This is a note to let you know that I've just added the patch titled
Input: cyttsp4_core - change del_timer_sync() to timer_shutdown_sync()
to the 6.4-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
input-cyttsp4_core-change-del_timer_sync-to-timer_sh.patch
and it can be found in the queue-6.4 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.
commit c08f573763e5947912d02ddf590766e4f1359205
Author: Duoming Zhou <duoming@xxxxxxxxxx>
Date: Mon May 1 17:37:02 2023 -0700
Input: cyttsp4_core - change del_timer_sync() to timer_shutdown_sync()
[ Upstream commit dbe836576f12743a7d2d170ad4ad4fd324c4d47a ]
The watchdog_timer can schedule tx_timeout_task and watchdog_work
can also arm watchdog_timer. The process is shown below:
----------- timer schedules work ------------
cyttsp4_watchdog_timer() //timer handler
schedule_work(&cd->watchdog_work)
----------- work arms timer ------------
cyttsp4_watchdog_work() //workqueue callback function
cyttsp4_start_wd_timer()
mod_timer(&cd->watchdog_timer, ...)
Although del_timer_sync() and cancel_work_sync() are called in
cyttsp4_remove(), the timer and workqueue could still be rearmed.
As a result, the possible use after free bugs could happen. The
process is shown below:
(cleanup routine) | (timer and workqueue routine)
cyttsp4_remove() | cyttsp4_watchdog_timer() //timer
cyttsp4_stop_wd_timer() | schedule_work()
del_timer_sync() |
| cyttsp4_watchdog_work() //worker
| cyttsp4_start_wd_timer()
| mod_timer()
cancel_work_sync() |
| cyttsp4_watchdog_timer() //timer
| schedule_work()
del_timer_sync() |
kfree(cd) //FREE |
| cyttsp4_watchdog_work() // reschedule!
| cd-> //USE
This patch changes del_timer_sync() to timer_shutdown_sync(),
which could prevent rearming of the timer from the workqueue.
Fixes: 17fb1563d69b ("Input: cyttsp4 - add core driver for Cypress TMA4XX touchscreen devices")
Signed-off-by: Duoming Zhou <duoming@xxxxxxxxxx>
Link: https://lore.kernel.org/r/20230421082919.8471-1-duoming@xxxxxxxxxx
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@xxxxxxxxx>
Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
diff --git a/drivers/input/touchscreen/cyttsp4_core.c b/drivers/input/touchscreen/cyttsp4_core.c
index 0cd6f626adec5..7cb26929dc732 100644
--- a/drivers/input/touchscreen/cyttsp4_core.c
+++ b/drivers/input/touchscreen/cyttsp4_core.c
@@ -1263,9 +1263,8 @@ static void cyttsp4_stop_wd_timer(struct cyttsp4 *cd)
* Ensure we wait until the watchdog timer
* running on a different CPU finishes
*/
- del_timer_sync(&cd->watchdog_timer);
+ timer_shutdown_sync(&cd->watchdog_timer);
cancel_work_sync(&cd->watchdog_work);
- del_timer_sync(&cd->watchdog_timer);
}
static void cyttsp4_watchdog_timer(struct timer_list *t)
