Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1752848AbbHCF5r (ORCPT <rfc822;w@1wt.eu>);
	Mon, 3 Aug 2015 01:57:47 -0400
Received: from mailout1.w1.samsung.com ([210.118.77.11]:50738 "EHLO
	mailout1.w1.samsung.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1752754AbbHCF5m (ORCPT
	<rfc822;linux-kernel@vger.kernel.org>);
	Mon, 3 Aug 2015 01:57:42 -0400
X-AuditID: cbfec7f4-f79c56d0000012ee-0e-55bf02d33265
From: Krzysztof Kozlowski <k.kozlowski@samsung.com>
To: Jiri Kosina <jkosina@suse.com>, linux-input@vger.kernel.org,
        linux-kernel@vger.kernel.org
Cc: Dmitry Torokhov <dmitry.torokhov@gmail.com>, sre@kernel.org,
        linux-pm@vger.kernel.org, "H.J. Lu" <hjl.tools@gmail.com>,
        Krzysztof Kozlowski <k.kozlowski@samsung.com>, stable@vger.kernel.org
Subject: [PATCH v3] HID: hid-input: Fix accessing freed memory during device
 disconnect
Date: Mon, 03 Aug 2015 14:57:30 +0900
Message-id: <1438581450-20728-1-git-send-email-k.kozlowski@samsung.com>
X-Mailer: git-send-email 1.9.1
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFmpmluLIzCtJLcpLzFFi42I5/e/4Zd3LTPtDDWbeULM4vOgFo8X2dYeZ
	LZq2LWa0eP3C0OLmp2+sFpd3zWGz+Nx7hNHi9O4SiwUbHzE6cHrsnHWX3WPTqk42j74tqxg9
	1m+5yuLxeZNcAGsUl01Kak5mWWqRvl0CV8bZm5fZCpbzVpz8ld/AOJm7i5GTQ0LAROJX0yQ2
	CFtM4sK99UA2F4eQwFJGicN/5zBCOP8ZJb6dWwJWxSZgLLF5OYQtIhAv0f52EytIEbPAUUaJ
	7o51LCAJYYFIibOXX7CC2CwCqhJLzn4HmsTBwSvgLvHpky3ENjmJk8cms05g5F7AyLCKUTS1
	NLmgOCk911CvODG3uDQvXS85P3cTIyRovuxgXHzM6hCjAAejEg/vhwX7QoVYE8uKK3MPMUpw
	MCuJ8P74DRTiTUmsrEotyo8vKs1JLT7EKM3BoiTOO3fX+xAhgfTEktTs1NSC1CKYLBMHp1QD
	44TrKx/Ll59M7845U3zsa2Lx1dYu+YXHmJ8XJljdkhaf9X7XLG3xlxeV/q0wuW+07c3/iQW7
	9lkK2Cy9s3pOmqDoly2rHfc/W+t/mYPJznVm7KfJ6as44iO0s/I9uX8pFwrUaGw6198otCg5
	5PHDbqWMi7ePZC4Wub/R7gm3yzRutx0XveafmarEUpyRaKjFXFScCAAWuDmnFgIAAA==
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 1894
Lines: 59

During unbinding the driver was dereferencing a pointer to memory
already freed by power_supply_unregister().

Driver was freeing its internal description of battery through pointers
stored in power_supply structure. However, because the core owns the
power supply instance, after calling power_supply_unregister() this
memory is freed and the driver cannot access these members.

Fix this by storing the pointer to internal description of battery in a
local variable before calling power_supply_unregister(), so the pointer
remains valid.

Signed-off-by: Krzysztof Kozlowski <k.kozlowski@samsung.com>
Reported-by: H.J. Lu <hjl.tools@gmail.com>
Fixes: 297d716f6260 ("power_supply: Change ownership from driver to core")
Cc: <stable@vger.kernel.org>

---
Changes since v2:
1. Add missing 'const'.

Changes since v1:
1. Re-work idea, use local variable instead of devm-like functions
   (pointed out by Dmitry Torokhov).
2. Adjusted subject and commit message.
---
 drivers/hid/hid-input.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/drivers/hid/hid-input.c b/drivers/hid/hid-input.c
index 14aebe483219..53aeaf6252c7 100644
--- a/drivers/hid/hid-input.c
+++ b/drivers/hid/hid-input.c
@@ -462,12 +462,15 @@ out:
 
 static void hidinput_cleanup_battery(struct hid_device *dev)
 {
+	const struct power_supply_desc *psy_desc;
+
 	if (!dev->battery)
 		return;
 
+	psy_desc = dev->battery->desc;
 	power_supply_unregister(dev->battery);
-	kfree(dev->battery->desc->name);
-	kfree(dev->battery->desc);
+	kfree(psy_desc->name);
+	kfree(psy_desc);
 	dev->battery = NULL;
 }
 #else  /* !CONFIG_HID_BATTERY_STRENGTH */
-- 
1.9.1

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/