diff options
| author | Subash Abhinov Kasiviswanathan <subashab@codeaurora.org> | 2016-11-10 19:36:15 -0700 |
|---|---|---|
| committer | Subash Abhinov Kasiviswanathan <subashab@codeaurora.org> | 2016-11-14 12:08:11 -0700 |
| commit | ba31ac10660a7df1bf9e6f76cf1cee2fa7bec4bb (patch) | |
| tree | 537cbeb366246cba3c5360601865f76c14d8d58e /lib/mpi/mpi-bit.c | |
| parent | 24d0c1f91eb2850889cb27ef6fdcadc0c8ff2834 (diff) | |
nf: IDLETIMER: Fix use after free condition during work
schedule_work(&timer->work) appears to be called after
cancel_work_sync(&info->timer->work) is completed.
Work can be scheduled from the PM_POST_SUSPEND notification event
even after cancel_work_sync is called.
Call stack
-004|notify_netlink_uevent(
| [X19] timer = 0xFFFFFFC0A5DFC780 -> (
| ...
| [NSD:0xFFFFFFC0A5DFC800] kobj = 0x6B6B6B6B6B6B6B6B,
| [NSD:0xFFFFFFC0A5DFC868] timeout = 0x6B6B6B6B,
| [NSD:0xFFFFFFC0A5DFC86C] refcnt = 0x6B6B6B6B,
| [NSD:0xFFFFFFC0A5DFC870] work_pending = 0x6B,
| [NSD:0xFFFFFFC0A5DFC871] send_nl_msg = 0x6B,
| [NSD:0xFFFFFFC0A5DFC872] active = 0x6B,
| [NSD:0xFFFFFFC0A5DFC874] uid = 0x6B6B6B6B,
| [NSD:0xFFFFFFC0A5DFC878] suspend_time_valid = 0x6B))
-005|idletimer_tg_work(
-006|__read_once_size(inline)
-006|static_key_count(inline)
-006|static_key_false(inline)
-006|trace_workqueue_execute_end(inline)
-006|process_one_work(
-007|worker_thread(
-008|kthread(
-009|ret_from_fork(asm)
---|end of frame
Force any pending idletimer_tg_work() to complete before freeing
the associated work struct and after unregistering to the pm_notifier
callback.
CRs-Fixed: 1088590
Change-Id: I4c5f0a1c142f7d698c092cf7bcafdb0f9fbaa9c1
Signed-off-by: Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>
Diffstat (limited to 'lib/mpi/mpi-bit.c')
0 files changed, 0 insertions, 0 deletions