Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp567468pxj; Thu, 20 May 2021 16:25:50 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzKVRswE8eP2Q/l7THqx43w7LtGhnjTrct68hDjMff4SrDCVqRo7ErJZ4rWFHA9BUjaTkTk X-Received: by 2002:aa7:ca0d:: with SMTP id y13mr7685401eds.307.1621553150156; Thu, 20 May 2021 16:25:50 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1621553150; cv=none; d=google.com; s=arc-20160816; b=d6kzOQ3JbhWupxqhwv/Od45oodVxpLSUFXtZ+Hv0cPhHbguEKOLx0Lmmnyjea5ew/F ml67uVRVMyisyE/qn8QKss95IB62WmFwR2cVAdUBidYBMzFKQrBpcR1lvLTnh3NxJrI6 48JwZde6z7GHaR5RnMbHE972hhS7weA4rxO0u+EA0eKBq0nhnqAzuznmmZSb4KApk9QG P8gP5oezFiitfZPL0bYYqgPWrrYFPM+Ypz7albF2ndNiB/l2/+tBa+H27+EkeDq86A1p rREmBOQPvqmW3nfrnYVwiQ+vbTO7J9PF27pHreoKP1Sy+w3i1xOHARP6jZSsdl4847k9 Mcwg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=0OKbGM2Rot9Jg0syV2KwfYETGP0BMiTr10jWTUEDSDc=; b=gbJKfqu4XK6LyDsN1d/S0/TvNIrVAQBCfrAQ4Y3VIW6UaC/Y9JjVeczmU1XdLccQND Le6rrx4ui7LolhuZxhz+oFAZCWgCQ1rsFrBECF40DZQu31IIeNMS/wTm1z3Kn5W0mCKu Pk0XhcJTGI22fjEHVF+f31Z+r/W9TJcAl5t/q+40T5PdYppcN7rdB/gs8Q0dOZ/UEPx4 w3INr7ik+WbVQ1A8kOXgJitwLC2ev/0+yrxi26/uPIoCgnYRwukXNa2UcyrT+dFv4PwU hi4zU4dSZMoUSkIz4i+4SsPli0cPbyE+/NrYV+W6k4Gff2/0sGUVnh7kDB1VUAEdgTpp iAdA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=PKRCqx0p; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id a15si1712911edr.48.2021.05.20.16.25.26; Thu, 20 May 2021 16:25:50 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=PKRCqx0p; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S241375AbhETLaK (ORCPT + 99 others); Thu, 20 May 2021 07:30:10 -0400 Received: from mail.kernel.org ([198.145.29.99]:56404 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S240368AbhETLKC (ORCPT ); Thu, 20 May 2021 07:10:02 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id 7F76761D3E; Thu, 20 May 2021 10:06:49 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1621505210; bh=DKurEqkRn6cfph3aDC6+V3HTGwnsta1k7RlNAI8lM5Y=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=PKRCqx0pPJqgA60N+y962YwKEaNS7CctKZPn0cpL+5z94urGF/SSzeevFN9CVVVav 376FsUZVsRcDs1z0iIXpBrrTdLhTyHq3CgSaL1BiBD3z2zmECaQ/qOaBTo4E4tInRW AcF4QLACA5sHHfzVTZpqUAbkvpJ24LeD0ywdygYw= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Hulk Robot , Yang Yingliang , Sebastian Reichel , Sasha Levin Subject: [PATCH 4.4 030/190] power: supply: generic-adc-battery: fix possible use-after-free in gab_remove() Date: Thu, 20 May 2021 11:21:34 +0200 Message-Id: <20210520092103.167885303@linuxfoundation.org> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20210520092102.149300807@linuxfoundation.org> References: <20210520092102.149300807@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Yang Yingliang [ Upstream commit b6cfa007b3b229771d9588970adb4ab3e0487f49 ] This driver's remove path calls cancel_delayed_work(). However, that function does not wait until the work function finishes. This means that the callback function may still be running after the driver's remove function has finished, which would result in a use-after-free. Fix by calling cancel_delayed_work_sync(), which ensures that the work is properly cancelled, no longer running, and unable to re-schedule itself. Reported-by: Hulk Robot Signed-off-by: Yang Yingliang Signed-off-by: Sebastian Reichel Signed-off-by: Sasha Levin --- drivers/power/generic-adc-battery.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/power/generic-adc-battery.c b/drivers/power/generic-adc-battery.c index fedc5818fab7..86289f9da85a 100644 --- a/drivers/power/generic-adc-battery.c +++ b/drivers/power/generic-adc-battery.c @@ -379,7 +379,7 @@ static int gab_remove(struct platform_device *pdev) } kfree(adc_bat->psy_desc.properties); - cancel_delayed_work(&adc_bat->bat_work); + cancel_delayed_work_sync(&adc_bat->bat_work); return 0; } -- 2.30.2