From: Tomasz Duszynski <tduszyns@gmail.com>
To: Sven Van Asbroeck <thesven73@gmail.com>
Cc: Peter Rosin <peda@axentia.se>,
Jonathan Cameron <jic23@kernel.org>,
Hartmut Knaack <knaack.h@gmx.de>,
Lars-Peter Clausen <lars@metafoo.de>,
Peter Meerwald-Stadler <pmeerw@pmeerw.net>,
linux-iio@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] iio: envelope-detector: fix use-after-free on device remove
Date: Mon, 11 Mar 2019 19:00:44 +0100 [thread overview]
Message-ID: <20190311180042.GA17880@arch> (raw)
In-Reply-To: <20190310193246.31761-1-TheSven73@gmail.com>
On Sun, Mar 10, 2019 at 03:32:46PM -0400, Sven Van Asbroeck wrote:
> This driver's remove path never explicitly cancels the
> delayed work. So it is possible for the delayed work to
> run after the core has freed the private structure
> (struct envelope). This is a potential use-after-free.
>
> Fix by adding a devm_add_action callback to the remove
> path, called right after iio_device_unregister(), which
> explicitly cancels the delayed work.
>
> This issue was detected with the help of Coccinelle.
>
> Signed-off-by: Sven Van Asbroeck <TheSven73@gmail.com>
> ---
> drivers/iio/adc/envelope-detector.c | 12 ++++++++++++
> 1 file changed, 12 insertions(+)
>
> diff --git a/drivers/iio/adc/envelope-detector.c b/drivers/iio/adc/envelope-detector.c
> index 2f2b563c1162..2f1c78b3ff44 100644
> --- a/drivers/iio/adc/envelope-detector.c
> +++ b/drivers/iio/adc/envelope-detector.c
> @@ -321,6 +321,14 @@ static const struct iio_info envelope_detector_info = {
> .read_raw = &envelope_detector_read_raw,
> };
>
> +static void envelope_detector_stop_work(void *data)
> +{
> + struct iio_dev *indio_dev = data;
> + struct envelope *env = iio_priv(indio_dev);
> +
> + cancel_delayed_work_sync(&env->comp_timeout);
> +}
> +
> static int envelope_detector_probe(struct platform_device *pdev)
> {
> struct device *dev = &pdev->dev;
> @@ -395,6 +403,10 @@ static int envelope_detector_probe(struct platform_device *pdev)
> return ret;
> }
>
> + ret = devm_add_action(dev, envelope_detector_stop_work, indio_dev);
> + if (ret)
> + return ret;
Just a random thought. Wouldn't devm_add_action_or_reset() be a better fit?
In case adding action results in failure we will not get the chance to cancel
work.
> +
> return devm_iio_device_register(dev, indio_dev);
> }
>
> --
> 2.17.1
>
next prev parent reply other threads:[~2019-03-11 18:01 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-03-10 19:32 [PATCH] iio: envelope-detector: fix use-after-free on device remove Sven Van Asbroeck
2019-03-11 18:00 ` Tomasz Duszynski [this message]
2019-03-11 18:41 ` Peter Rosin
2019-03-11 18:47 ` Sven Van Asbroeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190311180042.GA17880@arch \
--to=tduszyns@gmail.com \
--cc=jic23@kernel.org \
--cc=knaack.h@gmx.de \
--cc=lars@metafoo.de \
--cc=linux-iio@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=peda@axentia.se \
--cc=pmeerw@pmeerw.net \
--cc=thesven73@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.