[PATCH -next] watchdog: Fix possible use-after-free by calling del_timer_sync()
Vladimir Zapolskiy
vz at mleia.com
Wed May 12 10:04:27 PDT 2021
On 5/12/21 9:57 AM, Zou Wei wrote:
> This driver's remove path calls del_timer(). However, that function
> does not wait until the timer handler finishes. This means that the
> timer handler may still be running after the driver's remove function
> has finished, which would result in a use-after-free.
>
> Fix by calling del_timer_sync(), which makes sure the timer handler
> has finished, and is unable to re-schedule itself.
>
> Reported-by: Hulk Robot <hulkci at huawei.com>
> Signed-off-by: Zou Wei <zou_wei at huawei.com>
Acked-by: Vladimir Zapolskiy <vz at mleia.com>
--
Best wishes,
Vladimir
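
A userspace model of the race described in the quoted commit message, added here as an illustration; it is not code from the patch or from the driver. A pthread stands in for the timer handler, the names `wdt_model`, `run_remove` and `freed` are hypothetical, and the model sets a flag instead of really freeing memory, so only the waiting behaviour of del_timer_sync() is represented.

```c
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <semaphore.h>
#include <stdatomic.h>
#include <stdio.h>
#include <time.h>

/* Userspace stand-in for a driver's private data (hypothetical names). */
struct wdt_model {
    pthread_t handler;              /* models the running timer handler */
    sem_t started;                  /* posted once the handler is in flight */
    atomic_int freed;               /* set where remove() would release the data */
    atomic_int touched_after_free;  /* handler's view of 'freed' when it used the data */
};

static void *timer_handler(void *arg)
{
    struct wdt_model *w = arg;
    struct timespec work = { 0, 100 * 1000 * 1000 }; /* 100 ms of handler work */
    sem_post(&w->started);
    nanosleep(&work, NULL);
    /* The handler uses driver data here; record whether it was already released. */
    atomic_store(&w->touched_after_free, atomic_load(&w->freed));
    return NULL;
}

/* Returns 1 if the handler used the data after the remove path released it. */
int run_remove(int sync)
{
    struct wdt_model w;
    atomic_init(&w.freed, 0);
    atomic_init(&w.touched_after_free, 0);
    sem_init(&w.started, 0, 0);
    pthread_create(&w.handler, NULL, timer_handler, &w);
    sem_wait(&w.started);           /* the timer has fired, handler is running */
    if (sync)                       /* del_timer_sync(): wait for the handler */
        pthread_join(w.handler, NULL);
    atomic_store(&w.freed, 1);      /* remove() returns and the data is released */
    if (!sync)                      /* del_timer(): nothing waited; join only to clean up */
        pthread_join(w.handler, NULL);
    sem_destroy(&w.started);
    return atomic_load(&w.touched_after_free);
}

int main(void)
{
    printf("del_timer:      touched_after_free=%d\n", run_remove(0));
    printf("del_timer_sync: touched_after_free=%d\n", run_remove(1));
}
```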