Re: [PATCH] Input: cyttsp4_core - change del_timer_sync() to timer_shutdown_sync()

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On 9/8/23 10:15, Greg KH wrote:
> On Fri, Sep 08, 2023 at 05:41:35AM +0400, Denis Efremov (Oracle) wrote:
>> From: Duoming Zhou <duoming@xxxxxxxxxx>
>>
>> The watchdog_timer can schedule tx_timeout_task and watchdog_work
>> can also arm watchdog_timer. The process is shown below:
>>
>> ----------- timer schedules work ------------
>> cyttsp4_watchdog_timer() //timer handler
>>   schedule_work(&cd->watchdog_work)
>>
>> ----------- work arms timer ------------
>> cyttsp4_watchdog_work() //workqueue callback function
>>   cyttsp4_start_wd_timer()
>>     mod_timer(&cd->watchdog_timer, ...)
>>
>> Although del_timer_sync() and cancel_work_sync() are called in
>> cyttsp4_remove(), the timer and workqueue could still be rearmed.
>> As a result, the possible use after free bugs could happen. The
>> process is shown below:
>>
>>   (cleanup routine)           |  (timer and workqueue routine)
>> cyttsp4_remove()              | cyttsp4_watchdog_timer() //timer
>>   cyttsp4_stop_wd_timer()     |   schedule_work()
>>     del_timer_sync()          |
>>                               | cyttsp4_watchdog_work() //worker
>>                               |   cyttsp4_start_wd_timer()
>>                               |     mod_timer()
>>     cancel_work_sync()        |
>>                               | cyttsp4_watchdog_timer() //timer
>>                               |   schedule_work()
>>     del_timer_sync()          |
>>   kfree(cd) //FREE            |
>>                               | cyttsp4_watchdog_work() // reschedule!
>>                               |   cd-> //USE
>>
>> This patch changes del_timer_sync() to timer_shutdown_sync(),
>> which could prevent rearming of the timer from the workqueue.
>>
>> Cc: stable@xxxxxxxxxxxxxxx
>> Fixes: CVE-2023-4134
> 
> "CVE" is not a valid Fixes tag :(
> 
>> Fixes: 17fb1563d69b ("Input: cyttsp4 - add core driver for Cypress TMA4XX touchscreen devices")
>> Signed-off-by: Duoming Zhou <duoming@xxxxxxxxxx>
>> Link: https://lore.kernel.org/r/20230421082919.8471-1-duoming@xxxxxxxxxx
>> Signed-off-by: Dmitry Torokhov <dmitry.torokhov@xxxxxxxxx>
>> Signed-off-by: Denis Efremov (Oracle) <efremov@xxxxxxxxx>
>> ---
>>
>> I've only added Cc: stable and Fixes tag.
> 

Please, don't take this patch. It breaks the build. Sorry, I forgot to check it this time.
I'll resend a correct backport with the upstream commit info.

Best Regards,
Denis
[Index of Archives]     [Linux Kernel]     [Kernel Development Newbies]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite Hiking]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux