On Tue, Apr 13, 2021 at 04:03:18PM +0000, Wei Yongjun wrote: > This driver's remove path calls del_timer(). However, that function > does not wait until the timer handler finishes. This means that the > timer handler may still be running after the driver's remove function > has finished, which would result in a use-after-free. > > Fix by calling del_timer_sync(), which makes sure the timer handler > has finished, and unable to re-schedule itself. > > Fixes: 8562d4fe34a3 ("mhi: pci_generic: Add health-check") > Reported-by: Hulk Robot <hulkci@xxxxxxxxxx> > Signed-off-by: Wei Yongjun <weiyongjun1@xxxxxxxxxx> Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@xxxxxxxxxx> Loic, could you please review this patch as well? Thanks, Mani > --- > drivers/bus/mhi/pci_generic.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/bus/mhi/pci_generic.c b/drivers/bus/mhi/pci_generic.c > index 7c810f02a2ef..5b19e877d17a 100644 > --- a/drivers/bus/mhi/pci_generic.c > +++ b/drivers/bus/mhi/pci_generic.c > @@ -708,7 +708,7 @@ static void mhi_pci_remove(struct pci_dev *pdev) > struct mhi_pci_device *mhi_pdev = pci_get_drvdata(pdev); > struct mhi_controller *mhi_cntrl = &mhi_pdev->mhi_cntrl; > > - del_timer(&mhi_pdev->health_check_timer); > + del_timer_sync(&mhi_pdev->health_check_timer); > cancel_work_sync(&mhi_pdev->recovery_work); > > if (test_and_clear_bit(MHI_PCI_DEV_STARTED, &mhi_pdev->status)) { >
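Review bot: In mhi_pci_remove(), del_timer_sync(&mhi_pdev->health_check_timer) runs before cancel_work_sync(&mhi_pdev->recovery_work), and that ordering may leave the race partly open. del_timer_sync() waits for a running handler to finish, but it does not stop another context from arming the timer again afterwards. If recovery_work can call mod_timer() on health_check_timer (its body is not visible in this hunk), the work could re-arm the timer after the sync and before the work is cancelled, so the handler could still fire once remove has returned. Please confirm whether that path exists. If it does, cancel the work first or repeat del_timer_sync() after cancel_work_sync(), and state the required ordering in the commit message.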