Commit d1a8691f authored by Sven Van Asbroeck's avatar Sven Van Asbroeck Committed by Greg Kroah-Hartman

iio: adc: xilinx: fix potential use-after-free on remove

[ Upstream commit 62039b6a ]

When cancel_delayed_work() returns, the delayed work may still
be running. This means that the core could potentially free
the private structure (struct xadc) while the delayed work
is still using it. This is a potential use-after-free.

Fix by calling cancel_delayed_work_sync(), which waits for
any residual work to finish before returning.
Signed-off-by: default avatarSven Van Asbroeck <TheSven73@gmail.com>
Signed-off-by: default avatarJonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
parent 2651afdc
...@@ -1299,7 +1299,7 @@ static int xadc_remove(struct platform_device *pdev) ...@@ -1299,7 +1299,7 @@ static int xadc_remove(struct platform_device *pdev)
} }
free_irq(irq, indio_dev); free_irq(irq, indio_dev);
clk_disable_unprepare(xadc->clk); clk_disable_unprepare(xadc->clk);
cancel_delayed_work(&xadc->zynq_unmask_work); cancel_delayed_work_sync(&xadc->zynq_unmask_work);
kfree(xadc->data); kfree(xadc->data);
kfree(indio_dev->channels); kfree(indio_dev->channels);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment