nf: IDLETIMER: Fix use after free condition during work

schedule_work(&timer->work) appears to be called after
cancel_work_sync(&info->timer->work) is completed.
Work can be scheduled from the PM_POST_SUSPEND notification event
even after cancel_work_sync is called.

Call stack

-004|notify_netlink_uevent(
    |    [X19] timer = 0xFFFFFFC0A5DFC780 -> (
    |      ...
    |      [NSD:0xFFFFFFC0A5DFC800] kobj = 0x6B6B6B6B6B6B6B6B,
    |      [NSD:0xFFFFFFC0A5DFC868] timeout = 0x6B6B6B6B,
    |      [NSD:0xFFFFFFC0A5DFC86C] refcnt = 0x6B6B6B6B,
    |      [NSD:0xFFFFFFC0A5DFC870] work_pending = 0x6B,
    |      [NSD:0xFFFFFFC0A5DFC871] send_nl_msg = 0x6B,
    |      [NSD:0xFFFFFFC0A5DFC872] active = 0x6B,
    |      [NSD:0xFFFFFFC0A5DFC874] uid = 0x6B6B6B6B,
    |      [NSD:0xFFFFFFC0A5DFC878] suspend_time_valid = 0x6B))
-005|idletimer_tg_work(
-006|__read_once_size(inline)
-006|static_key_count(inline)
-006|static_key_false(inline)
-006|trace_workqueue_execute_end(inline)
-006|process_one_work(
-007|worker_thread(
-008|kthread(
-009|ret_from_fork(asm)
---|end of frame

Force any pending idletimer_tg_work() to complete before freeing
the associated work struct and after unregistering to the pm_notifier
callback.

CRs-Fixed: 1088590
Change-Id: I4c5f0a1c142f7d698c092cf7bcafdb0f9fbaa9c1
Signed-off-by: Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>

1 files changed, 1 insertions, 1 deletions

diff --git a/net/netfilter/xt_IDLETIMER.c b/net/netfilter/xt_IDLETIMER.c
index dda332d821e4..456a1dff692d 100644
--- a/net/netfilter/xt_IDLETIMER.c
+++ b/net/netfilter/xt_IDLETIMER.c
@@ -460,9 +460,9 @@ static void idletimer_tg_destroy(const struct xt_tgdtor_param *par)
 
 		list_del(&info->timer->entry);
 		del_timer_sync(&info->timer->timer);
-		cancel_work_sync(&info->timer->work);
 		sysfs_remove_file(idletimer_tg_kobj, &info->timer->attr.attr);
 		unregister_pm_notifier(&info->timer->pm_nb);
+		cancel_work_sync(&info->timer->work);
 		kfree(info->timer->attr.attr.name);
 		kfree(info->timer);
 	} else {