From: Yuho Choi <dbgh9129@gmail.com>
To: Lee Jones <lee@kernel.org>,
	Matthias Brugger <matthias.bgg@gmail.com>,
	AngeloGioacchino Del Regno
	<angelogioacchino.delregno@collabora.com>
Cc: linux-kernel@vger.kernel.org,
	linux-arm-kernel@lists.infradead.org,
	linux-mediatek@lists.infradead.org,
	Yuho Choi <dbgh9129@gmail.com>
Subject: [PATCH v1] mfd: mt6397-irq: Fix PM notifier use-after-free
Date: Sun,  7 Jun 2026 22:10:48 -0400
Message-ID: <20260608021048.2577577-1-dbgh9129@gmail.com>

mt6397_irq_init() registers chip->pm_nb with the global PM notifier
chain. The notifier callback uses container_of() to recover struct
mt6397_chip and then dereferences chip fields.

The chip structure is allocated with devm_kzalloc() in mt6397_probe().
If probe fails after mt6397_irq_init() succeeds, for example when
devm_mfd_add_devices() fails, devres can release the chip while the PM
notifier remains registered. The same lifetime mismatch exists when the
driver is unbound.

Check the register_pm_notifier() return value and add a devm cleanup
action to unregister the notifier before the devm-managed chip is freed.
If adding the cleanup action fails, devm_add_action_or_reset()
unregisters the notifier immediately; then remove the IRQ domain in the
remaining error path.

Fixes: 4e2e7cfec13a ("mfd: mt6397: Modify suspend/resume behavior")
Signed-off-by: Yuho Choi <dbgh9129@gmail.com>
---
 drivers/mfd/mt6397-irq.c | 22 ++++++++++++++++++++--
 1 file changed, 20 insertions(+), 2 deletions(-)

diff --git a/drivers/mfd/mt6397-irq.c b/drivers/mfd/mt6397-irq.c
index 5d2e5459f744..8947f7e732fa 100644
--- a/drivers/mfd/mt6397-irq.c
+++ b/drivers/mfd/mt6397-irq.c
@@ -169,6 +169,13 @@ static int mt6397_irq_pm_notifier(struct notifier_block *notifier,
 	return NOTIFY_DONE;
 }
 
+static void mt6397_irq_pm_notifier_unregister(void *data)
+{
+	struct mt6397_chip *chip = data;
+
+	unregister_pm_notifier(&chip->pm_nb);
+}
+
 int mt6397_irq_init(struct mt6397_chip *chip)
 {
 	int ret;
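Review bot: mt6397_irq_pm_notifier_unregister() carries no comment stating the ordering it depends on. The fix only holds because devres runs actions in reverse order of registration, so this callback, added in mt6397_irq_init(), executes before the chip that the commit message says mt6397_probe() allocated with devm_kzalloc() is released. A short comment above the function saying that it must be registered after the chip allocation and must run before chip is freed would keep a later reshuffle of the probe sequence from quietly reintroducing the use-after-free.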
@@ -233,6 +240,17 @@ int mt6397_irq_init(struct mt6397_chip *chip)
 		return ret;
 	}
 
-	register_pm_notifier(&chip->pm_nb);
-	return 0;
+	ret = register_pm_notifier(&chip->pm_nb);
+	if (ret) {
+		dev_err(chip->dev, "failed to register PM notifier: %d\n", ret);
+		irq_domain_remove(chip->irq_domain);
+		return ret;
+	}
+
+	ret = devm_add_action_or_reset(chip->dev,
+				       mt6397_irq_pm_notifier_unregister, chip);
+	if (ret)
+		irq_domain_remove(chip->irq_domain);
+
+	return ret;
 }
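Review bot: irq_domain_remove(chip->irq_domain) is open-coded in both new failure branches at the tail of mt6397_irq_init(), while the devm action registered here only calls unregister_pm_notifier(). As far as these lines show, the domain is therefore torn down on these two paths only, and nothing removes it when a later probe step fails or the driver is unbound, which are the two cases the commit message is about. Consider removing the domain from a devm action as well (either the same callback or one registered where the domain is created), which would let the tail collapse to a plain "return devm_add_action_or_reset(...)". If the manual cleanup stays, a single error label would avoid the duplication, and the devm_add_action_or_reset() failure branch should log with dev_err() the way the register_pm_notifier() branch does.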
-- 
2.43.0


