In remove(), ensure that the pme work cannot run after kfree()
is called. Otherwise, this could result in a use-after-free.
This issue was detected with the help of Coccinelle.
Cc: Sinan Kaya <okaya@xxxxxxxxxx>
Cc: Frederick Lawler <fred@xxxxxxxxxxxx>
Cc: Mika Westerberg <mika.westerberg@xxxxxxxxxxxxxxx>
Cc: Keith Busch <keith.busch@xxxxxxxxx>
Signed-off-by: Sven Van Asbroeck <TheSven73@xxxxxxxxx>
---
drivers/pci/pcie/pme.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/pci/pcie/pme.c b/drivers/pci/pcie/pme.c
index 0dbcf429089f..87823f669ccc 100644
--- a/drivers/pci/pcie/pme.c
+++ b/drivers/pci/pcie/pme.c
@@ -427,9 +427,12 @@ static int pcie_pme_resume(struct pcie_device *srv)
*/
static void pcie_pme_remove(struct pcie_device *srv)
{
+ struct pcie_pme_service_data *data = get_service_data(srv);
+
pcie_pme_suspend(srv);
free_irq(srv->irq, srv);
- kfree(get_service_data(srv));
+ cancel_work_sync(&data->work);
+ kfree(data);
}
static int pcie_pme_runtime_suspend(struct pcie_device *srv)
--
2.17.1
