Received: by 2002:a05:6a10:1287:0:0:0:0 with SMTP id d7csp4161570pxv; Mon, 19 Jul 2021 18:54:29 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxuQv8ysPTuylhVCU2ezkHM4TmMVv5zjsbgfES1DnvhcE6mScEJD061EvihyiFdrEkdlBCh X-Received: by 2002:a17:906:851:: with SMTP id f17mr30087639ejd.244.1626746069728; Mon, 19 Jul 2021 18:54:29 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1626746069; cv=none; d=google.com; s=arc-20160816; b=hofixZ5YMQ6fcFDfXa+D2WMzGoQD0sBXFQViO3B0/ZGzVdD8RfCXaVPMvDnHzebrHH GJ8kPM6LClBgh2/XrMTh67pp1Do2IlvZVq7TxAABz+lULcGjjv3ULKXkDemKhoyfiRn4 MxxUZQWCBZC7VftgxQQ4KYd4gM6sOU5KwOR1ZVCkO+CCisoAUb1sZ24pKLtmLyBCVUBo NBUu9qhV6xk9uHcT6xiZLaGIbz2MnuCn0pp6YTEuRRrZFT9r/Ke39Ndl4/zO8ywR2/8s U7AyoTiZCz7uO51MYcD/og7+Vx/CDfN7G7rzgVFtp1HHNmNSgSakH3pVQRrcC4XOZqSJ cfYg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=2ub5zJDKZrxU1qgm6sLw4LGin25S5alc9cG1ZrUlPYY=; b=cSgjb8+qhRXt1B23+JI1FsUvlb0MlwgDeRu/0I8lMsnZApxJlCwbqafL6IAXtd2E7W zYbBoyMBm9O852PctILhy5mQHHy6EWXuc+UaH7Nbmlx4LodOtsXWWuwyEfTIy3AqS+6b +q85pIJY74dWdHZ06X92lV89y6C2zbxhjkrAdtD3G8Yw2NNeTXFFh3QRdqD5GsDZF2pv XMzQaqjB2GyheukrgRQ3PDDs+qrRIUHv9hSVmbO0Wn55HWJuqoECLWwYCQsuU4SWhem1 nXr1iZ8EGImazoRsprb7mMGNXMpp0oHy8riJXmV+u+eECQUO859JHkMlbo2kRTTrfdUH o7yg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=zEGIUluy; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id l27si21885339eja.265.2021.07.19.18.54.07; Mon, 19 Jul 2021 18:54:29 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=zEGIUluy; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1344488AbhGSPLQ (ORCPT + 99 others); Mon, 19 Jul 2021 11:11:16 -0400 Received: from mail.kernel.org ([198.145.29.99]:40450 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1343972AbhGSOsh (ORCPT ); Mon, 19 Jul 2021 10:48:37 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id 41F796128D; Mon, 19 Jul 2021 15:25:40 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1626708340; bh=R0K2ru8SwBXcnmYkkqAkC/oTg8Hmjm3VREYbCa1ftno=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=zEGIUluyjz7ViZHKjHTgnPPGbU0Cvy9Lxs4lRwxkf7RNNXSnc3X3O9IhC/6XxBNXP jfhTom8+HRl4GKq7SIPWwr+Wcqi/4+hoKjcO1hNVDyPFDgk/5SNHa02FLWXuwEQwjz QTfTChm89EF9vYmvuDmf/0FnhqkYbyZBJj0RGZx4= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Hulk Robot , Zou Wei , Guenter Roeck , Vladimir Zapolskiy , Wim Van Sebroeck , Sasha Levin Subject: [PATCH 4.14 273/315] watchdog: Fix possible use-after-free by calling del_timer_sync() Date: Mon, 19 Jul 2021 16:52:42 +0200 Message-Id: <20210719144952.397962386@linuxfoundation.org> X-Mailer: git-send-email 2.32.0 In-Reply-To: <20210719144942.861561397@linuxfoundation.org> References: <20210719144942.861561397@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Zou Wei [ Upstream commit d0212f095ab56672f6f36aabc605bda205e1e0bf ] This driver's remove path calls del_timer(). However, that function does not wait until the timer handler finishes. This means that the timer handler may still be running after the driver's remove function has finished, which would result in a use-after-free. Fix by calling del_timer_sync(), which makes sure the timer handler has finished, and unable to re-schedule itself. Reported-by: Hulk Robot Signed-off-by: Zou Wei Reviewed-by: Guenter Roeck Acked-by: Vladimir Zapolskiy Link: https://lore.kernel.org/r/1620802676-19701-1-git-send-email-zou_wei@huawei.com Signed-off-by: Guenter Roeck Signed-off-by: Wim Van Sebroeck Signed-off-by: Sasha Levin --- drivers/watchdog/lpc18xx_wdt.c | 2 +- drivers/watchdog/w83877f_wdt.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/watchdog/lpc18xx_wdt.c b/drivers/watchdog/lpc18xx_wdt.c index 3b8bb59adf02..e9deeda1fdbf 100644 --- a/drivers/watchdog/lpc18xx_wdt.c +++ b/drivers/watchdog/lpc18xx_wdt.c @@ -300,7 +300,7 @@ static int lpc18xx_wdt_remove(struct platform_device *pdev) struct lpc18xx_wdt_dev *lpc18xx_wdt = platform_get_drvdata(pdev); dev_warn(&pdev->dev, "I quit now, hardware will probably reboot!\n"); - del_timer(&lpc18xx_wdt->timer); + del_timer_sync(&lpc18xx_wdt->timer); watchdog_unregister_device(&lpc18xx_wdt->wdt_dev); clk_disable_unprepare(lpc18xx_wdt->wdt_clk); diff --git a/drivers/watchdog/w83877f_wdt.c b/drivers/watchdog/w83877f_wdt.c index f0483c75ed32..4b52cf321747 100644 --- a/drivers/watchdog/w83877f_wdt.c +++ b/drivers/watchdog/w83877f_wdt.c @@ -170,7 +170,7 @@ static void wdt_startup(void) static void wdt_turnoff(void) { /* Stop the timer */ - del_timer(&timer); + del_timer_sync(&timer); wdt_change(WDT_DISABLE); -- 2.30.2