linux-watchdog.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH AUTOSEL 4.4 05/12] watchdog: Fix possible use-after-free in wdt_startup()
       [not found] <20210710235302.3222809-1-sashal@kernel.org>
@ 2021-07-10 23:52 ` Sasha Levin
  2021-07-10 23:52 ` [PATCH AUTOSEL 4.4 06/12] watchdog: sc520_wdt: Fix possible use-after-free in wdt_turnoff() Sasha Levin
  2021-07-10 23:52 ` [PATCH AUTOSEL 4.4 07/12] watchdog: Fix possible use-after-free by calling del_timer_sync() Sasha Levin
  2 siblings, 0 replies; 3+ messages in thread
From: Sasha Levin @ 2021-07-10 23:52 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Zou Wei, Hulk Robot, Guenter Roeck, Wim Van Sebroeck,
	Sasha Levin, linux-watchdog

From: Zou Wei <zou_wei@huawei.com>

[ Upstream commit c08a6b31e4917034f0ed0cb457c3bb209576f542 ]

This module's remove path calls del_timer(). However, that function
does not wait until the timer handler finishes. This means that the
timer handler may still be running after the driver's remove function
has finished, which would result in a use-after-free.

Fix by calling del_timer_sync(), which makes sure the timer handler
has finished, and unable to re-schedule itself.

Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Zou Wei <zou_wei@huawei.com>
Reviewed-by: Guenter Roeck <linux@roeck-us.net>
Link: https://lore.kernel.org/r/1620716495-108352-1-git-send-email-zou_wei@huawei.com
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Wim Van Sebroeck <wim@linux-watchdog.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/watchdog/sbc60xxwdt.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/watchdog/sbc60xxwdt.c b/drivers/watchdog/sbc60xxwdt.c
index 2eef58a0cf05..152db059d5aa 100644
--- a/drivers/watchdog/sbc60xxwdt.c
+++ b/drivers/watchdog/sbc60xxwdt.c
@@ -152,7 +152,7 @@ static void wdt_startup(void)
 static void wdt_turnoff(void)
 {
 	/* Stop the timer */
-	del_timer(&timer);
+	del_timer_sync(&timer);
 	inb_p(wdt_stop);
 	pr_info("Watchdog timer is now disabled...\n");
 }
-- 
2.30.2


^ permalink raw reply	[flat|nested] 3+ messages in thread

* [PATCH AUTOSEL 4.4 06/12] watchdog: sc520_wdt: Fix possible use-after-free in wdt_turnoff()
       [not found] <20210710235302.3222809-1-sashal@kernel.org>
  2021-07-10 23:52 ` [PATCH AUTOSEL 4.4 05/12] watchdog: Fix possible use-after-free in wdt_startup() Sasha Levin
@ 2021-07-10 23:52 ` Sasha Levin
  2021-07-10 23:52 ` [PATCH AUTOSEL 4.4 07/12] watchdog: Fix possible use-after-free by calling del_timer_sync() Sasha Levin
  2 siblings, 0 replies; 3+ messages in thread
From: Sasha Levin @ 2021-07-10 23:52 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Zou Wei, Hulk Robot, Guenter Roeck, Wim Van Sebroeck,
	Sasha Levin, linux-watchdog

From: Zou Wei <zou_wei@huawei.com>

[ Upstream commit 90b7c141132244e8e49a34a4c1e445cce33e07f4 ]

This module's remove path calls del_timer(). However, that function
does not wait until the timer handler finishes. This means that the
timer handler may still be running after the driver's remove function
has finished, which would result in a use-after-free.

Fix by calling del_timer_sync(), which makes sure the timer handler
has finished, and unable to re-schedule itself.

Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Zou Wei <zou_wei@huawei.com>
Reviewed-by: Guenter Roeck <linux@roeck-us.net>
Link: https://lore.kernel.org/r/1620716691-108460-1-git-send-email-zou_wei@huawei.com
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Wim Van Sebroeck <wim@linux-watchdog.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/watchdog/sc520_wdt.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/watchdog/sc520_wdt.c b/drivers/watchdog/sc520_wdt.c
index 1cfd3f6a13d5..08500db8324f 100644
--- a/drivers/watchdog/sc520_wdt.c
+++ b/drivers/watchdog/sc520_wdt.c
@@ -190,7 +190,7 @@ static int wdt_startup(void)
 static int wdt_turnoff(void)
 {
 	/* Stop the timer */
-	del_timer(&timer);
+	del_timer_sync(&timer);
 
 	/* Stop the watchdog */
 	wdt_config(0);
-- 
2.30.2


^ permalink raw reply	[flat|nested] 3+ messages in thread

* [PATCH AUTOSEL 4.4 07/12] watchdog: Fix possible use-after-free by calling del_timer_sync()
       [not found] <20210710235302.3222809-1-sashal@kernel.org>
  2021-07-10 23:52 ` [PATCH AUTOSEL 4.4 05/12] watchdog: Fix possible use-after-free in wdt_startup() Sasha Levin
  2021-07-10 23:52 ` [PATCH AUTOSEL 4.4 06/12] watchdog: sc520_wdt: Fix possible use-after-free in wdt_turnoff() Sasha Levin
@ 2021-07-10 23:52 ` Sasha Levin
  2 siblings, 0 replies; 3+ messages in thread
From: Sasha Levin @ 2021-07-10 23:52 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Zou Wei, Hulk Robot, Guenter Roeck, Vladimir Zapolskiy,
	Wim Van Sebroeck, Sasha Levin, linux-watchdog, linux-arm-kernel

From: Zou Wei <zou_wei@huawei.com>

[ Upstream commit d0212f095ab56672f6f36aabc605bda205e1e0bf ]

This driver's remove path calls del_timer(). However, that function
does not wait until the timer handler finishes. This means that the
timer handler may still be running after the driver's remove function
has finished, which would result in a use-after-free.

Fix by calling del_timer_sync(), which makes sure the timer handler
has finished, and unable to re-schedule itself.

Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Zou Wei <zou_wei@huawei.com>
Reviewed-by: Guenter Roeck <linux@roeck-us.net>
Acked-by: Vladimir Zapolskiy <vz@mleia.com>
Link: https://lore.kernel.org/r/1620802676-19701-1-git-send-email-zou_wei@huawei.com
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Wim Van Sebroeck <wim@linux-watchdog.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/watchdog/lpc18xx_wdt.c | 2 +-
 drivers/watchdog/w83877f_wdt.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/watchdog/lpc18xx_wdt.c b/drivers/watchdog/lpc18xx_wdt.c
index ab7b8b185d99..fbdc0f32e666 100644
--- a/drivers/watchdog/lpc18xx_wdt.c
+++ b/drivers/watchdog/lpc18xx_wdt.c
@@ -309,7 +309,7 @@ static int lpc18xx_wdt_remove(struct platform_device *pdev)
 	unregister_restart_handler(&lpc18xx_wdt->restart_handler);
 
 	dev_warn(&pdev->dev, "I quit now, hardware will probably reboot!\n");
-	del_timer(&lpc18xx_wdt->timer);
+	del_timer_sync(&lpc18xx_wdt->timer);
 
 	watchdog_unregister_device(&lpc18xx_wdt->wdt_dev);
 	clk_disable_unprepare(lpc18xx_wdt->wdt_clk);
diff --git a/drivers/watchdog/w83877f_wdt.c b/drivers/watchdog/w83877f_wdt.c
index f0483c75ed32..4b52cf321747 100644
--- a/drivers/watchdog/w83877f_wdt.c
+++ b/drivers/watchdog/w83877f_wdt.c
@@ -170,7 +170,7 @@ static void wdt_startup(void)
 static void wdt_turnoff(void)
 {
 	/* Stop the timer */
-	del_timer(&timer);
+	del_timer_sync(&timer);
 
 	wdt_change(WDT_DISABLE);
 
-- 
2.30.2


^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2021-07-10 23:58 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
     [not found] <20210710235302.3222809-1-sashal@kernel.org>
2021-07-10 23:52 ` [PATCH AUTOSEL 4.4 05/12] watchdog: Fix possible use-after-free in wdt_startup() Sasha Levin
2021-07-10 23:52 ` [PATCH AUTOSEL 4.4 06/12] watchdog: sc520_wdt: Fix possible use-after-free in wdt_turnoff() Sasha Levin
2021-07-10 23:52 ` [PATCH AUTOSEL 4.4 07/12] watchdog: Fix possible use-after-free by calling del_timer_sync() Sasha Levin

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).