| From a60ec78d306c6548d4adbc7918b587a723c555cc Mon Sep 17 00:00:00 2001 |
| From: Sven Van Asbroeck <thesven73@gmail.com> |
| Date: Thu, 19 Sep 2019 11:11:37 -0400 |
| Subject: power: supply: ltc2941-battery-gauge: fix use-after-free |
| |
| From: Sven Van Asbroeck <thesven73@gmail.com> |
| |
| commit a60ec78d306c6548d4adbc7918b587a723c555cc upstream. |
| |
| This driver's remove path calls cancel_delayed_work(). |
| However, that function does not wait until the work function |
| finishes. This could mean that the work function is still |
| running after the driver's remove function has finished, |
| which would result in a use-after-free. |
| |
| Fix by calling cancel_delayed_work_sync(), which ensures that |
| that the work is properly cancelled, no longer running, and |
| unable to re-schedule itself. |
| |
| This issue was detected with the help of Coccinelle. |
| |
| Cc: stable <stable@vger.kernel.org> |
| Signed-off-by: Sven Van Asbroeck <TheSven73@gmail.com> |
| Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| drivers/power/supply/ltc2941-battery-gauge.c | 2 +- |
| 1 file changed, 1 insertion(+), 1 deletion(-) |
| |
| --- a/drivers/power/supply/ltc2941-battery-gauge.c |
| +++ b/drivers/power/supply/ltc2941-battery-gauge.c |
| @@ -448,7 +448,7 @@ static int ltc294x_i2c_remove(struct i2c |
| { |
| struct ltc294x_info *info = i2c_get_clientdata(client); |
| |
| - cancel_delayed_work(&info->work); |
| + cancel_delayed_work_sync(&info->work); |
| power_supply_unregister(info->supply); |
| return 0; |
| } |