On Fri, Apr 21, 2023 at 04:29:19PM +0800, Duoming Zhou wrote:
> The watchdog_timer can schedule tx_timeout_task and watchdog_work
> can also arm watchdog_timer. The process is shown below:
>
> ----------- timer schedules work ------------
> cyttsp4_watchdog_timer() //timer handler
> schedule_work(&cd->watchdog_work)
>
> ----------- work arms timer ------------
> cyttsp4_watchdog_work() //workqueue callback function
> cyttsp4_start_wd_timer()
> mod_timer(&cd->watchdog_timer, ...)
>
> Although del_timer_sync() and cancel_work_sync() are called in
> cyttsp4_remove(), the timer and workqueue could still be rearmed.
> As a result, the possible use after free bugs could happen. The
> process is shown below:
>
> (cleanup routine) | (timer and workqueue routine)
> cyttsp4_remove() | cyttsp4_watchdog_timer() //timer
> cyttsp4_stop_wd_timer() | schedule_work()
> del_timer_sync() |
> | cyttsp4_watchdog_work() //worker
> | cyttsp4_start_wd_timer()
> | mod_timer()
> cancel_work_sync() |
> | cyttsp4_watchdog_timer() //timer
> | schedule_work()
> del_timer_sync() |
> kfree(cd) //FREE |
> | cyttsp4_watchdog_work() // reschedule!
> | cd-> //USE
>
> This patch changes del_timer_sync() to timer_shutdown_sync(),
> which could prevent rearming of the timer from the workqueue.
>
> Fixes: 17fb1563d69b ("Input: cyttsp4 - add core driver for Cypress TMA4XX touchscreen devices")
> Signed-off-by: Duoming Zhou <duoming@xxxxxxxxxx>
Applied, thank you.
--
Dmitry
