From: Zheng Hacker <hackerzheng666@gmail.com>
To: Sebastian Reichel <sebastian.reichel@collabora.com>
Cc: Zheng Wang <zyytlz.wz@163.com>,
njavali@marvell.com, mrangankar@marvell.com,
GR-QLogic-Storage-Upstream@marvell.com, jejb@linux.ibm.com,
martin.petersen@oracle.com, linux-pm@vger.kernel.org,
linux-kernel@vger.kernel.org, 1395428693sheep@gmail.com,
alex000young@gmail.com
Subject: Re: [PATCH v2] power: supply: da9150: Fix use after free bug in da9150_charger_remove due to race condition
Date: Mon, 13 Mar 2023 10:50:13 +0800 [thread overview]
Message-ID: <CAJedcCy7-pNmHFC1VinXWUwvzh4cQ1yi4CSSEjgdfB1iidyjQw@mail.gmail.com> (raw)
In-Reply-To: <1fdf00a0-4830-465a-801c-147472fdcd22@mercury.local>
Sebastian Reichel <sebastian.reichel@collabora.com> 于2023年3月13日周一 06:31写道:
>
> Hi,
>
> On Sun, Mar 12, 2023 at 01:46:50AM +0800, Zheng Wang wrote:
> > In da9150_charger_probe, &charger->otg_work is bound with
> > da9150_charger_otg_work. da9150_charger_otg_ncb may be
> > called to start the work.
> >
> > If we remove the module which will call da9150_charger_remove
> > to make cleanup, there may be a unfinished work. The possible
> > sequence is as follows:
> >
> > Fix it by canceling the work before cleanup in the da9150_charger_remove
> >
> > CPU0 CPUc1
> >
> > |da9150_charger_otg_work
> > da9150_charger_remove |
> > power_supply_unregister |
> > device_unregister |
> > power_supply_dev_release|
> > kfree(psy) |
> > |
> > | power_supply_changed(charger->usb);
> > | //use
> >
> > Fixes: c1a281e34dae ("power: Add support for DA9150 Charger")
> > Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
> > ---
> > v2:
> > - fix wrong description in commit message and mov cancel_work_sync
> > after usb_unregister_notifier suggested by Sebastian Reichel
> > ---
>
> Thanks, queued to power-supply's fixes branch. Please make sure you
> send your patches to the correct destination next time (linux-scsi
> should be linux-pm).
Thanks for your effort. I'll keep that in mind :)
Best regards,
Zheng
>
> > drivers/power/supply/da9150-charger.c | 1 +
> > 1 file changed, 1 insertion(+)
> >
> > diff --git a/drivers/power/supply/da9150-charger.c b/drivers/power/supply/da9150-charger.c
> > index 14da5c595dd9..a87aeaea38e1 100644
> > --- a/drivers/power/supply/da9150-charger.c
> > +++ b/drivers/power/supply/da9150-charger.c
> > @@ -657,6 +657,7 @@ static int da9150_charger_remove(struct platform_device *pdev)
> >
> > if (!IS_ERR_OR_NULL(charger->usb_phy))
> > usb_unregister_notifier(charger->usb_phy, &charger->otg_nb);
> > + cancel_work_sync(&charger->otg_work);
> >
> > power_supply_unregister(charger->battery);
> > power_supply_unregister(charger->usb);
> > --
> > 2.25.1
> >
next prev parent reply other threads:[~2023-03-13 2:50 UTC|newest]
Thread overview: 61+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-03-09 22:50 [PATCHv1 00/11] Add DT support for generic ADC battery Sebastian Reichel
2023-03-09 22:50 ` [PATCHv1 01/11] dt-bindings: power: supply: adc-battery: add binding Sebastian Reichel
2023-03-10 8:14 ` Linus Walleij
2023-03-11 17:54 ` Sebastian Reichel
2023-03-13 23:17 ` [PATCHv1 04/11] power: supply: generic-adc-battery: fix unit scaling Sebastian Reichel
2023-03-12 22:50 ` [PATCH] power: supply: bq256xx: Support to disable charger Sebastian Reichel
2023-03-12 22:46 ` drivers/power/supply/qcom_battmgr.c:357:31: sparse: sparse: incorrect type in initializer (different base types) Sebastian Reichel
2023-03-12 22:36 ` [PATCH] power: supply: charger-manager: Use of_property_read_bool() for boolean properties Sebastian Reichel
2023-03-12 22:33 ` [PATCH] power: reset: qcom-pon: drop of_match_ptr for ID table Sebastian Reichel
2023-03-12 22:31 ` [PATCH v2] power: supply: da9150: Fix use after free bug in da9150_charger_remove due to race condition Sebastian Reichel
2023-03-12 22:27 ` [PATCH 1/6] power: supply: rt9455_charger: mark OF related data as maybe unused Sebastian Reichel
2023-03-12 17:07 ` [PATCHv1 02/11] power: supply: core: auto-exposure of simple-battery data Sebastian Reichel
2023-03-13 2:50 ` Zheng Hacker [this message]
2023-03-14 8:14 ` [PATCHv1 04/11] power: supply: generic-adc-battery: fix unit scaling Linus Walleij
2023-03-12 11:29 ` [PATCHv1 01/11] dt-bindings: power: supply: adc-battery: add binding Krzysztof Kozlowski
2023-03-13 6:13 ` Matti Vaittinen
2023-03-09 22:50 ` [PATCHv1 02/11] power: supply: core: auto-exposure of simple-battery data Sebastian Reichel
2023-03-10 1:36 ` kernel test robot
2023-03-10 5:10 ` kernel test robot
2023-03-10 8:20 ` Linus Walleij
2023-03-13 6:45 ` Matti Vaittinen
2023-03-09 22:50 ` [PATCHv1 03/11] power: supply: generic-adc-battery: convert to managed resources Sebastian Reichel
2023-03-10 8:21 ` Linus Walleij
2023-03-13 7:14 ` Matti Vaittinen
2023-03-09 22:50 ` [PATCHv1 04/11] power: supply: generic-adc-battery: fix unit scaling Sebastian Reichel
2023-03-10 8:23 ` Linus Walleij
2023-03-13 7:52 ` Matti Vaittinen
2023-03-09 22:50 ` [PATCHv1 05/11] power: supply: generic-adc-battery: drop jitter delay support Sebastian Reichel
2023-03-10 8:24 ` Linus Walleij
2023-03-09 22:50 ` [PATCHv1 06/11] power: supply: generic-adc-battery: drop charge now support Sebastian Reichel
2023-03-10 8:29 ` Linus Walleij
2023-03-13 7:49 ` Matti Vaittinen
2023-03-13 8:33 ` Linus Walleij
2023-03-09 22:50 ` [PATCHv1 07/11] power: supply: generic-adc-battery: drop memory alloc error message Sebastian Reichel
2023-03-10 8:29 ` Linus Walleij
2023-03-13 7:50 ` Matti Vaittinen
2023-03-09 22:50 ` [PATCHv1 08/11] power: supply: generic-adc-battery: use simple-battery API Sebastian Reichel
2023-03-10 8:30 ` Linus Walleij
2023-03-09 22:50 ` [PATCHv1 09/11] power: supply: generic-adc-battery: simplify read_channel logic Sebastian Reichel
2023-03-10 8:31 ` Linus Walleij
2023-03-13 8:19 ` Matti Vaittinen
2023-03-09 22:50 ` [PATCHv1 10/11] power: supply: generic-adc-battery: add DT support Sebastian Reichel
2023-03-10 8:32 ` Linus Walleij
2023-03-13 8:22 ` Matti Vaittinen
2023-03-09 22:50 ` [PATCHv1 11/11] power: supply: generic-adc-battery: update copyright info Sebastian Reichel
2023-03-10 8:33 ` Linus Walleij
2023-03-13 8:25 ` Matti Vaittinen
-- strict thread matches above, loose matches on Subject: below --
2023-03-11 17:46 [PATCH v2] power: supply: da9150: Fix use after free bug in da9150_charger_remove due to race condition Zheng Wang
2023-03-11 11:15 [PATCH 1/6] power: supply: rt9455_charger: mark OF related data as maybe unused Krzysztof Kozlowski
2023-03-11 11:15 ` [PATCH 2/6] power: supply: twl4030_charger: " Krzysztof Kozlowski
2023-03-11 11:15 ` [PATCH 3/6] power: supply: lp8727_charger: " Krzysztof Kozlowski
2023-03-11 11:15 ` [PATCH 4/6] power: supply: ltc4162-l-charger: " Krzysztof Kozlowski
2023-03-11 11:15 ` [PATCH 5/6] power: supply: bq24257_charger: " Krzysztof Kozlowski
2023-03-11 11:15 ` [PATCH 6/6] power: supply: bq25890_charger: " Krzysztof Kozlowski
2023-03-10 20:06 [PATCH] power: reset: qcom-pon: drop of_match_ptr for ID table Krzysztof Kozlowski
2023-03-10 20:10 ` Konrad Dybcio
2023-03-10 20:48 ` Marijn Suijten
2023-03-10 20:54 ` Krzysztof Kozlowski
2023-03-10 17:04 drivers/power/supply/qcom_battmgr.c:357:31: sparse: sparse: incorrect type in initializer (different base types) kernel test robot
2023-03-10 14:47 [PATCH] power: supply: charger-manager: Use of_property_read_bool() for boolean properties Rob Herring
2023-03-09 6:41 [PATCH] power: supply: bq256xx: Support to disable charger Hermes Zhang
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAJedcCy7-pNmHFC1VinXWUwvzh4cQ1yi4CSSEjgdfB1iidyjQw@mail.gmail.com \
--to=hackerzheng666@gmail.com \
--cc=1395428693sheep@gmail.com \
--cc=GR-QLogic-Storage-Upstream@marvell.com \
--cc=alex000young@gmail.com \
--cc=jejb@linux.ibm.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-pm@vger.kernel.org \
--cc=martin.petersen@oracle.com \
--cc=mrangankar@marvell.com \
--cc=njavali@marvell.com \
--cc=sebastian.reichel@collabora.com \
--cc=zyytlz.wz@163.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.