hte: Fix possible use-after-free in tegra_hte_test_remove()

del_timer() does not wait until the timer handler finishing.
This means that the timer handler may still be running after
the driver's remove function has finished, which would result
in a use-after-free.
Fix it by calling del_timer_sync(), which makes sure the timer
handler has finished.

Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Reviewed-by: Dipen Patel <dipenp@nvidia.com>
Acked-by: Dipen Patel <dipenp@nvidia.com>
Signed-off-by: Thierry Reding <treding@nvidia.com>

diff --git a/drivers/hte/hte-tegra194-test.c b/drivers/hte/hte-tegra194-test.c
index 6a3e57b..5d776a1 100644 (file)
--- a/drivers/hte/hte-tegra194-test.c
+++ b/drivers/hte/hte-tegra194-test.c
@@ -219,7 +219,7 @@ static int tegra_hte_test_remove(struct platform_device *pdev)
        free_irq(hte.gpio_in_irq, &hte);
        gpiod_put(hte.gpio_in);
        gpiod_put(hte.gpio_out);
-       del_timer(&hte.timer);
+       del_timer_sync(&hte.timer);
 
        return 0;
 }