diff options
| author | Sven Van Asbroeck <[email protected]> | 2019-03-08 12:59:35 -0500 |
|---|---|---|
| committer | Jonathan Cameron <[email protected]> | 2019-04-04 20:19:56 +0100 |
| commit | 11362b7a43bac15607e26d501d6095235b38567b (patch) | |
| tree | 13096dd10908a81ba30f117756d2ec474e0ecbd2 /tools/perf/scripts/python/bin/stackcollapse-report | |
| parent | 71a7766b36f32ece32346985e9bed63e23847914 (diff) | |
iio: proximity: as3935: fix use-after-free on device remove
This driver's probe() uses a mix of devm_ and non-devm_ functions. This
means that the remove order will not be the exact opposite of the probe
order.
Remove order:
1. remove() executes:
iio_device_unregister
iio_triggered_buffer_cleanup
iio_trigger_unregister
(A)
2. core frees devm resources in reverse order:
free_irq
iio_trigger_free
iio_device_free
In (A) the trigger has been unregistered, but the irq handler is still
registered and active, so the trigger may still be touched via
interrupt -> as3935_event_work. This is a potential use-after-unregister.
Given that the delayed work is never canceled explicitly, it may run even
after iio_device_free. This is a potential use-after-free.
Solution: convert all probe functions to their devm_ equivalents.
Add a devm callback, called by the core on remove right after irq_free,
which explicitly cancels the delayed work. This will guarantee that all
resources are freed in the correct order.
As an added bonus, some boilerplate code can be removed.
Signed-off-by: Sven Van Asbroeck <[email protected]>
Signed-off-by: Jonathan Cameron <[email protected]>
Diffstat (limited to 'tools/perf/scripts/python/bin/stackcollapse-report')
0 files changed, 0 insertions, 0 deletions