6.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Brian Norris briannorris@google.com
[ Upstream commit 8b926f237743f020518162c62b93cb7107a2b5eb ]
It's possible to trigger use-after-free here by:
(a) forcing rescan_work_func() to take a long time and (b) utilizing a pwrctrl driver that may be unloaded for some reason
Cancel outstanding work to ensure it is finished before we allow our data structures to be cleaned up.
[bhelgaas: tidy commit log] Fixes: 8f62819aaace ("PCI/pwrctl: Rescan bus on a separate thread") Signed-off-by: Brian Norris briannorris@google.com Signed-off-by: Brian Norris briannorris@chromium.org Signed-off-by: Krzysztof WilczyĆski kwilczynski@kernel.org Signed-off-by: Bjorn Helgaas bhelgaas@google.com Reviewed-by: Manivannan Sadhasivam manivannan.sadhasivam@linaro.org Acked-by: Bartosz Golaszewski bartosz.golaszewski@linaro.org Cc: Konrad Dybcio konradybcio@kernel.org Link: https://patch.msgid.link/20250409115313.1.Ia319526ed4ef06bec3180378c9a008340... Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/pci/pwrctrl/core.c | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/drivers/pci/pwrctrl/core.c b/drivers/pci/pwrctrl/core.c index 9cc7e2b7f2b56..6bdbfed584d6d 100644 --- a/drivers/pci/pwrctrl/core.c +++ b/drivers/pci/pwrctrl/core.c @@ -101,6 +101,8 @@ EXPORT_SYMBOL_GPL(pci_pwrctrl_device_set_ready); */ void pci_pwrctrl_device_unset_ready(struct pci_pwrctrl *pwrctrl) { + cancel_work_sync(&pwrctrl->work); + /* * We don't have to delete the link here. Typically, this function * is only called when the power control device is being detached. If