From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Hulk Robot, Zou Wei, Guenter Roeck, Wim Van Sebroeck, Sasha Levin
Subject: [PATCH 4.14 272/315] watchdog: sc520_wdt: Fix possible use-after-free in wdt_turnoff()
Date: Mon, 19 Jul 2021 16:52:41 +0200
Message-Id: <20210719144952.364081229@linuxfoundation.org>
X-Mailer: git-send-email 2.32.0
In-Reply-To: <20210719144942.861561397@linuxfoundation.org>
References: <20210719144942.861561397@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Zou Wei

[ Upstream commit 90b7c141132244e8e49a34a4c1e445cce33e07f4 ]

This module's remove path calls del_timer(). However, that function does not wait until the timer handler finishes. This means that the timer handler may still be running after the driver's remove function has finished, which would result in a use-after-free.

Fix by calling del_timer_sync(), which makes sure the timer handler has finished, and unable to re-schedule itself.

Reported-by: Hulk Robot
Signed-off-by: Zou Wei
Reviewed-by: Guenter Roeck
Link: https://lore.kernel.org/r/1620716691-108460-1-git-send-email-zou_wei@huawei.com
Signed-off-by: Guenter Roeck
Signed-off-by: Wim Van Sebroeck
Signed-off-by: Sasha Levin
--- drivers/watchdog/sc520_wdt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/watchdog/sc520_wdt.c b/drivers/watchdog/sc520_wdt.c index 1cfd3f6a13d5..08500db8324f 100644 --- a/drivers/watchdog/sc520_wdt.c +++ b/drivers/watchdog/sc520_wdt.c @@ -190,7 +190,7 @@ static int wdt_startup(void) static int wdt_turnoff(void) { /* Stop the timer */ - del_timer(&timer); + del_timer_sync(&timer); /* Stop the watchdog */ wdt_config(0); -- 2.30.2
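
Review bot: In wdt_turnoff(), the new del_timer_sync(&timer) call makes the function sensitive to its calling context, and neither the hunk nor the changelog shows the callers. del_timer_sync() waits for a running handler to finish, so it must not be called from interrupt context or while holding a lock that the timer handler also takes, otherwise it can deadlock. The commit message speaks only of the remove path, while wdt_turnoff() is a general helper; the changelog should state that every caller runs in process context with no such lock held, or a short comment above the call should say so.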