From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-16.0 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_CR_TRAILER,INCLUDES_PATCH,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 66541C48BCF for ; Wed, 9 Jun 2021 16:59:20 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 52772613C8 for ; Wed, 9 Jun 2021 16:59:20 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229734AbhFIRBO (ORCPT ); Wed, 9 Jun 2021 13:01:14 -0400 Received: from mail.kernel.org ([198.145.29.99]:47616 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231132AbhFIRBO (ORCPT ); Wed, 9 Jun 2021 13:01:14 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id DCA5A6139A; Wed, 9 Jun 2021 16:59:18 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1623257959; bh=j+9ZvgFzt2Oi5vNAUO87QSrR/HuRPT3TeK8NyQbv1y0=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=OL9oD4VJfBeYxSMSMijst/dZ0Sf6NRTAA60it+ghUGTkdbxMvtB0gMq2Mk2G0bXku Mb6XihEHsYy1m9LnzmwHNHHgrfM6jpkv6MJZgCYKNIpThjEuxtOHU768KxAPHxDcee ZKD1zhZMZMFynxUSrLphahiaetluzR1+K+91lDSw= Date: Wed, 9 Jun 2021 18:59:16 +0200 From: Greg KH To: Manivannan Sadhasivam Cc: hemantk@codeaurora.org, bbhatt@codeaurora.org, linux-arm-msm@vger.kernel.org, linux-kernel@vger.kernel.org, jarvis.w.jiang@gmail.com, loic.poulain@linaro.org, Wei Yongjun , Hulk Robot Subject: Re: [PATCH 2/3] bus: mhi: pci_generic: Fix possible use-after-free in mhi_pci_remove() Message-ID: References: <20210606153741.20725-1-manivannan.sadhasivam@linaro.org> <20210606153741.20725-3-manivannan.sadhasivam@linaro.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20210606153741.20725-3-manivannan.sadhasivam@linaro.org> Precedence: bulk List-ID: X-Mailing-List: linux-arm-msm@vger.kernel.org On Sun, Jun 06, 2021 at 09:07:40PM +0530, Manivannan Sadhasivam wrote: > From: Wei Yongjun > > This driver's remove path calls del_timer(). However, that function > does not wait until the timer handler finishes. This means that the > timer handler may still be running after the driver's remove function > has finished, which would result in a use-after-free. > > Fix by calling del_timer_sync(), which makes sure the timer handler > has finished, and unable to re-schedule itself. > > Fixes: 8562d4fe34a3 ("mhi: pci_generic: Add health-check") > Reported-by: Hulk Robot > Signed-off-by: Wei Yongjun > Reviewed-by: Hemant kumar > Reviewed-by: Manivannan Sadhasivam > Reviewed-by: Loic Poulain > Link: https://lore.kernel.org/r/20210413160318.2003699-1-weiyongjun1@huawei.com > Signed-off-by: Manivannan Sadhasivam > --- > drivers/bus/mhi/pci_generic.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) No Cc: stable on this? I'll go add it...