hwmon: (xgene) Fix use after free bug in xgene_hwmon_remove due to race condition

bluesheep1337 · Sasha Levin · commit 3375a896426c · 2023-03-20T15:03:46.000Z
[ Upstream commit cb090e6 ] In xgene_hwmon_probe, &ctx->workq is bound with xgene_hwmon_evt_work. Then it will be started. If we remove the driver which will call xgene_hwmon_remove to clean up, there may be unfinished work. The possible sequence is as follows: Fix it by finishing the work before cleanup in xgene_hwmon_remove. CPU0 CPU1 |xgene_hwmon_evt_work xgene_hwmon_remove | kfifo_free(&ctx->async_msg_fifo);| | |kfifo_out_spinlocked |//use &ctx->async_msg_fifo Fixes: 2ca492e ("hwmon: (xgene) Fix crash when alarm occurs before driver probe") Signed-off-by: Zheng Wang <zyytlz.wz@163.com> Link: https://lore.kernel.org/r/20230310084007.1403388-1-zyytlz.wz@163.com Signed-off-by: Guenter Roeck <linux@roeck-us.net> Signed-off-by: Sasha Levin <sashal@kernel.org>
diff --git a/drivers/hwmon/xgene-hwmon.c b/drivers/hwmon/xgene-hwmon.c
@@ -751,6 +751,7 @@ static int xgene_hwmon_remove(struct platform_device *pdev)
 {
 	struct xgene_hwmon_dev *ctx = platform_get_drvdata(pdev);
 
+	cancel_work_sync(&ctx->workq);
 	hwmon_device_unregister(ctx->hwmon_dev);
 	kfifo_free(&ctx->async_msg_fifo);
 	if (acpi_disabled)

Original file line number	Diff line number	Diff line change
`@@ -751,6 +751,7 @@ static int xgene_hwmon_remove(struct platform_device *pdev)`
`751`	`751`	`{`
`752`	`752`	`struct xgene_hwmon_dev *ctx = platform_get_drvdata(pdev);`
`753`	`753`
	`754`	`+ cancel_work_sync(&ctx->workq);`
`754`	`755`	`hwmon_device_unregister(ctx->hwmon_dev);`
`755`	`756`	`kfifo_free(&ctx->async_msg_fifo);`
`756`	`757`	`if (acpi_disabled)`