linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Sven Van Asbroeck <thesven73@gmail.com>
To: Peter Rosin <peda@axentia.se>, Jonathan Cameron <jic23@kernel.org>
Cc: Hartmut Knaack <knaack.h@gmx.de>,
	Lars-Peter Clausen <lars@metafoo.de>,
	Peter Meerwald-Stadler <pmeerw@pmeerw.net>,
	linux-iio@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH] iio: envelope-detector: fix use-after-free on device remove
Date: Sun, 10 Mar 2019 15:32:46 -0400	[thread overview]
Message-ID: <20190310193246.31761-1-TheSven73@gmail.com> (raw)

This driver's remove path never explicitly cancels the
delayed work. So it is possible for the delayed work to
run after the core has freed the private structure
(struct envelope). This is a potential use-after-free.

Fix by adding a devm_add_action callback to the remove
path, called right after iio_device_unregister(), which
explicitly cancels the delayed work.

This issue was detected with the help of Coccinelle.

Signed-off-by: Sven Van Asbroeck <TheSven73@gmail.com>
---
 drivers/iio/adc/envelope-detector.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/drivers/iio/adc/envelope-detector.c b/drivers/iio/adc/envelope-detector.c
index 2f2b563c1162..2f1c78b3ff44 100644
--- a/drivers/iio/adc/envelope-detector.c
+++ b/drivers/iio/adc/envelope-detector.c
@@ -321,6 +321,14 @@ static const struct iio_info envelope_detector_info = {
 	.read_raw = &envelope_detector_read_raw,
 };
 
+static void envelope_detector_stop_work(void *data)
+{
+	struct iio_dev *indio_dev = data;
+	struct envelope *env = iio_priv(indio_dev);
+
+	cancel_delayed_work_sync(&env->comp_timeout);
+}
+
 static int envelope_detector_probe(struct platform_device *pdev)
 {
 	struct device *dev = &pdev->dev;
@@ -395,6 +403,10 @@ static int envelope_detector_probe(struct platform_device *pdev)
 		return ret;
 	}
 
+	ret = devm_add_action(dev, envelope_detector_stop_work, indio_dev);
+	if (ret)
+		return ret;
+
 	return devm_iio_device_register(dev, indio_dev);
 }
 
-- 
2.17.1

next             reply	other threads:[~2019-03-10 19:33 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-03-10 19:32 Sven Van Asbroeck [this message]
2019-03-11 18:00 ` [PATCH] iio: envelope-detector: fix use-after-free on device remove Tomasz Duszynski
2019-03-11 18:41   ` Peter Rosin
2019-03-11 18:47     ` Sven Van Asbroeck

find likely ancestor, descendant, or conflicting patches for this message:
dfblob:2f2b563c116 dfblob:2f1c78b3ff4
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20190310193246.31761-1-TheSven73@gmail.com \
    --to=thesven73@gmail.com \
    --cc=jic23@kernel.org \
    --cc=knaack.h@gmx.de \
    --cc=lars@metafoo.de \
    --cc=linux-iio@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=peda@axentia.se \
    --cc=pmeerw@pmeerw.net \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).