From: Zou Wei
To: <3chas3@gmail.com>
CC: , , , Zou Wei
Subject: [PATCH -next] atm: nicstar: Fix possible use-after-free in nicstar_cleanup()
Date: Wed, 12 May 2021 15:00:24 +0800
Message-ID: <1620802824-19916-1-git-send-email-zou_wei@huawei.com>
X-Mailing-List: linux-kernel@vger.kernel.org

This module's remove path calls del_timer(). However, that function does not wait until the timer handler finishes. This means that the timer handler may still be running after the driver's remove function has finished, which would result in a use-after-free.

Fix by calling del_timer_sync(), which makes sure the timer handler has finished, and is unable to re-schedule itself.

Reported-by: Hulk Robot
Signed-off-by: Zou Wei

--- drivers/atm/nicstar.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/atm/nicstar.c b/drivers/atm/nicstar.c index 5c7e4df..b015c3e 100644 --- a/drivers/atm/nicstar.c +++ b/drivers/atm/nicstar.c @@ -299,7 +299,7 @@ static void __exit nicstar_cleanup(void) { XPRINTK("nicstar: nicstar_cleanup() called.\n"); - del_timer(&ns_timer); + del_timer_sync(&ns_timer); pci_unregister_driver(&nicstar_driver); -- 2.6.2
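Review bot: In nicstar_cleanup() the new del_timer_sync(&ns_timer) still runs before pci_unregister_driver(&nicstar_driver), so the fix only holds if nothing that executes during or after the PCI unregister can arm ns_timer again. Please confirm in the commit message that the timer is only re-armed from its own handler, since any other add_timer()/mod_timer() caller reachable while the driver is being unregistered would reopen the same window. The message also speaks of the "driver's remove function", while the changed call sits in the __exit module cleanup function; naming which object the handler could touch after it is freed (and at which point it is freed) would make the use-after-free claim checkable. A Fixes: tag is missing, which matters if this is meant to be backported.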