
[2/3] bus: mhi: pci_generic: Fix possible use-after-free in mhi_pci_remove()

Message ID 20210606153741.20725-3-manivannan.sadhasivam@linaro.org
State New
Series MHI fixes for v5.13

Commit Message

Manivannan Sadhasivam June 6, 2021, 3:37 p.m. UTC
From: Wei Yongjun <weiyongjun1@huawei.com>

This driver's remove path calls del_timer(). However, that function
does not wait until the timer handler finishes. This means that the
timer handler may still be running after the driver's remove function
has finished, which would result in a use-after-free.

Fix by calling del_timer_sync(), which makes sure the timer handler
has finished and is unable to re-schedule itself.

Fixes: 8562d4fe34a3 ("mhi: pci_generic: Add health-check")
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
Reviewed-by: Hemant kumar <hemantk@codeaurora.org>
Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
Reviewed-by: Loic Poulain <loic.poulain@linaro.org>
Link: https://lore.kernel.org/r/20210413160318.2003699-1-weiyongjun1@huawei.com
Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>

---
 drivers/bus/mhi/pci_generic.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

-- 
2.25.1

Comments

Greg KH June 9, 2021, 4:59 p.m. UTC | #1
On Sun, Jun 06, 2021 at 09:07:40PM +0530, Manivannan Sadhasivam wrote:
> From: Wei Yongjun <weiyongjun1@huawei.com>
> 
> This driver's remove path calls del_timer(). However, that function
> does not wait until the timer handler finishes. This means that the
> timer handler may still be running after the driver's remove function
> has finished, which would result in a use-after-free.
> 
> Fix by calling del_timer_sync(), which makes sure the timer handler
> has finished and is unable to re-schedule itself.
> 
> Fixes: 8562d4fe34a3 ("mhi: pci_generic: Add health-check")
> Reported-by: Hulk Robot <hulkci@huawei.com>
> Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
> Reviewed-by: Hemant kumar <hemantk@codeaurora.org>
> Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
> Reviewed-by: Loic Poulain <loic.poulain@linaro.org>
> Link: https://lore.kernel.org/r/20210413160318.2003699-1-weiyongjun1@huawei.com
> Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
> ---
>  drivers/bus/mhi/pci_generic.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

No Cc: stable on this?  I'll go add it...

Patch

diff --git a/drivers/bus/mhi/pci_generic.c b/drivers/bus/mhi/pci_generic.c
index 8c7f6576e421..0a6619ad292c 100644
--- a/drivers/bus/mhi/pci_generic.c
+++ b/drivers/bus/mhi/pci_generic.c
@@ -708,7 +708,7 @@  static void mhi_pci_remove(struct pci_dev *pdev)
 	struct mhi_pci_device *mhi_pdev = pci_get_drvdata(pdev);
 	struct mhi_controller *mhi_cntrl = &mhi_pdev->mhi_cntrl;
 
-	del_timer(&mhi_pdev->health_check_timer);
+	del_timer_sync(&mhi_pdev->health_check_timer);
 	cancel_work_sync(&mhi_pdev->recovery_work);
 
 	if (test_and_clear_bit(MHI_PCI_DEV_STARTED, &mhi_pdev->status)) {
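Review bot: The order of del_timer_sync(&mhi_pdev->health_check_timer) followed by cancel_work_sync(&mhi_pdev->recovery_work) in mhi_pci_remove() needs a justification in the commit message or a comment. del_timer_sync() only guarantees that the handler is not running and the timer is not pending at the moment it returns. If recovery_work is able to re-arm health_check_timer (that code is not visible in this hunk), work that is still running before cancel_work_sync() completes could start the timer again and leave the same use-after-free window open after remove returns. Please confirm that path cannot re-arm the timer during removal, or say how the teardown prevents it. Separately, since the patch carries a Fixes: tag for a use-after-free, a Cc: stable trailer belongs with it, as raised in the thread.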