2020-12-05 23:19:29

by Alexandre Belloni

[permalink] [raw]
Subject: [PATCH] rtc: fix RTC removal

Since the rtc_register_device, removing an RTC device will end with a
refcount_t: underflow; use-after-free warning since put_device is called
twice in the device tear down path.

Fixes: fdcfd854333b ("rtc: rework rtc_register_device() resource management")
Signed-off-by: Alexandre Belloni <[email protected]>
---
drivers/rtc/class.c | 1 -
1 file changed, 1 deletion(-)

diff --git a/drivers/rtc/class.c b/drivers/rtc/class.c
index e6b44b7c4ad3..5c6748dfa55d 100644
--- a/drivers/rtc/class.c
+++ b/drivers/rtc/class.c
@@ -335,7 +335,6 @@ static void devm_rtc_unregister_device(void *data)
cdev_device_del(&rtc->char_dev, &rtc->dev);
rtc->ops = NULL;
mutex_unlock(&rtc->ops_lock);
- put_device(&rtc->dev);
}

static void devm_rtc_release_device(void *res)
--
2.28.0


2020-12-07 09:54:14

by Bartosz Golaszewski

[permalink] [raw]
Subject: Re: [PATCH] rtc: fix RTC removal

On Sun, Dec 6, 2020 at 12:14 AM Alexandre Belloni
<[email protected]> wrote:
>
> Since the rtc_register_device, removing an RTC device will end with a
> refcount_t: underflow; use-after-free warning since put_device is called
> twice in the device tear down path.
>
> Fixes: fdcfd854333b ("rtc: rework rtc_register_device() resource management")
> Signed-off-by: Alexandre Belloni <[email protected]>
> ---
> drivers/rtc/class.c | 1 -
> 1 file changed, 1 deletion(-)
>
> diff --git a/drivers/rtc/class.c b/drivers/rtc/class.c
> index e6b44b7c4ad3..5c6748dfa55d 100644
> --- a/drivers/rtc/class.c
> +++ b/drivers/rtc/class.c
> @@ -335,7 +335,6 @@ static void devm_rtc_unregister_device(void *data)
> cdev_device_del(&rtc->char_dev, &rtc->dev);
> rtc->ops = NULL;
> mutex_unlock(&rtc->ops_lock);
> - put_device(&rtc->dev);
> }
>
> static void devm_rtc_release_device(void *res)
> --
> 2.28.0
>

Eek! Thanks for fixing that.

Reviewed-by: Bartosz Golaszewski <[email protected]>