| Bug ID | 1210329 |
|---|---|
| Summary | use after free bug in da9150_charger_remove due to race condition |
| Classification | openSUSE |
| Product | openSUSE Distribution |
| Version | Leap 16.0 |
| Hardware | x86-64 |
| OS | Linux |
| Status | NEW |
| Severity | Major |
| Priority | P5 - None |
| Component | Kernel |
| Assignee | kernel-bugs@opensuse.org |
| Reporter | hackerzheng666@gmail.com |
| QA Contact | qa-bugs@suse.de |
| Found By | --- |
| Blocker | --- |
In da9150_charger_probe, &charger->otg_work is bound with
da9150_charger_otg_work. da9150_charger_otg_ncb may be
called to start the work.
If we remove the module which will call da9150_charger_remove
to make cleanup, there may be a unfinished work. The possible
sequence is as follows:
Fix it by canceling the work before cleanup in the da9150_charger_remove
CPU0 CPUc1
|da9150_charger_otg_work
da9150_charger_remove |
power_supply_unregister |
device_unregister |
power_supply_dev_release |
kfree(psy) |
|
| power_supply_changed(charger->usb);
| //use
There's no kernel log. Here is the patch link of [1] Linux-v6.3 and
[2]patchwork
[1]
https://lore.kernel.org/all/CAHk-=whcaHLNpb7Mu_QX7ABwPgyRyfW-V8=v4Mv0S22fpjY4JQ@mail.gmail.com/
[2] https://lore.kernel.org/all/20230328142620.323334485@linuxfoundation.org/