| From 771bb52155a684460aec3e2ccc5442d7e534c417 Mon Sep 17 00:00:00 2001 |
| From: Sasha Levin <sashal@kernel.org> |
| Date: Wed, 12 May 2021 15:00:24 +0800 |
| Subject: atm: nicstar: Fix possible use-after-free in nicstar_cleanup() |
| |
| From: Zou Wei <zou_wei@huawei.com> |
| |
| [ Upstream commit 34e7434ba4e97f4b85c1423a59b2922ba7dff2ea ] |
| |
| This module's remove path calls del_timer(). However, that function |
| does not wait until the timer handler finishes. This means that the |
| timer handler may still be running after the driver's remove function |
| has finished, which would result in a use-after-free. |
| |
| Fix by calling del_timer_sync(), which makes sure the timer handler |
| has finished and is unable to re-schedule itself. |
| |
| Reported-by: Hulk Robot <hulkci@huawei.com> |
| Signed-off-by: Zou Wei <zou_wei@huawei.com> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| Signed-off-by: Sasha Levin <sashal@kernel.org> |
| --- |
| drivers/atm/nicstar.c | 2 +- |
| 1 file changed, 1 insertion(+), 1 deletion(-) |
| |
| diff --git a/drivers/atm/nicstar.c b/drivers/atm/nicstar.c |
| index bb9835c62641..5ec7b6a60145 100644 |
| --- a/drivers/atm/nicstar.c |
| +++ b/drivers/atm/nicstar.c |
| @@ -297,7 +297,7 @@ static void __exit nicstar_cleanup(void) |
| { |
| XPRINTK("nicstar: nicstar_cleanup() called.\n"); |
| |
| - del_timer(&ns_timer); |
| + del_timer_sync(&ns_timer); |
| |
| pci_unregister_driver(&nicstar_driver); |
| |
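Review bot: The new `del_timer_sync(&ns_timer)` call has no comment explaining why the synchronous variant is needed or that it must stay ahead of `pci_unregister_driver(&nicstar_driver)`, so a later cleanup could reorder or revert it and reintroduce the use-after-free. I would add above the call: `/* Wait for a running ns_timer handler to finish before the driver state is torn down. */`. The timer handler is not in the hunk, so what it touches is taken from the commit message. It is also worth confirming that no other path re-arms ns_timer after this point, since del_timer_sync() relies on callers preventing a restart. The body of nicstar_cleanup() continues past the end of the hunk.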
| -- |
| 2.30.2 |
| |