From: Sven Van Asbroeck <thesven73@gmail.com>
To: Sebastian Reichel <sre@kernel.org>
Cc: linux-pm@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH v2] power: supply: ds2782: fix possible use-after-free on remove
Date: Tue, 12 Feb 2019 11:21:49 -0500 [thread overview]
Message-ID: <20190212162149.21583-1-TheSven73@gmail.com> (raw)
In remove(), use cancel_delayed_work_sync() to cancel the
delayed work. Otherwise there's a chance that this work
will continue to run until after the device has been removed.
While we're here, fix the deallocation order in remove(),
to correspond to the inverse of the probe() allocation
order. This guarantees that any remaining work can run
to completion with all driver structures still intact.
This issue was detected with the help of Coccinelle.
Signed-off-by: Sven Van Asbroeck <TheSven73@gmail.com>
---
v2: fix silly use-after-free in remove()
drivers/power/supply/ds2782_battery.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/power/supply/ds2782_battery.c b/drivers/power/supply/ds2782_battery.c
index 019c58493e3d..04b0fe7d7d62 100644
--- a/drivers/power/supply/ds2782_battery.c
+++ b/drivers/power/supply/ds2782_battery.c
@@ -319,17 +319,17 @@ static void ds278x_power_supply_init(struct power_supply_desc *battery)
static int ds278x_battery_remove(struct i2c_client *client)
{
struct ds278x_info *info = i2c_get_clientdata(client);
+ int id = info->id;
power_supply_unregister(info->battery);
+ cancel_delayed_work_sync(&info->bat_work);
kfree(info->battery_desc.name);
+ kfree(info);
mutex_lock(&battery_lock);
- idr_remove(&battery_id, info->id);
+ idr_remove(&battery_id, id);
mutex_unlock(&battery_lock);
- cancel_delayed_work(&info->bat_work);
-
- kfree(info);
return 0;
}
--
2.17.1
next reply other threads:[~2019-02-12 16:21 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-02-12 16:21 Sven Van Asbroeck [this message]
2019-02-12 22:30 ` [PATCH v2] power: supply: ds2782: fix possible use-after-free on remove Sebastian Reichel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190212162149.21583-1-TheSven73@gmail.com \
--to=thesven73@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-pm@vger.kernel.org \
--cc=sre@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox