Minki/linux
1
0
Fork 1
mirror of https://github.com/torvalds/linux.git synced 2024-11-22 12:11:40 +00:00
Code Issues Packages Projects Releases Wiki Activity

hte: Fix possible use-after-free in tegra_hte_test_remove()

Browse Source 
del_timer() does not wait until the timer handler finishing.
This means that the timer handler may still be running after
the driver's remove function has finished, which would result
in a use-after-free.
Fix it by calling del_timer_sync(), which makes sure the timer
handler has finished.

Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Reviewed-by: Dipen Patel <dipenp@nvidia.com>
Acked-by: Dipen Patel <dipenp@nvidia.com>
Signed-off-by: Thierry Reding <treding@nvidia.com>
This commit is contained in:
Yang Yingliang 2022-05-06 16:48:51 +08:00 committed by Thierry Reding
parent e0bfb57e1b
commit 0668e8ccd3
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
drivers/hte/hte-tegra194-test.c
View File

@ -219,7 +219,7 @@ static int tegra_hte_test_remove(struct platform_device *pdev)
free_irq(hte.gpio_in_irq, &hte);
gpiod_put(hte.gpio_in);
gpiod_put(hte.gpio_out);
del_timer(&hte.timer);
del_timer_sync(&hte.timer);
return 0;
}