Received: by 2002:a05:6a10:1287:0:0:0:0 with SMTP id d7csp3759091pxv; Mon, 19 Jul 2021 08:07:02 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxVW/suC2CjKnubPWy97zX9fI2YP+nlNu/4WWmubf0eMrKiEvFWx8kEh8LP6qDXov4C7RDn X-Received: by 2002:a02:8529:: with SMTP id g38mr21940478jai.88.1626707221899; Mon, 19 Jul 2021 08:07:01 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1626707221; cv=none; d=google.com; s=arc-20160816; b=u2pxAiwsif90+lMYpqF7M7V+HFxbN28r8nMTMYJhlV6cbEbTRog3kqOFEk8OHh8zxG 3+PGhG6plXN5H0jtqJtPH3KjWhItfjFuWJBg4iTkW/U0J88gxE31XBSeVb0hL3Hiteis J1X4kgPIKBewWMskHJMOaV6QNKW7IsRllRwYniX+xVfrcS/ONdUmvc6/NVTsQfEO7/ng hbgH1tgNS1rwOmMJqj+MTucKyioMQqzXiWi37oDVpxHrF6zDPf3XiPM0cPnqGg58cuyJ T6VzwBUqUUGLuAtB1MwhwPUo44FzMncJpVIrZC4BYAqFWoZViG0JvfMZeEbl9FNUs4DX 2acg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=WFfMq51X/xcZOoh4lPsYD7yH69HGSr7RBaTV7JSwBM0=; b=h0Y5cQ7ZZzC/a23jYR/43D/3IfeV/oBH/VfVqXJSTYELrUwjN1bqS4hVsYWPUFxBsV mHJYgO/apeRES+0/TSyf3dagjRlNtTqY6obdtWrnnk4EypIk00X6XTk51f9Kdv9XLnCU ozo51orHd4GXVXXLdzjeUJBuafGQylDRB4sbGsGK9ecwdhHYIVF4npAOZQf5SjO0MJ2x VknKQgGb1yC9wrK6uaBtZPfPCW6neo/g+blCCExT8p1x2m2e9iJa88gfUBatU+1kGCG1 Cp1D3HpNkIOCvtVPg+BQSqW5fvbxdHsPSMOgGaReNmcIZwvwzAl1qynJpc2ayXJV3N1J gF9A== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=VbQI8yH+; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id x29si20415496jap.52.2021.07.19.08.06.50; Mon, 19 Jul 2021 08:07:01 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=VbQI8yH+; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S242954AbhGSOZ3 (ORCPT + 99 others); Mon, 19 Jul 2021 10:25:29 -0400 Received: from mail.kernel.org ([198.145.29.99]:56252 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S242691AbhGSOWm (ORCPT ); Mon, 19 Jul 2021 10:22:42 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id 32BB761165; Mon, 19 Jul 2021 15:02:47 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1626706968; bh=Z1n8wsZv+jOd5MN9VkohCRg6WHiM6xigm4+S3agCXjg=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=VbQI8yH+3RyhSsBwnWxOfK8J98FYSI/N12ui++ETn8spp18ArMbr4vLZ5lEFO8Ok9 kXsv2VCFSi1JJ6OWi0IFH7+MgjIQZjeE/Ed+dQ+s8AS4ysO7j/i97nP5u+AlYQjBfF nabG7HNciHW9upSTLuaAQvgYsQ1QnGamjl0KxRF0= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Hulk Robot , Zou Wei , Guenter Roeck , Wim Van Sebroeck , Sasha Levin Subject: [PATCH 4.4 169/188] watchdog: sc520_wdt: Fix possible use-after-free in wdt_turnoff() Date: Mon, 19 Jul 2021 16:52:33 +0200 Message-Id: <20210719144942.020394029@linuxfoundation.org> X-Mailer: git-send-email 2.32.0 In-Reply-To: <20210719144913.076563739@linuxfoundation.org> References: <20210719144913.076563739@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Zou Wei [ Upstream commit 90b7c141132244e8e49a34a4c1e445cce33e07f4 ] This module's remove path calls del_timer(). However, that function does not wait until the timer handler finishes. This means that the timer handler may still be running after the driver's remove function has finished, which would result in a use-after-free. Fix by calling del_timer_sync(), which makes sure the timer handler has finished, and unable to re-schedule itself. Reported-by: Hulk Robot Signed-off-by: Zou Wei Reviewed-by: Guenter Roeck Link: https://lore.kernel.org/r/1620716691-108460-1-git-send-email-zou_wei@huawei.com Signed-off-by: Guenter Roeck Signed-off-by: Wim Van Sebroeck Signed-off-by: Sasha Levin --- drivers/watchdog/sc520_wdt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/watchdog/sc520_wdt.c b/drivers/watchdog/sc520_wdt.c index 1cfd3f6a13d5..08500db8324f 100644 --- a/drivers/watchdog/sc520_wdt.c +++ b/drivers/watchdog/sc520_wdt.c @@ -190,7 +190,7 @@ static int wdt_startup(void) static int wdt_turnoff(void) { /* Stop the timer */ - del_timer(&timer); + del_timer_sync(&timer); /* Stop the watchdog */ wdt_config(0); -- 2.30.2