From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Hulk Robot , Zou Wei , Guenter Roeck , Wim Van Sebroeck , Sasha Levin Subject: [PATCH 4.9 213/245] watchdog: sc520_wdt: Fix possible use-after-free in wdt_turnoff() Date: Mon, 19 Jul 2021 16:52:35 +0200 Message-Id: <20210719144947.280808156@linuxfoundation.org> X-Mailer: git-send-email 2.32.0 In-Reply-To: <20210719144940.288257948@linuxfoundation.org> References: <20210719144940.288257948@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Zou Wei [ Upstream commit 90b7c141132244e8e49a34a4c1e445cce33e07f4 ] This module's remove path calls del_timer(). However, that function does not wait until the timer handler finishes. This means that the timer handler may still be running after the driver's remove function has finished, which would result in a use-after-free. Fix by calling del_timer_sync(), which makes sure the timer handler has finished, and unable to re-schedule itself. Reported-by: Hulk Robot Signed-off-by: Zou Wei Reviewed-by: Guenter Roeck Link: https://lore.kernel.org/r/1620716691-108460-1-git-send-email-zou_wei@huawei.com Signed-off-by: Guenter Roeck Signed-off-by: Wim Van Sebroeck Signed-off-by: Sasha Levin --- drivers/watchdog/sc520_wdt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/watchdog/sc520_wdt.c b/drivers/watchdog/sc520_wdt.c index 1cfd3f6a13d5..08500db8324f 100644 --- a/drivers/watchdog/sc520_wdt.c +++ b/drivers/watchdog/sc520_wdt.c @@ -190,7 +190,7 @@ static int wdt_startup(void) static int wdt_turnoff(void) { /* Stop the timer */ - del_timer(&timer); + del_timer_sync(&timer); /* Stop the watchdog */ wdt_config(0); -- 2.30.2
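Review bot: In wdt_turnoff(), replacing del_timer(&timer) with del_timer_sync(&timer) makes the function wait for a running handler, so every caller of wdt_turnoff() must now be in a context where that wait is safe: not interrupt context, and not holding a lock that the timer handler takes. The commit message only discusses the module's remove path, while the hunk changes the shared helper rather than the remove function itself. It should say which other paths call wdt_turnoff() and that they were checked. The ordering in the hunk is otherwise right: the timer is stopped before wdt_config(0), so no handler can still be running when the watchdog is disabled.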