| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20190218195730.4975-1-TheSven73@gmail.com>
Date: Mon, 18 Feb 2019 14:57:30 -0500
From: Sven Van Asbroeck <thesven73@...il.com>
To: Bjorn Helgaas <bhelgaas@...gle.com>
Cc: linux-pci@...r.kernel.org, linux-kernel@...r.kernel.org,
Sinan Kaya <okaya@...nel.org>,
Frederick Lawler <fred@...dlawl.com>,
Mika Westerberg <mika.westerberg@...ux.intel.com>,
Keith Busch <keith.busch@...el.com>
Subject: [PATCH] PCIE/PME: fix possible use-after-free on remove
In remove(), ensure that the pme work cannot run after kfree()
is called. Otherwise, this could result in a use-after-free.
This issue was detected with the help of Coccinelle.
Cc: Sinan Kaya <okaya@...nel.org>
Cc: Frederick Lawler <fred@...dlawl.com>
Cc: Mika Westerberg <mika.westerberg@...ux.intel.com>
Cc: Keith Busch <keith.busch@...el.com>
Signed-off-by: Sven Van Asbroeck <TheSven73@...il.com>
---
drivers/pci/pcie/pme.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/pci/pcie/pme.c b/drivers/pci/pcie/pme.c
index 0dbcf429089f..87823f669ccc 100644
--- a/drivers/pci/pcie/pme.c
+++ b/drivers/pci/pcie/pme.c
@@ -427,9 +427,12 @@ static int pcie_pme_resume(struct pcie_device *srv)
*/
static void pcie_pme_remove(struct pcie_device *srv)
{
+ struct pcie_pme_service_data *data = get_service_data(srv);
+
pcie_pme_suspend(srv);
free_irq(srv->irq, srv);
- kfree(get_service_data(srv));
+ cancel_work_sync(&data->work);
+ kfree(data);
}
static int pcie_pme_runtime_suspend(struct pcie_device *srv)
--
2.17.1
Powered by blists - more mailing lists