Received: by 2002:a05:6a10:a0d1:0:0:0:0 with SMTP id j17csp4414433pxa; Mon, 10 Aug 2020 08:32:36 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwYGDUGlPV0fbma0jomTmgyzowHs/Me9dX9oAG+L88c/7lGVPFGpeFqaAG9lpaZObpXthg1 X-Received: by 2002:a05:6402:3196:: with SMTP id di22mr21101677edb.193.1597073555852; Mon, 10 Aug 2020 08:32:35 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1597073555; cv=none; d=google.com; s=arc-20160816; b=noRCLQMEWWfGNNAkzjX1GuwnIx2+1AUDo+HzIosqlDcF4teG3FBx60BaX2LZP2ArSF ICQvgnAZGqc3RHBKWSYANBHh3dYNlk2BG3+JyvuRU4nWSpU7gOWYaSmL6RQItNQ6Zr5w JJ3sfQhEK2bNrLNEeis/0ICr6ZMeg8G/hxwWh93aoTEX2cthBXRXNwwy+kosexOqs1vu ULZ+mbj1CwbSCDfKpwZEXMIr28Urorqn4uMxkTPuAFka5su4QCJttcOxGAK9PJk7DT4h 8O84gimNd9DC5rE//+ih3aK7CUHeO4Qh4gMFtFvqkXuSNNwHlA15fQ+bpDmn6YUIeJu0 ybew== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=s5nR8qoqaxTMrfZYNu2g6C+qMA4OQxjugHOVY2Dd1iE=; b=ufDvIRDjmTkVX5DoZby54+uXrcZ49NLpi404GHDQhvD/lDMCVQniwmmmptgGmgR8Iq i2VMUX0KVL/psfDwVDtlqM2UwDetze0Fj1S89iXLIQvG5WUKyO8KBMqOPVrwNvJ483v8 Q+n6I4O44krDPA6smlmNeMmIovuw8WqmMe+2mFnYF3Em2HIRU4OfVVX5rzSV2dCGjgar iIUQRS9kY7A2VFX2/qfdYGCblLjHof3FyLgUrid/aBbj47+CxJsvibDIdX8MxKmwLKC8 ps84EfL8PMmF2U7GZO0/dG+PI0VfeQ+xCEsMp3cMYnzepWgxABvOLlG+byvrcsRdYeVi SWYw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=CSq5639s; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id v4si11915078edl.506.2020.08.10.08.32.12; Mon, 10 Aug 2020 08:32:35 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=CSq5639s; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729004AbgHJP3p (ORCPT + 99 others); Mon, 10 Aug 2020 11:29:45 -0400 Received: from mail.kernel.org ([198.145.29.99]:36140 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728758AbgHJP3j (ORCPT ); Mon, 10 Aug 2020 11:29:39 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 033CB22D07; Mon, 10 Aug 2020 15:29:37 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1597073378; bh=KaxY1NvNPtD69tQs/t0IdTuYAOTR+KNMEfLbGZkbrm4=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=CSq5639sLdo59uqbNcR97Jfvvbqu46yZc5Wxif3U8wHs6GUxL8u5xDSD9ELbvfORm vPWKk4RjdBQlCPzGm+CX9sjQt+xeFUJRApC3iHjDWbsnvW5NRepxJm9nYkop7Kt66A ItQs/jW0a+fXAiqvZuaPHtFl58c/DNzUJp5CfpMo= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Amitoj Kaur Chawla , Johan Hovold , Pavel Machek Subject: [PATCH 4.19 17/48] leds: lm3533: fix use-after-free on unbind Date: Mon, 10 Aug 2020 17:21:39 +0200 Message-Id: <20200810151805.062885325@linuxfoundation.org> X-Mailer: git-send-email 2.28.0 In-Reply-To: <20200810151804.199494191@linuxfoundation.org> References: <20200810151804.199494191@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Johan Hovold commit d584221e683bbd173738603b83a315f27d27d043 upstream. Several MFD child drivers register their class devices directly under the parent device. This means you cannot blindly do devres conversions so that deregistration ends up being tied to the parent device, something which leads to use-after-free on driver unbind when the class device is released while still being registered. Fixes: 50154e29e5cc ("leds: lm3533: Use devm_led_classdev_register") Cc: stable # 4.6 Cc: Amitoj Kaur Chawla Signed-off-by: Johan Hovold Signed-off-by: Pavel Machek Signed-off-by: Greg Kroah-Hartman --- drivers/leds/leds-lm3533.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) --- a/drivers/leds/leds-lm3533.c +++ b/drivers/leds/leds-lm3533.c @@ -698,7 +698,7 @@ static int lm3533_led_probe(struct platf platform_set_drvdata(pdev, led); - ret = devm_led_classdev_register(pdev->dev.parent, &led->cdev); + ret = led_classdev_register(pdev->dev.parent, &led->cdev); if (ret) { dev_err(&pdev->dev, "failed to register LED %d\n", pdev->id); return ret; @@ -708,13 +708,18 @@ static int lm3533_led_probe(struct platf ret = lm3533_led_setup(led, pdata); if (ret) - return ret; + goto err_deregister; ret = lm3533_ctrlbank_enable(&led->cb); if (ret) - return ret; + goto err_deregister; return 0; + +err_deregister: + led_classdev_unregister(&led->cdev); + + return ret; } static int lm3533_led_remove(struct platform_device *pdev) @@ -724,6 +729,7 @@ static int lm3533_led_remove(struct plat dev_dbg(&pdev->dev, "%s\n", __func__); lm3533_ctrlbank_disable(&led->cb); + led_classdev_unregister(&led->cdev); return 0; }