From: Zheng Wang <zyytlz.wz@163.com>
To: arnd@arndb.de
Cc: gregkh@linuxfoundation.org, linux-kernel@vger.kernel.org,
hackerzheng666@gmail.com, 1395428693sheep@gmail.com,
alex000young@gmail.com, Zheng Wang <zyytlz.wz@163.com>
Subject: [PATCH RESEND] misc: ti-st: st_kim: Fix use after free bug in kim_remove due to race condition
Date: Sat, 18 Mar 2023 16:17:43 +0800
Message-ID: <20230318081743.797531-1-zyytlz.wz@163.com>
In kim_probe, it called st_core_init and bound &st_gdata->work_write_wakeup
with work_fn_write_wakeup.
When it calls st_tty_wakeup, it will finally call schedule_work to start
the work.
When we call kim_remove to remove the driver, there
may be a sequence as follows:

CPU0                       CPU1
                           |work_fn_write_wakeup
kim_remove                 |
  st_core_exit             |
    kfree(st_gdata)        |
                           |st_tx_wakeup
                           |//use st_gdata

Fix it by finishing the work before cleanup in kim_remove.
Fixes: b05b7c7cc032 ("ti-st: use worker instead of calling st_int_write in wake up")
Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
---
drivers/misc/ti-st/st_kim.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/misc/ti-st/st_kim.c b/drivers/misc/ti-st/st_kim.c
index f2f6cab97c08..160258a78c7b 100644
--- a/drivers/misc/ti-st/st_kim.c
+++ b/drivers/misc/ti-st/st_kim.c
@@ -785,9 +785,12 @@ static int kim_remove(struct platform_device *pdev)
/* free the GPIOs requested */
struct ti_st_plat_data *pdata = pdev->dev.platform_data;
struct kim_data_s *kim_gdata;
+ struct st_data_s *st_gdata = kim_gdata->core_data;
kim_gdata = platform_get_drvdata(pdev);
+ cancel_work_sync(&st_gdata->work_write_wakeup);
+
/*
* Free the Bluetooth/FM/GPIO
* nShutdown gpio from the system
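Review bot: the added `struct st_data_s *st_gdata = kim_gdata->core_data;` reads kim_gdata one line before it is assigned from platform_get_drvdata(pdev), so st_gdata is loaded through an uninitialized pointer and the later cancel_work_sync() and st_core_exit() operate on garbage. Keep the declaration with the other locals but move the load after the assignment, i.e. `struct st_data_s *st_gdata;` above, then `kim_gdata = platform_get_drvdata(pdev);` followed by `st_gdata = kim_gdata->core_data;` and only then `cancel_work_sync(&st_gdata->work_write_wakeup);`.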
@@ -800,7 +803,7 @@ static int kim_remove(struct platform_device *pdev)
pr_info("sysfs entries removed");
kim_gdata->kim_pdev = NULL;
- st_core_exit(kim_gdata->core_data);
+ st_core_exit(st_gdata);
kfree(kim_gdata);
kim_gdata = NULL;
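Review bot: passing the st_gdata local here is only equivalent to the removed `st_core_exit(kim_gdata->core_data);` if that local was initialized from the already-assigned kim_gdata, so this hunk depends on the ordering fix in the first hunk. Since st_core_exit() is what frees st_gdata, the cancel_work_sync() must stay ahead of this call as it is now, and the commit message should also state why nothing (for example a further st_tty_wakeup) can re-queue work_write_wakeup between the cancel and the free, because cancel_work_sync() only drains the currently queued or running instance and does not block a later schedule_work().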
--
2.25.1
Thread overview: 4+ messages
2023-03-18 8:17 Zheng Wang [this message]
2023-03-18 9:53 ` [PATCH RESEND] misc: ti-st: st_kim: Fix use after free bug in kim_remove due to race condition kernel test robot
2023-03-18 9:53 ` kernel test robot
2023-03-18 10:24 ` kernel test robot