Subject: Re: [PATCH -next] watchdog: Fix possible use-after-free by calling del_timer_sync()
To: Guenter Roeck
References: <1620802676-19701-1-git-send-email-zou_wei@huawei.com> <20210512140636.GK1333995@roeck-us.net>
From: Samuel Zou
Date: Thu, 13 May 2021 10:01:35 +0800
X-Mailing-List: linux-kernel@vger.kernel.org

Hi Guenter,

Thanks for your review. If there are similar issues in the future, I will collect them together and submit as one patch.

On 2021/5/12 22:06, Guenter Roeck wrote:
> On Wed, May 12, 2021 at 02:57:56PM +0800, Zou Wei wrote:
>> This driver's remove path calls del_timer(). However, that function
>> does not wait until the timer handler finishes. This means that the
>> timer handler may still be running after the driver's remove function
>> has finished, which would result in a use-after-free.
>>
>> Fix by calling del_timer_sync(), which makes sure the timer handler
>> has finished, and unable to re-schedule itself.
>>
>> Reported-by: Hulk Robot
>> Signed-off-by: Zou Wei
>
> If you have more of those, _please_ submit them together to save review time.
>
> Reviewed-by: Guenter Roeck
>
> Guenter
>
>> --- >> drivers/watchdog/lpc18xx_wdt.c | 2 +- >> drivers/watchdog/w83877f_wdt.c | 2 +- >> 2 files changed, 2 insertions(+), 2 deletions(-) >> >> diff --git a/drivers/watchdog/lpc18xx_wdt.c b/drivers/watchdog/lpc18xx_wdt.c >> index 78cf11c..60b6d74 100644 >> --- a/drivers/watchdog/lpc18xx_wdt.c >> +++ b/drivers/watchdog/lpc18xx_wdt.c >> @@ -292,7 +292,7 @@ static int lpc18xx_wdt_remove(struct platform_device *pdev) >> struct lpc18xx_wdt_dev *lpc18xx_wdt = platform_get_drvdata(pdev); >> >> dev_warn(&pdev->dev, "I quit now, hardware will probably reboot!\n"); >> - del_timer(&lpc18xx_wdt->timer); >> + del_timer_sync(&lpc18xx_wdt->timer); >> >> return 0; >> }
>> diff --git a/drivers/watchdog/w83877f_wdt.c b/drivers/watchdog/w83877f_wdt.c >> index 5772cc5..f265086 100644 >> --- a/drivers/watchdog/w83877f_wdt.c >> +++ b/drivers/watchdog/w83877f_wdt.c >> @@ -166,7 +166,7 @@ static void wdt_startup(void) >> static void wdt_turnoff(void) >> { >> /* Stop the timer */ >> - del_timer(&timer); >> + del_timer_sync(&timer); >> >> wdt_change(WDT_DISABLE); >> >> -- >> 2.6.2 >> > . >
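Review bot: In the lpc18xx_wdt_remove() hunk, the changelog does not say which memory the timer handler would touch after remove returns. The timer is a member of the lpc18xx_wdt structure fetched with platform_get_drvdata(), so the use-after-free claim depends on when that structure is released; please name that in the commit message. The changelog also says "This driver's remove path" although the patch changes two drivers, so it should be reworded to cover both or the patch split per driver.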
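Review bot: In the wdt_turnoff() hunk of w83877f_wdt.c, the changelog's "remove path" reasoning does not obviously apply: wdt_turnoff() is a helper that takes no device argument, and `timer` is not declared inside it, so no per-device allocation is visible here. Since del_timer_sync() waits for a running handler, please state which callers reach wdt_turnoff() and confirm that none of them runs in interrupt context or holds a lock the timer handler takes, where the wait could deadlock.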