From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Hulk Robot , Zou Wei , "David S. Miller" , Sasha Levin Subject: [PATCH 5.4 008/122] atm: iphase: fix possible use-after-free in ia_module_exit() Date: Thu, 15 Jul 2021 20:37:35 +0200 Message-Id: <20210715182450.482705296@linuxfoundation.org> X-Mailer: git-send-email 2.32.0 In-Reply-To: <20210715182448.393443551@linuxfoundation.org> References: <20210715182448.393443551@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Zou Wei [ Upstream commit 1c72e6ab66b9598cac741ed397438a52065a8f1f ] This module's remove path calls del_timer(). However, that function does not wait until the timer handler finishes. This means that the timer handler may still be running after the driver's remove function has finished, which would result in a use-after-free. Fix by calling del_timer_sync(), which makes sure the timer handler has finished, and unable to re-schedule itself. Reported-by: Hulk Robot Signed-off-by: Zou Wei Signed-off-by: David S. Miller Signed-off-by: Sasha Levin --- drivers/atm/iphase.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/atm/iphase.c b/drivers/atm/iphase.c index 8c7a996d1f16..46990352b5d3 100644 --- a/drivers/atm/iphase.c +++ b/drivers/atm/iphase.c @@ -3295,7 +3295,7 @@ static void __exit ia_module_exit(void) { pci_unregister_driver(&ia_driver); - del_timer(&ia_timer); + del_timer_sync(&ia_timer); } module_init(ia_module_init); -- 2.30.2
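Review bot: in ia_module_exit(), del_timer_sync(&ia_timer) still comes after pci_unregister_driver(&ia_driver), so the timer handler can fire in the window between the two calls, once the driver's devices have already been removed. The visible lines do not show what the handler touches; if it dereferences per-device state that the remove path releases, consider stopping the timer before pci_unregister_driver(), or state in the commit message why the handler is safe to run with no devices bound. The message also refers to "this module's remove path" and "the driver's remove function", while the changed function is the module exit routine; wording it as the module exit path would match the diff. There is no Fixes: tag, which would help when tracking the stable backport.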