From: Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>
Date: Fri, 11 Nov 2016 02:36:15 +0000 (-0700)
Subject: nf: IDLETIMER: Fix use after free condition during work
X-Git-Tag: release-20171130_firefly~4^2~100^2~224
X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=f2688d5b1c6844b8660218e30a5b74fffd0a117f;p=firefly-linux-kernel-4.4.55.git

nf: IDLETIMER: Fix use after free condition during work

schedule_work(&timer->work) appears to be called after
cancel_work_sync(&info->timer->work) is completed.
Work can be scheduled from the PM_POST_SUSPEND notification event
even after cancel_work_sync is called.

Call stack

-004|notify_netlink_uevent(
    |    [X19] timer = 0xFFFFFFC0A5DFC780 -> (
    |      ...
    |      [NSD:0xFFFFFFC0A5DFC800] kobj = 0x6B6B6B6B6B6B6B6B,
    |      [NSD:0xFFFFFFC0A5DFC868] timeout = 0x6B6B6B6B,
    |      [NSD:0xFFFFFFC0A5DFC86C] refcnt = 0x6B6B6B6B,
    |      [NSD:0xFFFFFFC0A5DFC870] work_pending = 0x6B,
    |      [NSD:0xFFFFFFC0A5DFC871] send_nl_msg = 0x6B,
    |      [NSD:0xFFFFFFC0A5DFC872] active = 0x6B,
    |      [NSD:0xFFFFFFC0A5DFC874] uid = 0x6B6B6B6B,
    |      [NSD:0xFFFFFFC0A5DFC878] suspend_time_valid = 0x6B))
-005|idletimer_tg_work(
-006|__read_once_size(inline)
-006|static_key_count(inline)
-006|static_key_false(inline)
-006|trace_workqueue_execute_end(inline)
-006|process_one_work(
-007|worker_thread(
-008|kthread(
-009|ret_from_fork(asm)
---|end of frame

Force any pending idletimer_tg_work() to complete before freeing
the associated work struct and after unregistering to the pm_notifier
callback.

Change-Id: I4c5f0a1c142f7d698c092cf7bcafdb0f9fbaa9c1
Signed-off-by: Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>
---

diff --git a/net/netfilter/xt_IDLETIMER.c b/net/netfilter/xt_IDLETIMER.c
index 0975c993a94e..ada5a304e61e 100644
--- a/net/netfilter/xt_IDLETIMER.c
+++ b/net/netfilter/xt_IDLETIMER.c
@@ -456,6 +456,7 @@ static void idletimer_tg_destroy(const struct xt_tgdtor_param *par)
 		del_timer_sync(&info->timer->timer);
 		sysfs_remove_file(idletimer_tg_kobj, &info->timer->attr.attr);
 		unregister_pm_notifier(&info->timer->pm_nb);
+		cancel_work_sync(&info->timer->work);
 		kfree(info->timer->attr.attr.name);
 		kfree(info->timer);
 	} else {