Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp4204405pxj;
        Tue, 11 May 2021 23:42:28 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJwdtc9jbPMc55gK/bNUCGJGr4Blv9XdB012mWEBPqOxKBc1R/3Dks+Q8XnyzwGb0EkXT55Q
X-Received: by 2002:a02:cac6:: with SMTP id f6mr30488071jap.118.1620801748778;
        Tue, 11 May 2021 23:42:28 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1620801748; cv=none;
        d=google.com; s=arc-20160816;
        b=qEwYhqbzgcAaMetATVIwM7NGOR71An6JyIDeldWzGkG7KXiSJzGp93bdaw03IK6aC1
         539tf52c7SVS8zJlxgDAPeuJCsI2X0J+XO/fSnmjSKlokpKdTZTbrCHBRyIUe2L6TwhY
         9MTJSXitnBDzd8MGYSOPIhKoJcWotfzZgf2paZLiG+PWK5XMIRU9ciNGT8ESa5EAu521
         ZFE4RN291GF0MBUl/KMGeHr8B/XZJEON8kZFLreUfx15OozvhSDbtZYB0DSvOR5/MNjz
         f26p17tL200xF7vCCY2A8z5dFTu7zHB2QnC9f9KsVcRBT+Tu8cbwXNlGHZFWHxKk++Z3
         ALhQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:mime-version:message-id:date:subject:cc:to:from;
        bh=c/YSaG3Y7xw6avJxC4u7c5HPwata7hjDMFCN6vxS+oA=;
        b=rofR8NxRmfWImhYZx3kP45QRKJV+ThxXWJUwGHK/vBBJ8ZANEJA5PbRZxxh0Jpuc2i
         UZJZQlHZKWm6xgvSgaDaBo/z2KmwbiFO2xFzRcU5SbkEMy/Vki0qzpoKoYVwJOSnCjxW
         mr07di6S/gJArftwKGL6QP9RhxNe+DpTefNYwE2eBR5TmYGTtRbD8NoKBHJaYtLarxlS
         iUCpZjnDpUFjq7imDTWbkTV31+Y0wSgj9uQCm7sMGL/OpOLyykxyb2ssUoJDzNoYo2YJ
         Afl6b3alEC6vRigvWDlHcmjWgTTcfOw9sS0CxnXmM1F816gLlEGI8WlG9O2JEVN9SqPe
         7hXQ==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=huawei.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id y21si23175668jao.90.2021.05.11.23.42.15;
        Tue, 11 May 2021 23:42:28 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=huawei.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S230070AbhELGmF (ORCPT <rfc822;lkmlinbox@gmail.com> + 99 others);
        Wed, 12 May 2021 02:42:05 -0400
Received: from szxga03-in.huawei.com ([45.249.212.189]:2363 "EHLO
        szxga03-in.huawei.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S230018AbhELGmF (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 12 May 2021 02:42:05 -0400
Received: from dggeml709-chm.china.huawei.com (unknown [172.30.72.56])
        by szxga03-in.huawei.com (SkyGuard) with ESMTP id 4Fg4pj3r2vz5tTn;
        Wed, 12 May 2021 14:37:33 +0800 (CST)
Received: from dggemi762-chm.china.huawei.com (10.1.198.148) by
 dggeml709-chm.china.huawei.com (10.3.17.139) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id
 15.1.2176.2; Wed, 12 May 2021 14:40:55 +0800
Received: from linux-lmwb.huawei.com (10.175.103.112) by
 dggemi762-chm.china.huawei.com (10.1.198.148) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id
 15.1.2176.2; Wed, 12 May 2021 14:40:54 +0800
From:   Zou Wei <zou_wei@huawei.com>
To:     <wim@linux-watchdog.org>, <linux@roeck-us.net>, <vz@mleia.com>
CC:     <linux-watchdog@vger.kernel.org>,
        <linux-arm-kernel@lists.infradead.org>,
        <linux-kernel@vger.kernel.org>, Zou Wei <zou_wei@huawei.com>
Subject: [PATCH -next] watchdog: Fix possible use-after-free by calling del_timer_sync()
Date:   Wed, 12 May 2021 14:57:56 +0800
Message-ID: <1620802676-19701-1-git-send-email-zou_wei@huawei.com>
X-Mailer: git-send-email 2.6.2
MIME-Version: 1.0
Content-Type: text/plain
X-Originating-IP: [10.175.103.112]
X-ClientProxiedBy: dggems704-chm.china.huawei.com (10.3.19.181) To
 dggemi762-chm.china.huawei.com (10.1.198.148)
X-CFilter-Loop: Reflected
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

This driver's remove path calls del_timer(). However, that function
does not wait until the timer handler finishes. This means that the
timer handler may still be running after the driver's remove function
has finished, which would result in a use-after-free.

Fix by calling del_timer_sync(), which makes sure the timer handler
has finished, and unable to re-schedule itself.

Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Zou Wei <zou_wei@huawei.com>
---
 drivers/watchdog/lpc18xx_wdt.c | 2 +-
 drivers/watchdog/w83877f_wdt.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/watchdog/lpc18xx_wdt.c b/drivers/watchdog/lpc18xx_wdt.c
index 78cf11c..60b6d74 100644
--- a/drivers/watchdog/lpc18xx_wdt.c
+++ b/drivers/watchdog/lpc18xx_wdt.c
@@ -292,7 +292,7 @@ static int lpc18xx_wdt_remove(struct platform_device *pdev)
 	struct lpc18xx_wdt_dev *lpc18xx_wdt = platform_get_drvdata(pdev);
 
 	dev_warn(&pdev->dev, "I quit now, hardware will probably reboot!\n");
-	del_timer(&lpc18xx_wdt->timer);
+	del_timer_sync(&lpc18xx_wdt->timer);
 
 	return 0;
 }
diff --git a/drivers/watchdog/w83877f_wdt.c b/drivers/watchdog/w83877f_wdt.c
index 5772cc5..f265086 100644
--- a/drivers/watchdog/w83877f_wdt.c
+++ b/drivers/watchdog/w83877f_wdt.c
@@ -166,7 +166,7 @@ static void wdt_startup(void)
 static void wdt_turnoff(void)
 {
 	/* Stop the timer */
-	del_timer(&timer);
+	del_timer_sync(&timer);
 
 	wdt_change(WDT_DISABLE);
 
-- 
2.6.2