Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp404575pxj; Thu, 20 May 2021 12:02:41 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxLnuEV/MBSUTnu5u5myrdGHn2SanjKD95dxl0cxynPKGofqroMxvQpx3vsFWfBbaKx8lpl X-Received: by 2002:a05:6e02:ee1:: with SMTP id j1mr6690287ilk.105.1621537361067; Thu, 20 May 2021 12:02:41 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1621537361; cv=none; d=google.com; s=arc-20160816; b=tisQnW3u5F19TkT4JAdBF6ND22HeVBeLTNNIDz24ekxKLlWc4zDx2gYjbeCEnfuteD Uuh3xEs02G/ya8IUQrbkjnyixSOeXcWLhMugx03LSDhs/jJQtPKV/zPikE7NPMcUl+f3 c4xe5pa6Y6r+wUXltl19vtuzVywSygo2vG87llrMShAII+vJqk+7gSBgpjQyZan3PsJ+ eVaHitmuFymN6DLw1oruhVQDY0tHO4gJUFvC7KKjmmnwVyL3gQd0H4Lfn8VcEtal3pJc IVX1qtEUyQbF5Oa1XRK4p+fyVzWBII4O4BUtIJxOtcOq0fm6mHmG4CrdKKK/tIwLGSZV 41fg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=xc9hzh7AGfrBz+kmtl79OrDyNzgkrG8NSjBuCb44ti4=; b=fsxo1q45SnrNlWZBDhTMVbpTcr4mDP6gw+oQuH9hetN/J/GeCoL0mZZy4XHb5/2XQe 52KKwhgQOhx5DOEccMVXCYNaS9sf2vVRKfUVC6tHCmFnVaKJB3YtOReMcYJGwwmpZELi K8sEmD4muAYeBrY6iZ0eK+ZMYr8GYq+kwFRM1gTFI0SMLuGXc+Kjz3k7W6MWQkhE4cXy MJREtaqstZOfU8oTN1i6yompsJ2D8tMR+X34ddVtS6JF9Bb1tjxOTiJNmOsCRchFGmGt nMX5tarRqNGcjTnrFcmmSRXFMIevO5hKmujjfpw5p38Xcr3ycd5Npxy2s7lP0hL0GCXD AF6w== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=F3eFZyM+; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id i127si2030693iof.95.2021.05.20.12.02.27; Thu, 20 May 2021 12:02:41 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=F3eFZyM+; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S236285AbhETKaG (ORCPT + 99 others); Thu, 20 May 2021 06:30:06 -0400 Received: from mail.kernel.org ([198.145.29.99]:48100 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235833AbhETKR2 (ORCPT ); Thu, 20 May 2021 06:17:28 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id 4CC0C61459; Thu, 20 May 2021 09:46:27 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1621503987; bh=QAT7/DpyHeJMZMdN80nWXT2iJv4L2bS1nhzR0FOK+k8=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=F3eFZyM+JEdMJkoo5+aU2H6kDez5gcpecjMpCTjGox9m6qagNXk7bG1uesZTvdxzr qKqIZ4suuiFH1vAL5y6lHYR85BQH+3agdIOnC3pgEPTw8sdEEBo/3/zrklDe5vfYhE gP7HHTHwxl43Q5N8hWCnRrxK6SB8f4TYgzLT43P4= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Hulk Robot , Yang Yingliang , Vinod Koul , Sasha Levin Subject: [PATCH 4.14 043/323] phy: phy-twl4030-usb: Fix possible use-after-free in twl4030_usb_remove() Date: Thu, 20 May 2021 11:18:55 +0200 Message-Id: <20210520092121.579762186@linuxfoundation.org> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20210520092120.115153432@linuxfoundation.org> References: <20210520092120.115153432@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Yang Yingliang [ Upstream commit e1723d8b87b73ab363256e7ca3af3ddb75855680 ] This driver's remove path calls cancel_delayed_work(). However, that function does not wait until the work function finishes. This means that the callback function may still be running after the driver's remove function has finished, which would result in a use-after-free. Fix by calling cancel_delayed_work_sync(), which ensures that the work is properly cancelled, no longer running, and unable to re-schedule itself. Reported-by: Hulk Robot Signed-off-by: Yang Yingliang Link: https://lore.kernel.org/r/20210407092716.3270248-1-yangyingliang@huawei.com Signed-off-by: Vinod Koul Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin --- drivers/phy/ti/phy-twl4030-usb.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/phy/ti/phy-twl4030-usb.c b/drivers/phy/ti/phy-twl4030-usb.c index c267afb68f07..ea7564392108 100644 --- a/drivers/phy/ti/phy-twl4030-usb.c +++ b/drivers/phy/ti/phy-twl4030-usb.c @@ -801,7 +801,7 @@ static int twl4030_usb_remove(struct platform_device *pdev) usb_remove_phy(&twl->phy); pm_runtime_get_sync(twl->dev); - cancel_delayed_work(&twl->id_workaround_work); + cancel_delayed_work_sync(&twl->id_workaround_work); device_remove_file(twl->dev, &dev_attr_vbus); /* set transceiver mode to power on defaults */ -- 2.30.2