[PATCH] sh: push-switch: reorder cleanup operations to avoid UAF bug

From: Duoming Zhou
Date: Tue Aug 01 2023 - 23:39:16 EST

Next message: kernel test robot: "Re: [PATCH] PCI/VGA: Fixup the firmware fb address om demanding time"
Previous message: Andy Shevchenko: "Re: [PATCH 2/5] of: dynamic: Refactor action prints to not use "%pOF" inside devtree_lock"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

The original code puts flush_work() before timer_shutdown_sync()
in switch_drv_remove(). Although we use flush_work() to stop
the worker, it could be re-scheduled in switch_timer. As a result,
the UAF bug will happen. The detail is shown below:

(cpu 0) | (cpu 1)
switch_drv_remove() |
flush_work() |
... | switch_timer //timer
| schedule_work(&psw->work)
timer_shutdown_sync() |
... | switch_work_handler //worker
kfree(psw) //free |
| psw->state = 0 //use

This patch puts timer_shutdown_sync() before flush_work() to
mitigate the bugs. As a result, the worker and timer could
be stopped safely before the deallocate operations.

Fixes: 9f5e8eee5cfe ("sh: generic push-switch framework.")
Signed-off-by: Duoming Zhou <duoming@xxxxxxxxxx>
---
arch/sh/drivers/push-switch.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/sh/drivers/push-switch.c b/arch/sh/drivers/push-switch.c
index c95f48ff3f6..6ecba5f521e 100644
--- a/arch/sh/drivers/push-switch.c
+++ b/arch/sh/drivers/push-switch.c
@@ -101,8 +101,8 @@ static int switch_drv_remove(struct platform_device *pdev)
device_remove_file(&pdev->dev, &dev_attr_switch);

platform_set_drvdata(pdev, NULL);
- flush_work(&psw->work);
timer_shutdown_sync(&psw->debounce);
+ flush_work(&psw->work);
free_irq(irq, pdev);

kfree(psw);
--
2.17.1

Next message: kernel test robot: "Re: [PATCH] PCI/VGA: Fixup the firmware fb address om demanding time"
Previous message: Andy Shevchenko: "Re: [PATCH 2/5] of: dynamic: Refactor action prints to not use "%pOF" inside devtree_lock"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]