Date: Thu, 13 Oct 2022 15:20:05 +0200
From: Greg KH
To: Duoming Zhou
Cc: linux-kernel@vger.kernel.org, netdev@vger.kernel.org, isdn@linux-pingi.de, kuba@kernel.org, andrii@kernel.org, davem@davemloft.net, axboe@kernel.dk
Subject: Re: [PATCH] mISDN: hfcpci: Fix use-after-free bug in hfcpci_Timer
Message-ID:
References: <20221013125729.105652-1-duoming@zju.edu.cn>
In-Reply-To: <20221013125729.105652-1-duoming@zju.edu.cn>
List-ID: X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Oct 13, 2022 at 08:57:29PM +0800, Duoming Zhou wrote:
> If the timer handler hfcpci_Timer() is running, the
> del_timer(&hc->hw.timer) in release_io_hfcpci() could
> not stop it. As a result, the use-after-free bug will
> happen. The process is shown below:
>
> (cleanup routine)          | (timer handler)
> release_card()             | hfcpci_Timer()
>  release_io_hfcpci         |
>   del_timer(&hc->hw.timer) |
>   ...                      | ...
>   kfree(hc) //[1]FREE      |
>                            | hc->hw.timer.expires //[2]USE
>
> The hfc_pci is deallocated in position [1] and used in
> position [2].
>
> Fix by changing del_timer() in release_io_hfcpci() to
> del_timer_sync(), which makes sure the hfcpci_Timer()
> has finished before the hfc_pci is deallocated.
>
> Fixes: 1700fe1a10dc ("Add mISDN HFC PCI driver")
> Signed-off-by: Duoming Zhou
> ---
>  drivers/isdn/hardware/mISDN/hfcpci.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/isdn/hardware/mISDN/hfcpci.c b/drivers/isdn/hardware/mISDN/hfcpci.c
> index af17459c1a5..5cf37fe7de2 100644
> --- a/drivers/isdn/hardware/mISDN/hfcpci.c
> +++ b/drivers/isdn/hardware/mISDN/hfcpci.c
> @@ -157,7 +157,7 @@ release_io_hfcpci(struct hfc_pci *hc)
>  {
>  	/* disable memory mapped ports + busmaster */
>  	pci_write_config_word(hc->pdev, PCI_COMMAND, 0);
> -	del_timer(&hc->hw.timer);
> +	del_timer_sync(&hc->hw.timer);

Nice, how did you test that this will work properly?  Do you have this
hardware for testing?

How was this issue found and verified that this is the correct
resolution?

thanks,

greg k-h
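Review bot: The switch from `del_timer(&hc->hw.timer)` to `del_timer_sync(&hc->hw.timer)` in the `release_io_hfcpci()` hunk closes the window drawn in the commit message only if two preconditions hold that the hunk itself does not show: `del_timer_sync()` waits for a running `hfcpci_Timer()` to return, so it must not be called while holding a lock that the handler also takes, and it must not be called from the timer callback itself; the commit message should state the calling context of `release_io_hfcpci()` (process context from `release_card()`, no handler-side lock held) so a reviewer can confirm the call is safe. It also only guarantees that the handler has finished, not that it cannot re-arm the timer; if `hfcpci_Timer()` can re-arm itself with `add_timer()`/`mod_timer()`, the driver needs a stop condition checked by the handler in addition to this change, and a sentence confirming whether the handler re-arms would make that explicit. Finally, the "how was this issue found" question in the reply belongs answered in the commit message (a KASAN/sanitizer report, a static-analysis finding, or a test on real hardware), since the `Fixes:` tag will route this into stable trees.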