netfilter: xt_HARDIDLETIMER: Fix use after free condition

Force any pending hardidletimer_tg_work() to complete before freeing
the associated work struct.

CRs-Fixed: 814707
Change-Id: I57b2f0dcd24f05ddb472d6007525d1722f9fe0b0
Signed-off-by: Patrick Daly <pdaly@codeaurora.org>

2 files changed, 3 insertions, 1 deletions

diff --git a/net/netfilter/xt_HARDIDLETIMER.c b/net/netfilter/xt_HARDIDLETIMER.c
index 1e209b96ec2..928357675d7 100644
--- a/net/netfilter/xt_HARDIDLETIMER.c
+++ b/net/netfilter/xt_HARDIDLETIMER.c
@@ -4,7 +4,7 @@
  * Netfilter module to trigger a timer when packet matches.
  * After timer expires a kevent will be sent.
  *
- * Copyright (c) 2014, The Linux Foundation. All rights reserved.
+ * Copyright (c) 2014-2015, The Linux Foundation. All rights reserved.
  *
  * Copyright (C) 2004, 2010 Nokia Corporation
  *
@@ -299,6 +299,7 @@ static void hardidletimer_tg_destroy(const struct xt_tgdtor_param *par)
 
 		list_del(&info->timer->entry);
 		alarm_cancel(&info->timer->alarm);
+		cancel_work_sync(&info->timer->work);
 		sysfs_remove_file(hardidletimer_tg_kobj,
 				&info->timer->attr.attr);
 		kfree(info->timer->attr.attr.name);
diff --git a/net/netfilter/xt_IDLETIMER.c b/net/netfilter/xt_IDLETIMER.c
index b21fbd63da6..ca78d5b0857 100644
--- a/net/netfilter/xt_IDLETIMER.c
+++ b/net/netfilter/xt_IDLETIMER.c
@@ -436,6 +436,7 @@ static void idletimer_tg_destroy(const struct xt_tgdtor_param *par)
 
 		list_del(&info->timer->entry);
 		del_timer_sync(&info->timer->timer);
+		cancel_work_sync(&info->timer->work);
 		sysfs_remove_file(idletimer_tg_kobj, &info->timer->attr.attr);
 		unregister_pm_notifier(&info->timer->pm_nb);
 		kfree(info->timer->attr.attr.name);