Message ID | 20190218195730.4975-1-TheSven73@gmail.com (mailing list archive) |
---|---|
State | Superseded, archived |
Series | PCIE/PME: fix possible use-after-free on remove |
On Mon, Feb 18, 2019 at 02:57:30PM -0500, Sven Van Asbroeck wrote:
> In remove(), ensure that the pme work cannot run after kfree()
> is called. Otherwise, this could result in a use-after-free.
>
> This issue was detected with the help of Coccinelle.
>
> Cc: Sinan Kaya <okaya@kernel.org>
> Cc: Frederick Lawler <fred@fredlawl.com>
> Cc: Mika Westerberg <mika.westerberg@linux.intel.com>

Reviewed-by: Mika Westerberg <mika.westerberg@linux.intel.com>
diff --git a/drivers/pci/pcie/pme.c b/drivers/pci/pcie/pme.c index 0dbcf429089f..87823f669ccc 100644 --- a/drivers/pci/pcie/pme.c +++ b/drivers/pci/pcie/pme.c @@ -427,9 +427,12 @@ static int pcie_pme_resume(struct pcie_device *srv) */ static void pcie_pme_remove(struct pcie_device *srv) { + struct pcie_pme_service_data *data = get_service_data(srv); + pcie_pme_suspend(srv); free_irq(srv->irq, srv); - kfree(get_service_data(srv)); + cancel_work_sync(&data->work); + kfree(data); } static int pcie_pme_runtime_suspend(struct pcie_device *srv)
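Review bot: In pcie_pme_remove(), the added cancel_work_sync(&data->work) only closes the window if nothing can queue data->work again once it returns. Its placement after free_irq(srv->irq, srv) suggests the interrupt handler is what queues the work, but neither the hunk nor the commit message says so. Please state that in the commit message or in a short comment above the call, so the required order (pcie_pme_suspend(), free_irq(), cancel_work_sync(), then kfree(data)) is not reshuffled by a later cleanup. Since this closes a use-after-free, a Fixes: tag naming the commit that introduced the kfree() without the cancel would also help with backporting.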
In remove(), ensure that the pme work cannot run after kfree()
is called. Otherwise, this could result in a use-after-free.

This issue was detected with the help of Coccinelle.

Cc: Sinan Kaya <okaya@kernel.org>
Cc: Frederick Lawler <fred@fredlawl.com>
Cc: Mika Westerberg <mika.westerberg@linux.intel.com>
Cc: Keith Busch <keith.busch@intel.com>
Signed-off-by: Sven Van Asbroeck <TheSven73@gmail.com>
---
 drivers/pci/pcie/pme.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)