diff mbox series

[v2] PCIE/PME: fix possible use-after-free on remove

Message ID 20190301165419.16493-1-TheSven73@gmail.com (mailing list archive)
State New, archived
Delegated to: Bjorn Helgaas
Headers show
Series [v2] PCIE/PME: fix possible use-after-free on remove | expand

Commit Message

Sven Van Asbroeck March 1, 2019, 4:54 p.m. UTC 
In remove(), ensure that the pme work cannot run after kfree()
is called. Otherwise, this could result in a use-after-free.

This issue was detected with the help of Coccinelle.

Cc: Sinan Kaya <okaya@kernel.org>
Cc: Frederick Lawler <fred@fredlawl.com>
Cc: Mika Westerberg <mika.westerberg@linux.intel.com>
Cc: Keith Busch <keith.busch@intel.com>
Cc: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sven Van Asbroeck <TheSven73@gmail.com>
---
 drivers/pci/pcie/pme.c | 1 +
 1 file changed, 1 insertion(+)

v2:
	rebased against Bjorn Helgaas's pcm/pm branch at
	git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci.git

Comments

Bjorn Helgaas March 2, 2019, 12:11 a.m. UTC | #1 
On Fri, Mar 1, 2019 at 10:54 AM Sven Van Asbroeck <thesven73@gmail.com> wrote:
>
> In remove(), ensure that the pme work cannot run after kfree()
> is called. Otherwise, this could result in a use-after-free.
>
> This issue was detected with the help of Coccinelle.
>
> Cc: Sinan Kaya <okaya@kernel.org>
> Cc: Frederick Lawler <fred@fredlawl.com>
> Cc: Mika Westerberg <mika.westerberg@linux.intel.com>
> Cc: Keith Busch <keith.busch@intel.com>
> Cc: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
> Signed-off-by: Sven Van Asbroeck <TheSven73@gmail.com>

Applied to pci/pm for v5.1, thanks!

> ---
>  drivers/pci/pcie/pme.c | 1 +
>  1 file changed, 1 insertion(+)
>
> v2:
>         rebased against Bjorn Helgaas's pcm/pm branch at
>         git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci.git
>
> diff --git a/drivers/pci/pcie/pme.c b/drivers/pci/pcie/pme.c
> index efa5b552914b..54d593d10396 100644
> --- a/drivers/pci/pcie/pme.c
> +++ b/drivers/pci/pcie/pme.c
> @@ -437,6 +437,7 @@ static void pcie_pme_remove(struct pcie_device *srv)
>
>         pcie_pme_disable_interrupt(srv->port, data);
>         free_irq(srv->irq, srv);
> +       cancel_work_sync(&data->work);
>         kfree(data);
>  }
>
> --
> 2.17.1
>
diff mbox series

Patch

diff --git a/drivers/pci/pcie/pme.c b/drivers/pci/pcie/pme.c
index efa5b552914b..54d593d10396 100644
--- a/drivers/pci/pcie/pme.c
+++ b/drivers/pci/pcie/pme.c
@@ -437,6 +437,7 @@  static void pcie_pme_remove(struct pcie_device *srv)
 
 	pcie_pme_disable_interrupt(srv->port, data);
 	free_irq(srv->irq, srv);
+	cancel_work_sync(&data->work);
 	kfree(data);
 }