From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Hulk Robot, Zou Wei, Guenter Roeck, Wim Van Sebroeck, Sasha Levin
Subject: [PATCH 4.9 212/245] watchdog: Fix possible use-after-free in wdt_startup()
Date: Mon, 19 Jul 2021 16:52:34 +0200
Message-Id: <20210719144947.249709474@linuxfoundation.org>

From: Zou Wei

[ Upstream commit c08a6b31e4917034f0ed0cb457c3bb209576f542 ]

This module's remove path calls del_timer(). However, that function does not wait until the timer handler finishes. This means that the timer handler may still be running after the driver's remove function has finished, which would result in a use-after-free.

Fix by calling del_timer_sync(), which makes sure the timer handler has finished, and is unable to re-schedule itself.

Reported-by: Hulk Robot
Signed-off-by: Zou Wei
Reviewed-by: Guenter Roeck
Link: https://lore.kernel.org/r/1620716495-108352-1-git-send-email-zou_wei@huawei.com
Signed-off-by: Guenter Roeck
Signed-off-by: Wim Van Sebroeck
Signed-off-by: Sasha Levin
--- drivers/watchdog/sbc60xxwdt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/watchdog/sbc60xxwdt.c b/drivers/watchdog/sbc60xxwdt.c index 2eef58a0cf05..152db059d5aa 100644 --- a/drivers/watchdog/sbc60xxwdt.c +++ b/drivers/watchdog/sbc60xxwdt.c @@ -152,7 +152,7 @@ static void wdt_startup(void) static void wdt_turnoff(void) { /* Stop the timer */ - del_timer(&timer); + del_timer_sync(&timer); inb_p(wdt_stop); pr_info("Watchdog timer is now disabled...\n"); } -- 2.30.2
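
Review bot: The subject names wdt_startup(), but the only changed line, del_timer_sync(&timer), sits in wdt_turnoff(); wdt_startup() appears only as the context in the @@ header. Retitling to reference wdt_turnoff() (or the remove path, as the commit message does) would make the changelog match the function actually touched. One more thing to confirm, since the callers are not visible in this hunk: del_timer_sync() waits for a running handler to finish, so every caller of wdt_turnoff() has to be in process context and must not hold a lock that the timer handler also takes, otherwise the wait can deadlock.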