From patchwork Sun Jun 6 15:37:40 2021
X-Patchwork-Submitter: Manivannan Sadhasivam
X-Patchwork-Id: 455066
From: Manivannan Sadhasivam
To: gregkh@linuxfoundation.org
Cc: hemantk@codeaurora.org, bbhatt@codeaurora.org, linux-arm-msm@vger.kernel.org, linux-kernel@vger.kernel.org, jarvis.w.jiang@gmail.com, loic.poulain@linaro.org, Wei Yongjun, Hulk Robot, Manivannan Sadhasivam
Subject: [PATCH 2/3] bus: mhi: pci_generic: Fix possible use-after-free in mhi_pci_remove()
Date: Sun, 6 Jun 2021 21:07:40 +0530
Message-Id: <20210606153741.20725-3-manivannan.sadhasivam@linaro.org>
In-Reply-To: <20210606153741.20725-1-manivannan.sadhasivam@linaro.org>
References: <20210606153741.20725-1-manivannan.sadhasivam@linaro.org>
X-Mailing-List: linux-arm-msm@vger.kernel.org

From: Wei Yongjun

This driver's remove path calls del_timer(). However, that function does not wait until the timer handler finishes. This means that the timer handler may still be running after the driver's remove function has finished, which would result in a use-after-free.

Fix by calling del_timer_sync(), which makes sure the timer handler has finished, and is unable to re-schedule itself.

Fixes: 8562d4fe34a3 ("mhi: pci_generic: Add health-check")
Reported-by: Hulk Robot
Signed-off-by: Wei Yongjun Reviewed-by: Hemant kumar Reviewed-by: Manivannan Sadhasivam Reviewed-by: Loic Poulain Link: https://lore.kernel.org/r/20210413160318.2003699-1-weiyongjun1@huawei.com Signed-off-by: Manivannan Sadhasivam --- drivers/bus/mhi/pci_generic.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -- 2.25.1 diff --git a/drivers/bus/mhi/pci_generic.c b/drivers/bus/mhi/pci_generic.c index 8c7f6576e421..0a6619ad292c 100644 --- a/drivers/bus/mhi/pci_generic.c +++ b/drivers/bus/mhi/pci_generic.c @@ -708,7 +708,7 @@ static void mhi_pci_remove(struct pci_dev *pdev) struct mhi_pci_device *mhi_pdev = pci_get_drvdata(pdev); struct mhi_controller *mhi_cntrl = &mhi_pdev->mhi_cntrl; - del_timer(&mhi_pdev->health_check_timer); + del_timer_sync(&mhi_pdev->health_check_timer); cancel_work_sync(&mhi_pdev->recovery_work); if (test_and_clear_bit(MHI_PCI_DEV_STARTED, &mhi_pdev->status)) {
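
Review bot: The teardown order in mhi_pci_remove() should be justified in the commit message, because del_timer_sync(&mhi_pdev->health_check_timer) now runs before cancel_work_sync(&mhi_pdev->recovery_work) and the guarantee that the timer stays dead holds only if the recovery work never re-arms health_check_timer. Neither the timer handler nor the work function is visible in this hunk. If the work can re-arm the timer, the timer could be pending again by the time cancel_work_sync() returns, and a second del_timer_sync() after it (or a check of device state before re-arming) would be needed to fully close the use-after-free. If only the handler queues the work, the current order is the right one, and one sentence saying so would help future readers.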