Thread (2 messages) 2 messages, 2 authors, 2019-02-15

[PATCH] max17042_battery: fix potential use-after-free on device remove

From: Sven Van Asbroeck <hidden>
Date: 2019-02-15 22:03:57
Also in: lkml
Subsystem: maxim max17042 family fuel gauge drivers, power supply class/subsystem and drivers, the rest · Maintainers: Sebastian Reichel, Linus Torvalds

The work which is scheduled on a POR boot is potentially left
pending or running until after the device module is removed,
which could result in a use-after-free.

Fix by registering a cancel/sync callback, which gets executed as
part of standard resource unwinding.

This issue was detected with the help of Coccinelle.

Cc: Hans de Goede <redacted>
Signed-off-by: Sven Van Asbroeck <redacted>
---
 drivers/power/supply/max17042_battery.c | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/drivers/power/supply/max17042_battery.c b/drivers/power/supply/max17042_battery.c
index 2a8d75e5e930..581c6bd23388 100644
--- a/drivers/power/supply/max17042_battery.c
+++ b/drivers/power/supply/max17042_battery.c
@@ -995,6 +995,13 @@ static const struct power_supply_desc max17042_no_current_sense_psy_desc = {
 	.num_properties	= ARRAY_SIZE(max17042_battery_props) - 2,
 };
 
+static void max17042_stop_work(void *data)
+{
+	struct max17042_chip *chip = data;
+
+	cancel_work_sync(&chip->work);
+}
+
 static int max17042_probe(struct i2c_client *client,
 			const struct i2c_device_id *id)
 {
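Review bot: max17042_stop_work() calls cancel_work_sync(&chip->work) unconditionally, which is only safe because the one place that registers it sits right after INIT_WORK() in the STATUS_POR_BIT branch of probe. A short comment above the function, saying it is a devm action and must only be registered once chip->work has been initialised, would keep a later refactor from moving the registration out of that branch and running cancel_work_sync() on an uninitialised work_struct.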
@@ -1101,6 +1108,9 @@ static int max17042_probe(struct i2c_client *client,
 	regmap_read(chip->regmap, MAX17042_STATUS, &val);
 	if (val & STATUS_POR_BIT) {
 		INIT_WORK(&chip->work, max17042_init_worker);
+		ret = devm_add_action(&client->dev, max17042_stop_work, chip);
+		if (ret)
+			return ret;
 		schedule_work(&chip->work);
 	} else {
 		chip->init_complete = 1;
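Review bot: the placement of devm_add_action() between INIT_WORK() and schedule_work() is load-bearing and should be documented in a comment at that spot. Registering before schedule_work() means the early "return ret" cannot leave work pending, so plain devm_add_action() is sufficient here and the _or_reset variant is not needed. Since devres runs actions in reverse order of registration, this cancel will also run before anything registered earlier in probe is released, which is worth stating in the commit message because it is what guarantees the worker cannot outlive the resources it touches.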
-- 
2.17.1