Received: by 2002:a05:6a10:1287:0:0:0:0 with SMTP id d7csp3769520pxv;
        Mon, 19 Jul 2021 08:19:57 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJzd8nsfrfGEW5gQh3VpXf420H2bX6fCi9YujpBnTpRjCIhU4suwg0ZHrOcwTDa77S1MLxZe
X-Received: by 2002:aa7:cc92:: with SMTP id p18mr19647480edt.365.1626707996891;
        Mon, 19 Jul 2021 08:19:56 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1626707996; cv=none;
        d=google.com; s=arc-20160816;
        b=o6uCCi8oFSB6U5jeb2UCYqeP0q4/iVI3xgytrCKD8BxoPzSdi2dwtyGR7PuzEoAQeJ
         by2098P00VVi1h4u4r6VG5zDbjsg4QoA/kgGX/i9/JG1uDeL64w5xNriMl4kIObza3cB
         DFInEWMUdXdcX0GdV5suBHKQlsXLSXmji/Q9zIzG/ngJLDPKYjh0mxkjIVg8hDrCFrmJ
         iUWOwO4ujZ0jDIgyG7FBDewQdYgfCFudggWR1TUfYrKmz2vy6GWhUEqpA0VGBMU4mFVX
         e4oZUEcEuvnF6Eezu+Q+v9N3+RRI3CLvr9pviyRHtnueESeEjd+mr2C8a5ucZDP13YEN
         d8wg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=JjXNnUxNnwFwp6G1WvzkUECRyudPCHTTyroyLjHPI3g=;
        b=wME0pW5yMLZXnX65giBH6NRlSqpX7G4h92tqIVPTjryfe0gssr1LWldPvUfStcINoT
         9R3+WOST91gsLgLaGG5OREjXq7fqyc/tWsfcjV/QXxgFrvA4NqtPZUJ3zh/L1xVKIfy8
         3zcVBuwesNndDo/4CTtEmOkVNp+xUiY5n1584xIGZk3N8ZGFDZl9+I3rcj33dfDUBmHP
         gH8FjFoAnCRq5u5i+f9sES3yf8XTyF2Z64tSvDMDwyimNvjEpEmLIQ/V7eV+RP3HnEIQ
         2x4Z2FBvUTfdUFPMp5kKBtAkPhPyXFcmrHkx1JT4hHvNRAGAEr1hAY5lMpJD+fSan2zX
         TsSg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=GYxx1SgK;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id ko14si13264449ejc.179.2021.07.19.08.19.34;
        Mon, 19 Jul 2021 08:19:56 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=GYxx1SgK;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S244058AbhGSOh5 (ORCPT <rfc822;manjupatil.rnr@gmail.com>
        + 99 others); Mon, 19 Jul 2021 10:37:57 -0400
Received: from mail.kernel.org ([198.145.29.99]:38286 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S244325AbhGSO3f (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 19 Jul 2021 10:29:35 -0400
Received: by mail.kernel.org (Postfix) with ESMTPSA id 9A77E61175;
        Mon, 19 Jul 2021 15:09:15 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org;
        s=korg; t=1626707356;
        bh=74C5aP2MRQm3l9T1LtY5KYwJPaw49ai4Asw0Zt0nA3A=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=GYxx1SgKu+oZx6PzT3we34I/Ra2PcEe8F9qU+5mCsOgN8TT3EdbC2jsVJ3MyUfV5Y
         4/AIXjCPNfSxn6Y2vtZLnwpqtJGCORFeP7WP6C/GwVpzpuW6sQmz+7SMPHXQOTga34
         BJaqayKPbSdI08WUikS4qDY2dhPaag70tuYDmroI=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Hulk Robot <hulkci@huawei.com>,
        Zou Wei <zou_wei@huawei.com>,
        "David S. Miller" <davem@davemloft.net>,
        Sasha Levin <sashal@kernel.org>
Subject: [PATCH 4.9 128/245] atm: nicstar: Fix possible use-after-free in nicstar_cleanup()
Date:   Mon, 19 Jul 2021 16:51:10 +0200
Message-Id: <20210719144944.543748013@linuxfoundation.org>
X-Mailer: git-send-email 2.32.0
In-Reply-To: <20210719144940.288257948@linuxfoundation.org>
References: <20210719144940.288257948@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Zou Wei <zou_wei@huawei.com>

[ Upstream commit 34e7434ba4e97f4b85c1423a59b2922ba7dff2ea ]

This module's remove path calls del_timer(). However, that function
does not wait until the timer handler finishes. This means that the
timer handler may still be running after the driver's remove function
has finished, which would result in a use-after-free.

Fix by calling del_timer_sync(), which makes sure the timer handler
has finished, and unable to re-schedule itself.

Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Zou Wei <zou_wei@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/atm/nicstar.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/atm/nicstar.c b/drivers/atm/nicstar.c
index 8bcd09fb0feb..b2bae94ffe4d 100644
--- a/drivers/atm/nicstar.c
+++ b/drivers/atm/nicstar.c
@@ -298,7 +298,7 @@ static void __exit nicstar_cleanup(void)
 {
 	XPRINTK("nicstar: nicstar_cleanup() called.\n");
 
-	del_timer(&ns_timer);
+	del_timer_sync(&ns_timer);
 
 	pci_unregister_driver(&nicstar_driver);
 
-- 
2.30.2