From: Manivannan Sadhasivam <mani@kernel.org>
To: Wei Yongjun <weiyongjun1@huawei.com>
Cc: Loic Poulain <loic.poulain@linaro.org>,
Hemant Kumar <hemantk@codeaurora.org>,
linux-arm-msm@vger.kernel.org, kernel-janitors@vger.kernel.org,
Hulk Robot <hulkci@huawei.com>
Subject: Re: [PATCH -next] bus: mhi: pci_generic: Fix possible use-after-free in mhi_pci_remove()
Date: Fri, 21 May 2021 23:07:59 +0530 [thread overview]
Message-ID: <20210521173759.GR70095@thinkpad> (raw)
In-Reply-To: <20210413160318.2003699-1-weiyongjun1@huawei.com>
On Tue, Apr 13, 2021 at 04:03:18PM +0000, Wei Yongjun wrote:
> This driver's remove path calls del_timer(). However, that function
> does not wait until the timer handler finishes. This means that the
> timer handler may still be running after the driver's remove function
> has finished, which would result in a use-after-free.
>
> Fix by calling del_timer_sync(), which makes sure the timer handler
> has finished, and unable to re-schedule itself.
>
> Fixes: 8562d4fe34a3 ("mhi: pci_generic: Add health-check")
> Reported-by: Hulk Robot <hulkci@huawei.com>
> Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
Applied to mhi-fixes!
Thanks,
Mani
> ---
> drivers/bus/mhi/pci_generic.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/bus/mhi/pci_generic.c b/drivers/bus/mhi/pci_generic.c
> index 7c810f02a2ef..5b19e877d17a 100644
> --- a/drivers/bus/mhi/pci_generic.c
> +++ b/drivers/bus/mhi/pci_generic.c
> @@ -708,7 +708,7 @@ static void mhi_pci_remove(struct pci_dev *pdev)
> struct mhi_pci_device *mhi_pdev = pci_get_drvdata(pdev);
> struct mhi_controller *mhi_cntrl = &mhi_pdev->mhi_cntrl;
>
> - del_timer(&mhi_pdev->health_check_timer);
> + del_timer_sync(&mhi_pdev->health_check_timer);
> cancel_work_sync(&mhi_pdev->recovery_work);
>
> if (test_and_clear_bit(MHI_PCI_DEV_STARTED, &mhi_pdev->status)) {
>
prev parent reply other threads:[~2021-05-21 17:38 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-04-13 16:03 Wei Yongjun
2021-04-16 15:38 ` Loic Poulain
2021-05-03 22:41 ` Hemant Kumar
2021-05-21 12:17 ` Manivannan Sadhasivam
2021-05-21 12:19 ` Manivannan Sadhasivam
2021-05-21 17:37 ` Manivannan Sadhasivam [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210521173759.GR70095@thinkpad \
--to=mani@kernel.org \
--cc=hemantk@codeaurora.org \
--cc=hulkci@huawei.com \
--cc=kernel-janitors@vger.kernel.org \
--cc=linux-arm-msm@vger.kernel.org \
--cc=loic.poulain@linaro.org \
--cc=weiyongjun1@huawei.com \
--subject='Re: [PATCH -next] bus: mhi: pci_generic: Fix possible use-after-free in mhi_pci_remove()' \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).