From: Luo Meng <luomeng12@huawei.com>
Date: Tue, 29 Nov 2022 02:48:50 +0000 (+0800)
Subject: dm integrity: Fix UAF in dm_integrity_dtr()
X-Git-Tag: v5.15.92~649
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=9215b25f2e105032114e9b92c9783a2a84ee8af9;p=platform%2Fkernel%2Flinux-rpi.git

dm integrity: Fix UAF in dm_integrity_dtr()

commit f50cb2cbabd6c4a60add93d72451728f86e4791c upstream.

Dm_integrity also has the same UAF problem when dm_resume()
and dm_destroy() are concurrent.

Therefore, cancelling timer again in dm_integrity_dtr().

Cc: stable@vger.kernel.org
Fixes: 7eada909bfd7a ("dm: add integrity target")
Signed-off-by: Luo Meng <luomeng12@huawei.com>
Signed-off-by: Mike Snitzer <snitzer@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---

diff --git a/drivers/md/dm-integrity.c b/drivers/md/dm-integrity.c
index 9705f3c..508e81b 100644
--- a/drivers/md/dm-integrity.c
+++ b/drivers/md/dm-integrity.c
@@ -4539,6 +4539,8 @@ static void dm_integrity_dtr(struct dm_target *ti)
 	BUG_ON(!RB_EMPTY_ROOT(&ic->in_progress));
 	BUG_ON(!list_empty(&ic->wait_list));
 
+	if (ic->mode == 'B')
+		cancel_delayed_work_sync(&ic->bitmap_flush_work);
 	if (ic->metadata_wq)
 		destroy_workqueue(ic->metadata_wq);
 	if (ic->wait_wq)