From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 792C1C74A4B for ; Fri, 10 Mar 2023 09:14:15 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender: Content-Transfer-Encoding:Content-Type:Cc:List-Subscribe:List-Help:List-Post: List-Archive:List-Unsubscribe:List-Id:MIME-Version:Message-Id:Date:Subject:To :From:Reply-To:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References: List-Owner; bh=w8Tievadg1Yk3eGvAYZS9Odpt8D89OTccSO2GkU5DHg=; b=tHu/2F1PnXFoMI POxQkOiahjZxtZ/su5XnM/W23X9VjZ0/kBrbNzmWTSLAgBoOE+/CCYxYc3OvSUB+R2YaCtRVs+eiB 7UXxjDXms83R3L0e9x1vT0FpDzeUl9FagvOrEW0VH/C66OEQSL7H04q1q72zAfjvQ7z6Xt9Ixn5Bu Xzu53Bn1IYKsJzHTM+Uoq5l/s3vm4xPS5Yj1IJzYBo52OrgpCjKHg0mdAGPSgnHXSZC9Bq/j9zeDj nzhapfd7tGFq6EH8r+/EDhSwKIo3OjFYiRC8caR1ZVq4z7WDPJM9cAfybGTe3I6TYIryJbEg6/sKB HduN+x7PjiuL0EefHpvA==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.94.2 #2 (Red Hat Linux)) id 1paYoO-00Dqhd-H4; Fri, 10 Mar 2023 09:13:16 +0000 Received: from m12.mail.163.com ([220.181.12.197]) by bombadil.infradead.org with esmtp (Exim 4.94.2 #2 (Red Hat Linux)) id 1paYoK-00DqeN-VH for linux-arm-kernel@lists.infradead.org; Fri, 10 Mar 2023 09:13:14 +0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=163.com; s=s110527; h=From:Subject:Date:Message-Id:MIME-Version; bh=y8znz v8EogzdwmgG5+xhB25PTiRTxgErQ92Q7uiUT9o=; b=jxTSZ8spskYRjkBy3BupA T6GOPeknXjQlZLWEjGDogJb4h4jDqzEu2KwONowyqwxW5f8twLSzMula8L0//fce mRrDMyv6JPV3h5PJOk+FTlO63Hk6Rh7TMwdG281UGJM5dfyOWoln3+4unHbDNVq8 AJu/q4JqQY0rufwYmoJeGA= Received: from leanderwang-LC2.localdomain (unknown [111.206.145.21]) by zwqz-smtp-mta-g2-1 (Coremail) with SMTP id _____wD3_5uI9Apkyr5QCw--.41643S2; Fri, 10 Mar 2023 17:12:40 +0800 (CST) From: Zheng Wang To: eugen.hristev@collabora.com Subject: [PATCH] iio: at91-sama5d2_adc: Fix use after free bug in at91_adc_remove due to race condition Date: Fri, 10 Mar 2023 17:12:39 +0800 Message-Id: <20230310091239.1440279-1-zyytlz.wz@163.com> X-Mailer: git-send-email 2.25.1 MIME-Version: 1.0 X-CM-TRANSID: _____wD3_5uI9Apkyr5QCw--.41643S2 X-Coremail-Antispam: 1Uf129KBjvJXoWxJr17XrWUCFW3ur1DtF4Dtwb_yoW8GF4Dpa na9FWDCFW7WF10qa1UA34jyFy8t3W5Kw10grZxua43uw45ZryYvr15Ka48XFW5tFyjyFsr XFy8Kw45KF1jyrJanT9S1TB71UUUUUUqnTZGkaVYY2UrUUUUjbIjqfuFe4nvWSU5nxnvy2 9KBjDUYxBIdaVFxhVjvjDU0xZFpf9x0zRnmRUUUUUU= X-Originating-IP: [111.206.145.21] X-CM-SenderInfo: h2113zf2oz6qqrwthudrp/1tbiXQ4uU1WBo3P3ewABsn X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20230310_011313_443350_AB41AF55 X-CRM114-Status: GOOD ( 11.72 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: alexandre.belloni@bootlin.com, lars@metafoo.de, linux-iio@vger.kernel.org, linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org, Zheng Wang , claudiu.beznea@microchip.com, jic23@kernel.org Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org In at91_adc_probe, &st->touch_st.workq is bound with at91_adc_workq_handler. Then it will be started by irq handler at91_adc_touch_data_handler If we remove the driver which will call at91_adc_remove to make cleanup, there may be a unfinished work. The possible sequence is as follows: Fix it by finishing the work before cleanup in the at91_adc_remove CPU0 CPU1 |at91_adc_workq_handler at91_adc_remove | iio_device_unregister| iio_dev_release | kfree(iio_dev_opaque);| | |iio_push_to_buffers |&iio_dev_opaque->buffer_list |//use Fixes: 23ec2774f1cc ("iio: adc: at91-sama5d2_adc: add support for position and pressure channels") Signed-off-by: Zheng Wang --- drivers/iio/adc/at91-sama5d2_adc.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/iio/adc/at91-sama5d2_adc.c b/drivers/iio/adc/at91-sama5d2_adc.c index 50d02e5fc6fc..1b95d18d9e0b 100644 --- a/drivers/iio/adc/at91-sama5d2_adc.c +++ b/drivers/iio/adc/at91-sama5d2_adc.c @@ -2495,6 +2495,8 @@ static int at91_adc_remove(struct platform_device *pdev) struct iio_dev *indio_dev = platform_get_drvdata(pdev); struct at91_adc_state *st = iio_priv(indio_dev); + disable_irq_nosync(st->irq); + cancel_work_sync(&st->touch_st.workq); iio_device_unregister(indio_dev); at91_adc_dma_disable(st); -- 2.25.1 _______________________________________________ linux-arm-kernel mailing list linux-arm-kernel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-arm-kernel