From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Hulk Robot <hulkci@huawei.com>,
Zou Wei <zou_wei@huawei.com>,
"David S. Miller" <davem@davemloft.net>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.4 010/122] atm: nicstar: Fix possible use-after-free in nicstar_cleanup()
Date: Thu, 15 Jul 2021 20:37:37 +0200 [thread overview]
Message-ID: <20210715182450.976392699@linuxfoundation.org> (raw)
In-Reply-To: <20210715182448.393443551@linuxfoundation.org>
From: Zou Wei <zou_wei@huawei.com>
[ Upstream commit 34e7434ba4e97f4b85c1423a59b2922ba7dff2ea ]
This module's remove path calls del_timer(). However, that function
does not wait until the timer handler finishes. This means that the
timer handler may still be running after the driver's remove function
has finished, which would result in a use-after-free.
Fix by calling del_timer_sync(), which makes sure the timer handler
has finished, and unable to re-schedule itself.
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Zou Wei <zou_wei@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/atm/nicstar.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/atm/nicstar.c b/drivers/atm/nicstar.c
index bb9835c62641..5ec7b6a60145 100644
--- a/drivers/atm/nicstar.c
+++ b/drivers/atm/nicstar.c
@@ -297,7 +297,7 @@ static void __exit nicstar_cleanup(void)
{
XPRINTK("nicstar: nicstar_cleanup() called.\n");
- del_timer(&ns_timer);
+ del_timer_sync(&ns_timer);
pci_unregister_driver(&nicstar_driver);
--
2.30.2
next prev parent reply other threads:[~2021-07-15 18:41 UTC|newest]
Thread overview: 131+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-07-15 18:37 [PATCH 5.4 000/122] 5.4.133-rc1 review Greg Kroah-Hartman
2021-07-15 18:37 ` [PATCH 5.4 001/122] drm/mxsfb: Dont select DRM_KMS_FB_HELPER Greg Kroah-Hartman
2021-07-15 18:37 ` [PATCH 5.4 002/122] drm/zte: " Greg Kroah-Hartman
2021-07-15 18:37 ` [PATCH 5.4 003/122] drm/amd/amdgpu/sriov disable all ip hw status by default Greg Kroah-Hartman
2021-07-15 18:37 ` [PATCH 5.4 004/122] drm/vc4: fix argument ordering in vc4_crtc_get_margins() Greg Kroah-Hartman
2021-07-15 18:37 ` [PATCH 5.4 005/122] net: pch_gbe: Use proper accessors to BE data in pch_ptp_match() Greg Kroah-Hartman
2021-07-15 18:37 ` [PATCH 5.4 006/122] drm/amd/display: fix use_max_lb flag for 420 pixel formats Greg Kroah-Hartman
2021-07-15 18:37 ` [PATCH 5.4 007/122] hugetlb: clear huge pte during flush function on mips platform Greg Kroah-Hartman
2021-07-15 18:37 ` [PATCH 5.4 008/122] atm: iphase: fix possible use-after-free in ia_module_exit() Greg Kroah-Hartman
2021-07-15 18:37 ` [PATCH 5.4 009/122] mISDN: fix possible use-after-free in HFC_cleanup() Greg Kroah-Hartman
2021-07-15 18:37 ` Greg Kroah-Hartman [this message]
2021-07-15 18:37 ` [PATCH 5.4 011/122] net: Treat __napi_schedule_irqoff() as __napi_schedule() on PREEMPT_RT Greg Kroah-Hartman
2021-07-15 18:37 ` [PATCH 5.4 012/122] drm/mediatek: Fix PM reference leak in mtk_crtc_ddp_hw_init() Greg Kroah-Hartman
2021-07-15 18:37 ` [PATCH 5.4 013/122] reiserfs: add check for invalid 1st journal block Greg Kroah-Hartman
2021-07-15 18:37 ` [PATCH 5.4 014/122] drm/virtio: Fix double free on probe failure Greg Kroah-Hartman
2021-07-15 18:37 ` [PATCH 5.4 015/122] drm/sched: Avoid data corruptions Greg Kroah-Hartman
2021-07-15 18:37 ` [PATCH 5.4 016/122] udf: Fix NULL pointer dereference in udf_symlink function Greg Kroah-Hartman
2021-07-15 18:37 ` [PATCH 5.4 017/122] e100: handle eeprom as little endian Greg Kroah-Hartman
2021-07-15 18:37 ` [PATCH 5.4 018/122] igb: handle vlan types with checker enabled Greg Kroah-Hartman
2021-07-15 18:37 ` [PATCH 5.4 019/122] drm/bridge: cdns: Fix PM reference leak in cdns_dsi_transfer() Greg Kroah-Hartman
2021-07-15 18:37 ` [PATCH 5.4 020/122] clk: renesas: r8a77995: Add ZA2 clock Greg Kroah-Hartman
2021-07-15 18:37 ` [PATCH 5.4 021/122] clk: tegra: Ensure that PLLU configuration is applied properly Greg Kroah-Hartman
2021-07-15 18:37 ` [PATCH 5.4 022/122] ipv6: use prandom_u32() for ID generation Greg Kroah-Hartman
2021-07-15 18:37 ` [PATCH 5.4 023/122] RDMA/cxgb4: Fix missing error code in create_qp() Greg Kroah-Hartman
2021-07-15 18:37 ` [PATCH 5.4 024/122] dm space maps: dont reset space map allocation cursor when committing Greg Kroah-Hartman
2021-07-15 18:37 ` [PATCH 5.4 025/122] pinctrl: mcp23s08: fix race condition in irq handler Greg Kroah-Hartman
2021-07-15 18:37 ` [PATCH 5.4 026/122] ice: set the value of global config lock timeout longer Greg Kroah-Hartman
2021-07-15 18:37 ` [PATCH 5.4 027/122] virtio_net: Remove BUG() to avoid machine dead Greg Kroah-Hartman
2021-07-15 18:37 ` [PATCH 5.4 028/122] net: bcmgenet: check return value after calling platform_get_resource() Greg Kroah-Hartman
2021-07-15 18:37 ` [PATCH 5.4 029/122] net: mvpp2: " Greg Kroah-Hartman
2021-07-15 18:37 ` [PATCH 5.4 030/122] net: micrel: " Greg Kroah-Hartman
2021-07-15 18:37 ` [PATCH 5.4 031/122] net: moxa: Use devm_platform_get_and_ioremap_resource() Greg Kroah-Hartman
2021-07-15 21:26 ` Sudip Mukherjee
2021-07-16 1:37 ` Yang Yingliang
2021-07-16 17:57 ` Greg Kroah-Hartman
2021-07-15 18:37 ` [PATCH 5.4 032/122] drm/amd/display: Update scaling settings on modeset Greg Kroah-Hartman
2021-07-15 18:38 ` [PATCH 5.4 033/122] drm/amd/display: Release MST resources on switch from MST to SST Greg Kroah-Hartman
2021-07-15 18:38 ` [PATCH 5.4 034/122] drm/amd/display: Set DISPCLK_MAX_ERRDET_CYCLES to 7 Greg Kroah-Hartman
2021-07-15 18:38 ` [PATCH 5.4 035/122] drm/amdkfd: use allowed domain for vmbo validation Greg Kroah-Hartman
2021-07-15 18:38 ` [PATCH 5.4 036/122] fjes: check return value after calling platform_get_resource() Greg Kroah-Hartman
2021-07-15 18:38 ` [PATCH 5.4 037/122] selinux: use __GFP_NOWARN with GFP_NOWAIT in the AVC Greg Kroah-Hartman
2021-07-15 18:38 ` [PATCH 5.4 038/122] r8169: avoid link-up interrupt issue on RTL8106e if user enables ASPM Greg Kroah-Hartman
2021-07-15 18:38 ` [PATCH 5.4 039/122] drm/amd/display: Verify Gamma & Degamma LUT sizes in amdgpu_dm_atomic_check Greg Kroah-Hartman
2021-07-15 18:38 ` [PATCH 5.4 040/122] xfrm: Fix error reporting in xfrm_state_construct Greg Kroah-Hartman
2021-07-15 18:38 ` [PATCH 5.4 041/122] wlcore/wl12xx: Fix wl12xx get_mac error if device is in ELP Greg Kroah-Hartman
2021-07-15 18:38 ` [PATCH 5.4 042/122] wl1251: Fix possible buffer overflow in wl1251_cmd_scan Greg Kroah-Hartman
2021-07-15 18:38 ` [PATCH 5.4 043/122] cw1200: add missing MODULE_DEVICE_TABLE Greg Kroah-Hartman
2021-07-15 18:38 ` [PATCH 5.4 044/122] bpf: Fix up register-based shifts in interpreter to silence KUBSAN Greg Kroah-Hartman
2021-07-15 18:38 ` [PATCH 5.4 045/122] mt76: mt7615: fix fixed-rate tx status reporting Greg Kroah-Hartman
2021-07-15 18:38 ` [PATCH 5.4 046/122] net: fix mistake path for netdev_features_strings Greg Kroah-Hartman
2021-07-15 18:38 ` [PATCH 5.4 047/122] net: sched: fix error return code in tcf_del_walker() Greg Kroah-Hartman
2021-07-15 18:38 ` [PATCH 5.4 048/122] drm/amdkfd: Walk through list with dqm lock hold Greg Kroah-Hartman
2021-07-15 18:38 ` [PATCH 5.4 049/122] rtl8xxxu: Fix device info for RTL8192EU devices Greg Kroah-Hartman
2021-07-15 18:38 ` [PATCH 5.4 050/122] MIPS: add PMD table accounting into MIPSpmd_alloc_one Greg Kroah-Hartman
2021-07-15 18:38 ` [PATCH 5.4 051/122] atm: nicstar: use dma_free_coherent instead of kfree Greg Kroah-Hartman
2021-07-15 18:38 ` [PATCH 5.4 052/122] atm: nicstar: register the interrupt handler in the right place Greg Kroah-Hartman
2021-07-15 18:38 ` [PATCH 5.4 053/122] vsock: notify server to shutdown when client has pending signal Greg Kroah-Hartman
2021-07-15 18:38 ` [PATCH 5.4 054/122] RDMA/rxe: Dont overwrite errno from ib_umem_get() Greg Kroah-Hartman
2021-07-15 18:38 ` [PATCH 5.4 055/122] iwlwifi: mvm: dont change band on bound PHY contexts Greg Kroah-Hartman
2021-07-15 18:38 ` [PATCH 5.4 056/122] iwlwifi: pcie: free IML DMA memory allocation Greg Kroah-Hartman
2021-07-15 18:38 ` [PATCH 5.4 057/122] iwlwifi: pcie: fix context info freeing Greg Kroah-Hartman
2021-07-15 18:38 ` [PATCH 5.4 058/122] sfc: avoid double pci_remove of VFs Greg Kroah-Hartman
2021-07-15 18:38 ` [PATCH 5.4 059/122] sfc: error code if SRIOV cannot be disabled Greg Kroah-Hartman
2021-07-15 18:38 ` [PATCH 5.4 060/122] wireless: wext-spy: Fix out-of-bounds warning Greg Kroah-Hartman
2021-07-15 18:38 ` [PATCH 5.4 061/122] media, bpf: Do not copy more entries than user space requested Greg Kroah-Hartman
2021-07-15 18:38 ` [PATCH 5.4 062/122] net: ip: avoid OOM kills with large UDP sends over loopback Greg Kroah-Hartman
2021-07-15 18:38 ` [PATCH 5.4 063/122] RDMA/cma: Fix rdma_resolve_route() memory leak Greg Kroah-Hartman
2021-07-15 18:38 ` [PATCH 5.4 064/122] Bluetooth: btusb: Fixed too many in-token issue for Mediatek Chip Greg Kroah-Hartman
2021-07-15 18:38 ` [PATCH 5.4 065/122] Bluetooth: Fix the HCI to MGMT status conversion table Greg Kroah-Hartman
2021-07-15 18:38 ` [PATCH 5.4 066/122] Bluetooth: Shutdown controller after workqueues are flushed or cancelled Greg Kroah-Hartman
2021-07-15 18:38 ` [PATCH 5.4 067/122] Bluetooth: btusb: fix bt fiwmare downloading failure issue for qca btsoc Greg Kroah-Hartman
2021-07-15 18:38 ` [PATCH 5.4 068/122] sctp: validate from_addr_param return Greg Kroah-Hartman
2021-07-15 18:38 ` [PATCH 5.4 069/122] sctp: add size validation when walking chunks Greg Kroah-Hartman
2021-07-15 18:38 ` [PATCH 5.4 070/122] MIPS: loongsoon64: Reserve memory below starting pfn to prevent Oops Greg Kroah-Hartman
2021-07-15 18:38 ` [PATCH 5.4 071/122] MIPS: set mips32r5 for virt extensions Greg Kroah-Hartman
2021-07-15 18:38 ` [PATCH 5.4 072/122] fscrypt: dont ignore minor_hash when hash is 0 Greg Kroah-Hartman
2021-07-15 18:38 ` [PATCH 5.4 073/122] crypto: ccp - Annotate SEV Firmware file names Greg Kroah-Hartman
2021-07-15 18:38 ` [PATCH 5.4 074/122] perf bench: Fix 2 memory sanitizer warnings Greg Kroah-Hartman
2021-07-15 18:38 ` [PATCH 5.4 075/122] powerpc/mm: Fix lockup on kernel exec fault Greg Kroah-Hartman
2021-07-15 18:38 ` [PATCH 5.4 076/122] powerpc/barrier: Avoid collision with clangs __lwsync macro Greg Kroah-Hartman
2021-07-15 18:38 ` [PATCH 5.4 077/122] drm/amdgpu: Update NV SIMD-per-CU to 2 Greg Kroah-Hartman
2021-07-15 18:38 ` [PATCH 5.4 078/122] drm/radeon: Add the missed drm_gem_object_put() in radeon_user_framebuffer_create() Greg Kroah-Hartman
2021-07-15 18:38 ` [PATCH 5.4 079/122] drm/rockchip: dsi: remove extra component_del() call Greg Kroah-Hartman
2021-07-15 18:38 ` [PATCH 5.4 080/122] drm/amd/display: fix incorrrect valid irq check Greg Kroah-Hartman
2021-07-15 18:38 ` [PATCH 5.4 081/122] pinctrl/amd: Add device HID for new AMD GPIO controller Greg Kroah-Hartman
2021-07-15 18:38 ` [PATCH 5.4 082/122] drm/amd/display: Reject non-zero src_y and src_x for video planes Greg Kroah-Hartman
2021-07-15 18:38 ` [PATCH 5.4 083/122] drm/tegra: Dont set allow_fb_modifiers explicitly Greg Kroah-Hartman
2021-07-15 18:38 ` [PATCH 5.4 084/122] drm/msm/mdp4: Fix modifier support enabling Greg Kroah-Hartman
2021-07-15 18:38 ` [PATCH 5.4 085/122] drm/arm/malidp: Always list modifiers Greg Kroah-Hartman
2021-07-15 18:38 ` [PATCH 5.4 086/122] mmc: sdhci: Fix warning message when accessing RPMB in HS400 mode Greg Kroah-Hartman
2021-07-15 18:38 ` [PATCH 5.4 087/122] mmc: core: clear flags before allowing to retune Greg Kroah-Hartman
2021-07-15 18:38 ` [PATCH 5.4 088/122] mmc: core: Allow UHS-I voltage switch for SDSC cards if supported Greg Kroah-Hartman
2021-07-15 18:38 ` [PATCH 5.4 089/122] ata: ahci_sunxi: Disable DIPM Greg Kroah-Hartman
2021-07-15 18:38 ` [PATCH 5.4 090/122] cpu/hotplug: Cure the cpusets trainwreck Greg Kroah-Hartman
2021-07-15 18:38 ` [PATCH 5.4 091/122] clocksource/arm_arch_timer: Improve Allwinner A64 timer workaround Greg Kroah-Hartman
2021-07-15 18:38 ` [PATCH 5.4 092/122] fpga: stratix10-soc: Add missing fpga_mgr_free() call Greg Kroah-Hartman
2021-07-15 18:39 ` [PATCH 5.4 093/122] MIPS: fix "mipsel-linux-ld: decompress.c:undefined reference to `memmove" Greg Kroah-Hartman
2021-07-15 18:39 ` [PATCH 5.4 094/122] ASoC: tegra: Set driver_name=tegra for all machine drivers Greg Kroah-Hartman
2021-07-15 18:39 ` [PATCH 5.4 095/122] qemu_fw_cfg: Make fw_cfg_rev_attr a proper kobj_attribute Greg Kroah-Hartman
2021-07-15 18:39 ` [PATCH 5.4 096/122] ipmi/watchdog: Stop watchdog timer when the current action is none Greg Kroah-Hartman
2021-07-15 18:39 ` [PATCH 5.4 097/122] xfrm: policy: Read seqcount outside of rcu-read side in xfrm_policy_lookup_bytype Greg Kroah-Hartman
2021-07-15 18:54 ` Florian Westphal
2021-07-16 17:47 ` Greg Kroah-Hartman
2021-07-15 18:39 ` [PATCH 5.4 098/122] thermal/drivers/int340x/processor_thermal: Fix tcc setting Greg Kroah-Hartman
2021-07-15 18:39 ` [PATCH 5.4 099/122] ubifs: Fix races between xattr_{set|get} and listxattr operations Greg Kroah-Hartman
2021-07-15 18:39 ` [PATCH 5.4 100/122] power: supply: ab8500: Fix an old bug Greg Kroah-Hartman
2021-07-15 18:39 ` [PATCH 5.4 101/122] nvmem: core: add a missing of_node_put Greg Kroah-Hartman
2021-07-15 18:39 ` [PATCH 5.4 102/122] extcon: intel-mrfld: Sync hardware and software state on init Greg Kroah-Hartman
2021-07-15 18:39 ` [PATCH 5.4 103/122] seq_buf: Fix overflow in seq_buf_putmem_hex() Greg Kroah-Hartman
2021-07-15 18:39 ` [PATCH 5.4 104/122] rq-qos: fix missed wake-ups in rq_qos_throttle try two Greg Kroah-Hartman
2021-07-15 18:39 ` [PATCH 5.4 105/122] tracing: Simplify & fix saved_tgids logic Greg Kroah-Hartman
2021-07-15 18:39 ` [PATCH 5.4 106/122] tracing: Resize tgid_map to pid_max, not PID_MAX_DEFAULT Greg Kroah-Hartman
2021-07-15 18:39 ` [PATCH 5.4 107/122] ipack/carriers/tpci200: Fix a double free in tpci200_pci_probe Greg Kroah-Hartman
2021-07-15 18:39 ` [PATCH 5.4 108/122] coresight: tmc-etf: Fix global-out-of-bounds in tmc_update_etf_buffer() Greg Kroah-Hartman
2021-07-15 18:39 ` [PATCH 5.4 109/122] dm btree remove: assign new_root only when removal succeeds Greg Kroah-Hartman
2021-07-15 18:39 ` [PATCH 5.4 110/122] PCI: Leave Apple Thunderbolt controllers on for s2idle or standby Greg Kroah-Hartman
2021-07-15 18:39 ` [PATCH 5.4 111/122] PCI: aardvark: Fix checking for PIO Non-posted Request Greg Kroah-Hartman
2021-07-15 18:39 ` [PATCH 5.4 112/122] PCI: aardvark: Implement workaround for the readback value of VEND_ID Greg Kroah-Hartman
2021-07-15 18:39 ` [PATCH 5.4 113/122] media: subdev: disallow ioctl for saa6588/davinci Greg Kroah-Hartman
2021-07-15 18:39 ` [PATCH 5.4 114/122] media: dtv5100: fix control-request directions Greg Kroah-Hartman
2021-07-15 18:39 ` [PATCH 5.4 115/122] media: zr364xx: fix memory leak in zr364xx_start_readpipe Greg Kroah-Hartman
2021-07-15 18:39 ` [PATCH 5.4 116/122] media: gspca/sq905: fix control-request direction Greg Kroah-Hartman
2021-07-15 18:39 ` [PATCH 5.4 117/122] media: gspca/sunplus: fix zero-length control requests Greg Kroah-Hartman
2021-07-15 18:39 ` [PATCH 5.4 118/122] media: rtl28xxu: fix zero-length control request Greg Kroah-Hartman
2021-07-15 18:39 ` [PATCH 5.4 119/122] media: uvcvideo: Fix pixel format change for Elgato Cam Link 4K Greg Kroah-Hartman
2021-07-15 18:39 ` [PATCH 5.4 120/122] pinctrl: mcp23s08: Fix missing unlock on error in mcp23s08_irq() Greg Kroah-Hartman
2021-07-15 18:39 ` [PATCH 5.4 121/122] jfs: fix GPF in diFree Greg Kroah-Hartman
2021-07-15 18:39 ` [PATCH 5.4 122/122] smackfs: restrict bytes count in smk_set_cipso() Greg Kroah-Hartman
2021-07-15 21:59 ` [PATCH 5.4 000/122] 5.4.133-rc1 review Florian Fainelli
2021-07-16 11:53 ` Naresh Kamboju
2021-07-17 1:21 ` Samuel Zou
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210715182450.976392699@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=davem@davemloft.net \
--cc=hulkci@huawei.com \
--cc=linux-kernel@vger.kernel.org \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
--cc=zou_wei@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).