From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Zou Wei <zou_wei@huawei.com>, Hulk Robot <hulkci@huawei.com>,
Guenter Roeck <linux@roeck-us.net>,
Vladimir Zapolskiy <vz@mleia.com>,
Wim Van Sebroeck <wim@linux-watchdog.org>,
Sasha Levin <sashal@kernel.org>,
linux-watchdog@vger.kernel.org,
linux-arm-kernel@lists.infradead.org
Subject: [PATCH AUTOSEL 5.12 17/43] watchdog: Fix possible use-after-free by calling del_timer_sync()
Date: Sat, 10 Jul 2021 19:48:49 -0400
Message-ID: <20210710234915.3220342-17-sashal@kernel.org>
In-Reply-To: <20210710234915.3220342-1-sashal@kernel.org>
From: Zou Wei <zou_wei@huawei.com>
[ Upstream commit d0212f095ab56672f6f36aabc605bda205e1e0bf ]
This driver's remove path calls del_timer(). However, that function
does not wait until the timer handler finishes. This means that the
timer handler may still be running after the driver's remove function
has finished, which would result in a use-after-free.
Fix by calling del_timer_sync(), which makes sure the timer handler
has finished and is unable to re-schedule itself.
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Zou Wei <zou_wei@huawei.com>
Reviewed-by: Guenter Roeck <linux@roeck-us.net>
Acked-by: Vladimir Zapolskiy <vz@mleia.com>
Link: https://lore.kernel.org/r/1620802676-19701-1-git-send-email-zou_wei@huawei.com
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Wim Van Sebroeck <wim@linux-watchdog.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/watchdog/lpc18xx_wdt.c | 2 +-
drivers/watchdog/w83877f_wdt.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/watchdog/lpc18xx_wdt.c b/drivers/watchdog/lpc18xx_wdt.c
index 78cf11c94941..60b6d74f267d 100644
--- a/drivers/watchdog/lpc18xx_wdt.c
+++ b/drivers/watchdog/lpc18xx_wdt.c
@@ -292,7 +292,7 @@ static int lpc18xx_wdt_remove(struct platform_device *pdev)
struct lpc18xx_wdt_dev *lpc18xx_wdt = platform_get_drvdata(pdev);
dev_warn(&pdev->dev, "I quit now, hardware will probably reboot!\n");
- del_timer(&lpc18xx_wdt->timer);
+ del_timer_sync(&lpc18xx_wdt->timer);
return 0;
}
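Review bot: In lpc18xx_wdt_remove(), del_timer_sync() only guarantees the handler is idle at the moment it returns; the hunk does not show whether any other path can still re-arm lpc18xx_wdt->timer after that point and before the structure is freed. Please confirm the watchdog device is already unregistered, or otherwise unable to reach the timer, by the time this line runs, and say so in the commit message. del_timer_sync() also must not be called from interrupt context or while holding a lock the handler takes; that holds for a platform remove callback, but a one-line comment above the call explaining why the _sync variant is required would keep it from being reverted to del_timer() later.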
diff --git a/drivers/watchdog/w83877f_wdt.c b/drivers/watchdog/w83877f_wdt.c
index 5772cc5d3780..f2650863fd02 100644
--- a/drivers/watchdog/w83877f_wdt.c
+++ b/drivers/watchdog/w83877f_wdt.c
@@ -166,7 +166,7 @@ static void wdt_startup(void)
static void wdt_turnoff(void)
{
/* Stop the timer */
- del_timer(&timer);
+ del_timer_sync(&timer);
wdt_change(WDT_DISABLE);
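Review bot: The commit message describes a driver remove path, but this change is in wdt_turnoff(), and the timer is passed as &timer, which looks like a file-scope object rather than a member of a freed device structure. The message should state which memory can be used after free here (presumably the module's own data and handler on unload) and name both drivers, since the subject mentions neither. Also note that del_timer_sync() waits for a running handler, so every caller of wdt_turnoff() has to be in process context and must not hold a lock the handler takes; the callers are not visible in this hunk, so please confirm that. Ordering looks right in that wdt_change(WDT_DISABLE) now runs only after the handler can no longer touch the hardware.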
--
2.30.2