From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Yang Yingliang <yangyingliang@huawei.com>,
Hulk Robot <hulkci@huawei.com>,
Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>,
Sebastian Reichel <sebastian.reichel@collabora.com>,
Sasha Levin <sashal@kernel.org>,
linux-samsung-soc@vger.kernel.org, linux-pm@vger.kernel.org
Subject: [PATCH AUTOSEL 4.19 22/35] power: supply: s3c_adc_battery: fix possible use-after-free in s3c_adc_bat_remove()
Date: Mon, 3 May 2021 12:40:56 -0400 [thread overview]
Message-ID: <20210503164109.2853838-22-sashal@kernel.org> (raw)
In-Reply-To: <20210503164109.2853838-1-sashal@kernel.org>
From: Yang Yingliang <yangyingliang@huawei.com>
[ Upstream commit 68ae256945d2abe9036a7b68af4cc65aff79d5b7 ]
This driver's remove path calls cancel_delayed_work(). However, that
function does not wait until the work function finishes. This means
that the callback function may still be running after the driver's
remove function has finished, which would result in a use-after-free.
Fix by calling cancel_delayed_work_sync(), which ensures that
the work is properly cancelled, no longer running, and unable
to re-schedule itself.
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/power/supply/s3c_adc_battery.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/power/supply/s3c_adc_battery.c b/drivers/power/supply/s3c_adc_battery.c
index 3d00b35cafc9..8be31f80035c 100644
--- a/drivers/power/supply/s3c_adc_battery.c
+++ b/drivers/power/supply/s3c_adc_battery.c
@@ -394,7 +394,7 @@ static int s3c_adc_bat_remove(struct platform_device *pdev)
gpio_free(pdata->gpio_charge_finished);
}
- cancel_delayed_work(&bat_work);
+ cancel_delayed_work_sync(&bat_work);
if (pdata->exit)
pdata->exit();
--
2.30.2
prev parent reply other threads:[~2021-05-03 16:55 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20210503164109.2853838-1-sashal@kernel.org>
2021-05-03 16:40 ` [PATCH AUTOSEL 4.19 06/35] power: supply: bq27xxx: fix power_avg for newer ICs Sasha Levin
2021-05-03 16:40 ` [PATCH AUTOSEL 4.19 11/35] power: supply: Use IRQF_ONESHOT Sasha Levin
2021-05-03 16:40 ` [PATCH AUTOSEL 4.19 21/35] power: supply: generic-adc-battery: fix possible use-after-free in gab_remove() Sasha Levin
2021-05-03 16:40 ` Sasha Levin [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210503164109.2853838-22-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=hulkci@huawei.com \
--cc=krzysztof.kozlowski@canonical.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-pm@vger.kernel.org \
--cc=linux-samsung-soc@vger.kernel.org \
--cc=sebastian.reichel@collabora.com \
--cc=stable@vger.kernel.org \
--cc=yangyingliang@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).