[PATCH 1/2][SRU][linux-intel][F] bus: mhi: pci_generic: Fix possible use-after-free in mhi_pci_remove()

You-Sheng Yang vicamo.yang at canonical.com
Wed Jun 23 10:43:30 UTC 2021 

From: Wei Yongjun <weiyongjun1 at huawei.com>

BugLink: https://bugs.launchpad.net/bugs/1932124

This driver's remove path calls del_timer(). However, that function
does not wait until the timer handler finishes. This means that the
timer handler may still be running after the driver's remove function
has finished, which would result in a use-after-free.

Fix by calling del_timer_sync(), which makes sure the timer handler
has finished, and unable to re-schedule itself.

Link: https://lore.kernel.org/r/20210413160318.2003699-1-weiyongjun1@huawei.com
Fixes: 8562d4fe34a3 ("mhi: pci_generic: Add health-check")
Cc: stable <stable at vger.kernel.org>
Reported-by: Hulk Robot <hulkci at huawei.com>
Reviewed-by: Hemant kumar <hemantk at codeaurora.org>
Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam at linaro.org>
Reviewed-by: Loic Poulain <loic.poulain at linaro.org>
Signed-off-by: Wei Yongjun <weiyongjun1 at huawei.com>
Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam at linaro.org>
Link: https://lore.kernel.org/r/20210606153741.20725-3-manivannan.sadhasivam@linaro.org
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
(cherry picked from commit 0b67808ade8893a1b3608ddd74fac7854786c919)
Signed-off-by: You-Sheng Yang <vicamo at gmail.com>
---
 drivers/bus/mhi/pci_generic.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/bus/mhi/pci_generic.c b/drivers/bus/mhi/pci_generic.c
index 8f715519ba08..99d5384f7639 100644
--- a/drivers/bus/mhi/pci_generic.c
+++ b/drivers/bus/mhi/pci_generic.c
@@ -708,7 +708,7 @@ static void mhi_pci_remove(struct pci_dev *pdev)
 	struct mhi_pci_device *mhi_pdev = pci_get_drvdata(pdev);
 	struct mhi_controller *mhi_cntrl = &mhi_pdev->mhi_cntrl;
 
-	del_timer(&mhi_pdev->health_check_timer);
+	del_timer_sync(&mhi_pdev->health_check_timer);
 	cancel_work_sync(&mhi_pdev->recovery_work);
 
 	if (test_and_clear_bit(MHI_PCI_DEV_STARTED, &mhi_pdev->status)) {
-- 
2.31.1

More information about the kernel-team mailing list