3f4093e2bf
There are use-after-free bugs caused by tst_timer. The root cause
is that there are no functions to stop tst_timer in idt77252_exit().
One of the possible race conditions is shown below:

    (thread 1)             |        (thread 2)
                           |  idt77252_init_one
                           |    init_card
                           |      fill_tst
                           |        mod_timer(&card->tst_timer, ...)
    idt77252_exit          |  (wait a time)
                           |  tst_timer
                           |
                           |    ...
      kfree(card) // FREE  |
                           |    card->soft_tst[e] // USE

The idt77252_dev is deallocated in idt77252_exit() and used in
the timer handler.
This patch adds del_timer_sync() in idt77252_exit() in order that
the timer handler could be stopped before the idt77252_dev is
deallocated.
Fixes:
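
The ordering in the race diagram above, as an added example that is not part of the commit or the driver: a single-threaded userspace C model in which every model_* name is hypothetical and the free is represented by a tombstone flag. It shows only why the timer has to be deactivated before kfree(card); it does not model del_timer_sync() waiting for a handler that is already running on another CPU.

```c
/* Single-threaded userspace model of the ordering in the race diagram.
 * All model_* names are hypothetical; this is not the driver's code. */
#include <stdbool.h>
#include <stdlib.h>

/* stand-in for struct timer_list */
struct model_timer { bool pending; void (*fn)(void *); void *arg; };

struct model_card {                  /* stand-in for struct idt77252_dev */
    struct model_timer tst_timer;
    bool freed;                      /* tombstone standing in for kfree() */
    int stale_runs;                  /* handler runs seen after the "free" */
};

static void model_tst_timer(void *arg)
{
    struct model_card *card = arg;
    if (card->freed)                 /* the kernel handler would USE freed memory here */
        card->stale_runs++;
}

static void model_mod_timer(struct model_card *card)
{
    card->tst_timer = (struct model_timer){ true, model_tst_timer, card };
}

static void model_del_timer(struct model_timer *t) { t->pending = false; }

static void model_run_timers(struct model_timer *t)   /* later expiry */
{
    if (t->pending) { t->pending = false; t->fn(t->arg); }
}

/* Returns how many times the handler ran against an already-freed card. */
int model_exit(bool cancel_before_free)
{
    struct model_card *card = calloc(1, sizeof(*card));
    if (!card) return -1;
    model_mod_timer(card);                   /* init path arms tst_timer */
    if (cancel_before_free)
        model_del_timer(&card->tst_timer);   /* ordering the patch describes */
    card->freed = true;                      /* models kfree(card) */
    model_run_timers(&card->tst_timer);      /* timer fires after exit */
    int stale = card->stale_runs;
    free(card);                              /* real release, after inspection */
    return stale;
}

int main(void) { return model_exit(true); }
```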