misc: ti-st: st_kim: Fix use after free bug in kim_remove due to race…

… condition In kim_probe, it called st_core_init and bound &st_gdata->work_write_wakeup with work_fn_write_wakeup. When it calls st_tty_wakeup, it will finally call schedule_work to start the work. When we call kim_remove to remove the driver, there may be a sequence as follows: Fix it by finishing the work before cleanup in kim_remove CPU0 CPU1 |work_fn_write_wakeup kim_remove | st_core_exit | kfree(st_gdata)| |st_tx_wakeup |//use st_gdata Fixes: b05b7c7 ("ti-st: use worker instead of calling st_int_write in wake up") Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
intel-lab-lkp · Mar 18, 2023 · ecbe190 · ecbe190
1 parent 6ca8f8b
commit ecbe190
Showing 1 changed file with 4 additions and 1 deletion.
diff --git a/drivers/misc/ti-st/st_kim.c b/drivers/misc/ti-st/st_kim.c
@@ -785,9 +785,12 @@ static int kim_remove(struct platform_device *pdev)
 	/* free the GPIOs requested */
 	struct ti_st_plat_data	*pdata = pdev->dev.platform_data;
 	struct kim_data_s	*kim_gdata;
+	struct st_data_s *st_gdata = kim_gdata->core_data;
 
 	kim_gdata = platform_get_drvdata(pdev);
 
+	cancel_work_sync(&st_gdata->work_write_wakeup);
+
 	/*
 	 * Free the Bluetooth/FM/GPIO
 	 * nShutdown gpio from the system
@@ -800,7 +803,7 @@ static int kim_remove(struct platform_device *pdev)
 	pr_info("sysfs entries removed");
 
 	kim_gdata->kim_pdev = NULL;
-	st_core_exit(kim_gdata->core_data);
+	st_core_exit(st_gdata);
 
 	kfree(kim_gdata);
 	kim_gdata = NULL;