queue-4.14/power-supply-generic-adc-battery-fix-possible-use-af.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From 0a011cbd6f1b7f93400ba7ae7fcf756cc04c840b Mon Sep 17 00:00:00 2001
 From: Sasha Levin <sashal@kernel.org>
 Date: Wed, 7 Apr 2021 17:17:06 +0800
 Subject: power: supply: generic-adc-battery: fix possible use-after-free in
  gab_remove()

 From: Yang Yingliang <yangyingliang@huawei.com>

 [ Upstream commit b6cfa007b3b229771d9588970adb4ab3e0487f49 ]

 This driver's remove path calls cancel_delayed_work(). However, that
 function does not wait until the work function finishes. This means
 that the callback function may still be running after the driver's
 remove function has finished, which would result in a use-after-free.

 Fix by calling cancel_delayed_work_sync(), which ensures that
 the work is properly cancelled, no longer running, and unable
 to re-schedule itself.

 Reported-by: Hulk Robot <hulkci@huawei.com>
 Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
 Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
 Signed-off-by: Sasha Levin <sashal@kernel.org>
 ---
  drivers/power/supply/generic-adc-battery.c | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)

 diff --git a/drivers/power/supply/generic-adc-battery.c b/drivers/power/supply/generic-adc-battery.c
 index 371b5ec70087..c5bde3c24c31 100644
 --- a/drivers/power/supply/generic-adc-battery.c
 +++ b/drivers/power/supply/generic-adc-battery.c
 @@ -384,7 +384,7 @@ static int gab_remove(struct platform_device *pdev)
  	}

  	kfree(adc_bat->psy_desc.properties);
 -	cancel_delayed_work(&adc_bat->bat_work);
 +	cancel_delayed_work_sync(&adc_bat->bat_work);
  	return 0;
  }

 --
 2.30.2
	From 0a011cbd6f1b7f93400ba7ae7fcf756cc04c840b Mon Sep 17 00:00:00 2001
	From: Sasha Levin <sashal@kernel.org>
	Date: Wed, 7 Apr 2021 17:17:06 +0800
	Subject: power: supply: generic-adc-battery: fix possible use-after-free in
	gab_remove()

	From: Yang Yingliang <yangyingliang@huawei.com>

	[ Upstream commit b6cfa007b3b229771d9588970adb4ab3e0487f49 ]

	This driver's remove path calls cancel_delayed_work(). However, that
	function does not wait until the work function finishes. This means
	that the callback function may still be running after the driver's
	remove function has finished, which would result in a use-after-free.

	Fix by calling cancel_delayed_work_sync(), which ensures that
	the work is properly cancelled, no longer running, and unable
	to re-schedule itself.

	Reported-by: Hulk Robot <hulkci@huawei.com>
	Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
	Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
	Signed-off-by: Sasha Levin <sashal@kernel.org>
	---
	drivers/power/supply/generic-adc-battery.c \| 2 +-
	1 file changed, 1 insertion(+), 1 deletion(-)

	diff --git a/drivers/power/supply/generic-adc-battery.c b/drivers/power/supply/generic-adc-battery.c
	index 371b5ec70087..c5bde3c24c31 100644
	--- a/drivers/power/supply/generic-adc-battery.c
	+++ b/drivers/power/supply/generic-adc-battery.c
	@@ -384,7 +384,7 @@ static int gab_remove(struct platform_device *pdev)
	}

	kfree(adc_bat->psy_desc.properties);
	- cancel_delayed_work(&adc_bat->bat_work);
	+ cancel_delayed_work_sync(&adc_bat->bat_work);
	return 0;
	}

	--
	2.30.2