linux-kernel.vger.kernel.org archive mirror
* [PATCH v2] power: supply: ds2782: fix possible use-after-free on remove
@ 2019-02-12 16:21 Sven Van Asbroeck
  2019-02-12 22:30 ` Sebastian Reichel
  0 siblings, 1 reply; 2+ messages in thread
From: Sven Van Asbroeck @ 2019-02-12 16:21 UTC (permalink / raw)
  To: Sebastian Reichel; +Cc: linux-pm, linux-kernel

In remove(), use cancel_delayed_work_sync() to cancel the
delayed work. Otherwise there's a chance that this work
will continue to run until after the device has been removed.

While we're here, fix the deallocation order in remove(),
to correspond to the inverse of the probe() allocation
order. This guarantees that any remaining work can run
to completion with all driver structures still intact.

This issue was detected with the help of Coccinelle.

Signed-off-by: Sven Van Asbroeck <TheSven73@gmail.com>
---

v2: fix silly use-after-free in remove()

 drivers/power/supply/ds2782_battery.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/drivers/power/supply/ds2782_battery.c b/drivers/power/supply/ds2782_battery.c
index 019c58493e3d..04b0fe7d7d62 100644
--- a/drivers/power/supply/ds2782_battery.c
+++ b/drivers/power/supply/ds2782_battery.c
@@ -319,17 +319,17 @@ static void ds278x_power_supply_init(struct power_supply_desc *battery)
 static int ds278x_battery_remove(struct i2c_client *client)
 {
 	struct ds278x_info *info = i2c_get_clientdata(client);
+	int id = info->id;
 
 	power_supply_unregister(info->battery);
+	cancel_delayed_work_sync(&info->bat_work);
 	kfree(info->battery_desc.name);
+	kfree(info);
 
 	mutex_lock(&battery_lock);
-	idr_remove(&battery_id, info->id);
+	idr_remove(&battery_id, id);
 	mutex_unlock(&battery_lock);
 
-	cancel_delayed_work(&info->bat_work);
-
-	kfree(info);
 	return 0;
 }
 
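Review bot: in ds278x_battery_remove(), cancel_delayed_work_sync(&info->bat_work) runs after power_supply_unregister(info->battery), so a bat_work instance that is already pending or running can still execute once the power supply has been unregistered. If the work handler touches info->battery (the handler is not visible in this hunk), cancel the work before unregistering. Otherwise the commit message should say why unregister-then-cancel is safe; at present it only states that the order mirrors probe().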
-- 
2.17.1



* Re: [PATCH v2] power: supply: ds2782: fix possible use-after-free on remove
  2019-02-12 16:21 [PATCH v2] power: supply: ds2782: fix possible use-after-free on remove Sven Van Asbroeck
@ 2019-02-12 22:30 ` Sebastian Reichel
  0 siblings, 0 replies; 2+ messages in thread
From: Sebastian Reichel @ 2019-02-12 22:30 UTC (permalink / raw)
  To: Sven Van Asbroeck; +Cc: linux-pm, linux-kernel


Hi,

On Tue, Feb 12, 2019 at 11:21:49AM -0500, Sven Van Asbroeck wrote:
> In remove(), use cancel_delayed_work_sync() to cancel the
> delayed work. Otherwise there's a chance that this work
> will continue to run until after the device has been removed.
> 
> While we're here, fix the deallocation order in remove(),
> to correspond to the inverse of the probe() allocation
> order. This guarantees that any remaining work can run
> to completion with all driver structures still intact.
> 
> This issue was detected with the help of Coccinelle.
> 
> Signed-off-by: Sven Van Asbroeck <TheSven73@gmail.com>
> ---

Thanks, queued to power-supply's linux-next branch.

-- Sebastian

> v2: fix silly use-after-free in remove()
> 
>  drivers/power/supply/ds2782_battery.c | 8 ++++----
>  1 file changed, 4 insertions(+), 4 deletions(-)
> 
> diff --git a/drivers/power/supply/ds2782_battery.c b/drivers/power/supply/ds2782_battery.c
> index 019c58493e3d..04b0fe7d7d62 100644
> --- a/drivers/power/supply/ds2782_battery.c
> +++ b/drivers/power/supply/ds2782_battery.c
> @@ -319,17 +319,17 @@ static void ds278x_power_supply_init(struct power_supply_desc *battery)
>  static int ds278x_battery_remove(struct i2c_client *client)
>  {
>  	struct ds278x_info *info = i2c_get_clientdata(client);
> +	int id = info->id;
>  
>  	power_supply_unregister(info->battery);
> +	cancel_delayed_work_sync(&info->bat_work);
>  	kfree(info->battery_desc.name);
> +	kfree(info);
>  
>  	mutex_lock(&battery_lock);
> -	idr_remove(&battery_id, info->id);
> +	idr_remove(&battery_id, id);
>  	mutex_unlock(&battery_lock);
>  
> -	cancel_delayed_work(&info->bat_work);
> -
> -	kfree(info);
>  	return 0;
>  }
>  
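Review bot: the new "int id = info->id;" local is needed only because kfree(info) now sits ahead of the battery_lock section that calls idr_remove(). Keeping kfree(info) as the last statement before "return 0;" would let idr_remove(&battery_id, info->id) stay as it was, with no copy, and a later edit could not reintroduce a read of info after the free. If the early free is kept to mirror probe(), a one-line comment above kfree(info) saying info must not be dereferenced below it would document the constraint that v1 tripped over.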
> -- 
> 2.17.1
> 
