[PATCH] PCI/pwrctrl: Cancel outstanding rescan work when unregistering

From: Brian Norris
Date: Wed Apr 09 2025 - 14:58:23 EST

Next message: tip-bot2 for Thomas Gleixner: "[tip: irq/msi] NTB/msi: Switch MSI descriptor locking to lock guard()"
Previous message: Andrew Jones: "Re: [PATCH v2 2/3] riscv: module: Allocate PLT entries for R_RISCV_PLT32"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Brian Norris <briannorris@xxxxxxxxxx>

It's possible to trigger use-after-free here by:
(a) forcing rescan_work_func() to take a long time and
(b) utilizing a pwrctrl driver that may be unloaded for some reason.

I'm unlucky to trigger both of these in development. It's likely much
more difficult to hit this in practice.

Anyway, we should ensure our work is finished before we allow our data
structures to be cleaned up.

Fixes: 8f62819aaace ("PCI/pwrctl: Rescan bus on a separate thread")
Cc: Konrad Dybcio <konradybcio@xxxxxxxxxx>
Cc: Bartosz Golaszewski <bartosz.golaszewski@xxxxxxxxxx>
Signed-off-by: Brian Norris <briannorris@xxxxxxxxxx>
Signed-off-by: Brian Norris <briannorris@xxxxxxxxxxxx>
---

drivers/pci/pwrctrl/core.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/drivers/pci/pwrctrl/core.c b/drivers/pci/pwrctrl/core.c
index 9cc7e2b7f2b5..6bdbfed584d6 100644
--- a/drivers/pci/pwrctrl/core.c
+++ b/drivers/pci/pwrctrl/core.c
@@ -101,6 +101,8 @@ EXPORT_SYMBOL_GPL(pci_pwrctrl_device_set_ready);
*/
void pci_pwrctrl_device_unset_ready(struct pci_pwrctrl *pwrctrl)
{
+ cancel_work_sync(&pwrctrl->work);
+
/*
* We don't have to delete the link here. Typically, this function
* is only called when the power control device is being detached. If
--
2.49.0.604.gff1f9ca942-goog

Next message: tip-bot2 for Thomas Gleixner: "[tip: irq/msi] NTB/msi: Switch MSI descriptor locking to lock guard()"
Previous message: Andrew Jones: "Re: [PATCH v2 2/3] riscv: module: Allocate PLT entries for R_RISCV_PLT32"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]