchdog: sc520_wdt: Fix possible use-after-free in wdt_turnoff() Date: Tue, 11 May 2021 15:04:51 +0800 Message-ID: <1620716691-108460-1-git-send-email-zou_wei@huawei.com> X-Mailer: git-send-email 2.6.2 MIME-Version: 1.0 Content-Type: text/plain X-Originating-IP: [10.175.103.112] X-CFilter-Loop: Reflected Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org This module's remove path calls del_timer(). However, that function does not wait until the timer handler finishes. This means that the timer handler may still be running after the driver's remove function has finished, which would result in a use-after-free. Fix by calling del_timer_sync(), which makes sure the timer handler has finished, and unable to re-schedule itself. Reported-by: Hulk Robot Signed-off-by: Zou Wei --- drivers/watchdog/sc520_wdt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/watchdog/sc520_wdt.c b/drivers/watchdog/sc520_wdt.c index e66e6b9..ca65468 100644 --- a/drivers/watchdog/sc520_wdt.c +++ b/drivers/watchdog/sc520_wdt.c @@ -186,7 +186,7 @@ static int wdt_startup(void) static int wdt_turnoff(void) { /* Stop the timer */ - del_timer(&timer); + del_timer_sync(&timer); /* Stop the watchdog */ wdt_config(0); -- 2.6.2