del_timer() does not wait until the timer handler finishing. This means that the timer handler may still be running after the driver's remove function has finished, which would result in a use-after-free. Fix it by calling del_timer_sync(), which makes sure the timer handler has finished. Reported-by: Hulk Robot <hulkci@xxxxxxxxxx> Signed-off-by: Yang Yingliang <yangyingliang@xxxxxxxxxx> --- drivers/hte/hte-tegra194-test.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/hte/hte-tegra194-test.c b/drivers/hte/hte-tegra194-test.c index bc3ab18dfdc5..f69a274a7d8d 100644 --- a/drivers/hte/hte-tegra194-test.c +++ b/drivers/hte/hte-tegra194-test.c @@ -220,7 +220,7 @@ static int tegra_hte_test_remove(struct platform_device *pdev) free_irq(hte.gpio_in_irq, &hte); gpiod_put(hte.gpio_in); gpiod_put(hte.gpio_out); - del_timer(&hte.timer); + del_timer_sync(&hte.timer); return 0; } -- 2.25.1
