Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp609544pxj; Thu, 20 May 2021 17:46:32 -0700 (PDT) X-Google-Smtp-Source: ABdhPJz1L66xlP0Y4Ls+1H2rMceUDB9iJ2mw9l2f/6FYOC56r2rcnLuVVZZ3UAq2IvT9p//f+Cwe X-Received: by 2002:aa7:ca0c:: with SMTP id y12mr7752430eds.380.1621557991944; Thu, 20 May 2021 17:46:31 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1621557991; cv=none; d=google.com; s=arc-20160816; b=zoYthVtygMh+kEMZ/ncbXgArcErdZJ/Be2x+RGTp1VcvDH9XghKBMNUjAENICYeSdM SxB12kJnoOxuEaVw2oIemPlK8qMzIy0nEHM/8W8tZAJMUEeYK5cps+4dt7Zq4xRGDkcG IOn4JBmPWxK1V+iFhnWqJjpkshIwngNDtFHKCvse0EcmYWIhMwqRFMexE9flHNhizspL 8L65pMW7mhuTIjoLfPscauYI9qcad4N3AmMSqGAjrxxwh8vV2EK49OD1RjT+8N3RFzRH cO9a+uYTotIAxVpLypsEcZrMbxoShtUAUpdHVRk3SXXZUnWYPPn4ccbTVY1Mi9hNNZ4J kLPQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=DFw2vf0Fws30VQP8g9yDBURGdR1p1Zo+EfKv/Acpyv0=; b=NNIBmS7nUrnd3Fe+dWuPNo3Jait7gK6XBuNhLaBy8VspCKgWodG+hcAIcB+X+GLSCD 9Ili07Ck3YSdkyYkpdhrAiEtb04cj9tDvVIauruz/QtnegVBojTwXoK4biro1csBLqDc t7BHn94GxR27ydto2mxNlxdBMfq5Ow//Cxyo9G5414ZHaWXZXmLpbi96wBSgmjP/C8Yo Awd1npIXPytDX+XHCWFh6ZNnXgZKZplCtIeQz2t8HH2erhd2INs7Eh7vaLgvgXJ0zfNp 7HzMel3/gv6glbrMx8LrQzV6vv+0sk7EHe3U2LGZvecxWvUK1diBJMnbC9YZHJ6YYg9i N9DA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=Q4TCE+YM; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id h20si3436783edv.406.2021.05.20.17.46.08; Thu, 20 May 2021 17:46:31 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=Q4TCE+YM; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S238819AbhETLaN (ORCPT + 99 others); Thu, 20 May 2021 07:30:13 -0400 Received: from mail.kernel.org ([198.145.29.99]:56406 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S240367AbhETLKC (ORCPT ); Thu, 20 May 2021 07:10:02 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id B093861D33; Thu, 20 May 2021 10:06:51 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1621505212; bh=zIV/X3RDGm+3ThlybYosjhW5l3vnZrve28LxP00O7n4=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=Q4TCE+YMyN0R1yCxnhKIUvPVmVKJs+PiMdeEofvjemasvdYDkKeY0DJ7DZWuUHfa0 CMA6JPqnTKsQkjrui1wkiyexUqp/T0pFYgEqf3DDXO31VAgpJ87MrSrrj+Y6HtGoZw bvvVXrN6HS4MoV7Rz5Xm2lmdsC1y0DEmoFTVE3EE= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Hulk Robot , Yang Yingliang , Krzysztof Kozlowski , Sebastian Reichel , Sasha Levin Subject: [PATCH 4.4 031/190] power: supply: s3c_adc_battery: fix possible use-after-free in s3c_adc_bat_remove() Date: Thu, 20 May 2021 11:21:35 +0200 Message-Id: <20210520092103.197561824@linuxfoundation.org> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20210520092102.149300807@linuxfoundation.org> References: <20210520092102.149300807@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Yang Yingliang [ Upstream commit 68ae256945d2abe9036a7b68af4cc65aff79d5b7 ] This driver's remove path calls cancel_delayed_work(). However, that function does not wait until the work function finishes. This means that the callback function may still be running after the driver's remove function has finished, which would result in a use-after-free. Fix by calling cancel_delayed_work_sync(), which ensures that the work is properly cancelled, no longer running, and unable to re-schedule itself. Reported-by: Hulk Robot Signed-off-by: Yang Yingliang Reviewed-by: Krzysztof Kozlowski Signed-off-by: Sebastian Reichel Signed-off-by: Sasha Levin --- drivers/power/s3c_adc_battery.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/power/s3c_adc_battery.c b/drivers/power/s3c_adc_battery.c index 0ffe5cd3abf6..06b412c43aa7 100644 --- a/drivers/power/s3c_adc_battery.c +++ b/drivers/power/s3c_adc_battery.c @@ -392,7 +392,7 @@ static int s3c_adc_bat_remove(struct platform_device *pdev) gpio_free(pdata->gpio_charge_finished); } - cancel_delayed_work(&bat_work); + cancel_delayed_work_sync(&bat_work); if (pdata->exit) pdata->exit(); -- 2.30.2