On Fri, Oct 18, 2024 at 09:54:28PM +0800, He Zhe wrote:
> From: Duoming Zhou <duoming@xxxxxxxxxx>
>
> commit 573601521277119f2e2ba5f28ae6e87fc594f4d4 upstream.
>
> When the cpu5wdt module is removing, the origin code uses del_timer() to
> de-activate the timer. If the timer handler is running, del_timer() could
> not stop it and will return directly. If the port region is released by
> release_region() and then the timer handler cpu5wdt_trigger() calls outb()
> to write into the region that is released, the use-after-free bug will
> happen.
>
> Change del_timer() to timer_shutdown_sync() in order that the timer handler
> could be finished before the port region is released.
>
> Fixes: e09d9c3e9f85 ("watchdog: cpu5wdt.c: add missing del_timer call")
> Signed-off-by: Duoming Zhou <duoming@xxxxxxxxxx>
> Reviewed-by: Guenter Roeck <linux@xxxxxxxxxxxx>
> Link: https://lore.kernel.org/r/20240324140444.119584-1-duoming@xxxxxxxxxx
> Signed-off-by: Guenter Roeck <linux@xxxxxxxxxxxx>
> Signed-off-by: Wim Van Sebroeck <wim@xxxxxxxxxxxxxxxxxx>
>
> CVE: CVE-2024-38630
>
> [Zhe: The function timer_shutdown_sync in the original fix is not
> introduced to 5.10 yet. As stated in f571faf6e443b6011ccb585d57866177af1f643c

Please refer to commits in the correct way, this would be f571faf6e443
("timers: Provide timer_shutdown[_sync]()"), right?

thanks,

greg k-h
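
A userspace model of the teardown race that the quoted commit message describes, added here as an illustration; it is not code from the patch or from the kernel. Threads stand in for the timer handler and the module exit path, and every function and flag name below is constructed for the example.

```c
/* Userspace model (constructed) of the cpu5wdt teardown race; not kernel code. */
#define _POSIX_C_SOURCE 200809L      /* nanosleep() under strict -std=c11 */
#include <pthread.h>
#include <stdatomic.h>
#include <time.h>

static atomic_int handler_running;      /* handler has been entered */
static atomic_int region_released;      /* models release_region() having run */
static atomic_int wrote_after_release;  /* models outb() into a released region */

static void pause_ms(long ms)
{
    struct timespec ts = { 0, ms * 1000000L };
    nanosleep(&ts, NULL);
}

/* Stands in for cpu5wdt_trigger(): already executing when teardown starts. */
static void *timer_handler(void *arg)
{
    (void)arg;
    atomic_store(&handler_running, 1);
    pause_ms(50);                           /* handler is still in flight */
    if (atomic_load(&region_released))      /* the write would hit freed ports */
        atomic_store(&wrote_after_release, 1);
    return NULL;
}

/* wait_for_handler = 0 models del_timer(): returns while the handler runs.
 * wait_for_handler = 1 models a synchronous shutdown that waits for it.
 * Returns 1 if the handler touched the region after release, -1 on error. */
int simulate_module_exit(int wait_for_handler)
{
    pthread_t t;
    atomic_store(&handler_running, 0);
    atomic_store(&region_released, 0);
    atomic_store(&wrote_after_release, 0);
    if (pthread_create(&t, NULL, timer_handler, NULL) != 0)
        return -1;
    while (!atomic_load(&handler_running))
        pause_ms(1);                        /* teardown begins mid-handler */
    if (wait_for_handler)
        pthread_join(t, NULL);              /* handler finishes first */
    atomic_store(&region_released, 1);      /* release_region() */
    if (!wait_for_handler)
        pthread_join(t, NULL);              /* only to collect the result */
    return atomic_load(&wrote_after_release);
}

int main(void) { return !(simulate_module_exit(0) == 1 && simulate_module_exit(1) == 0); }
```

The only difference between the two runs is whether teardown waits for the in-flight handler before releasing the resource, which is the ordering the fix enforces.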