Re: [PATCH] mfd: cros_ec: Delay dev_set_drvdata() until probe success

[Benson Leung <bleung@google.com>]

[-- Attachment #1: Type: text/plain, Size: 2666 bytes --]

Hi Andrei,

On Mon, Apr 27, 2026 at 01:17:21PM +0000, Andrei Kuchynski wrote:
> If ec_device_probe() fails, cros_ec_class_release releases memory for the
> cros_ec_dev structure. However, because the drvdata was already set,
> sub-drivers like cros_ec_typec can still retrieve the stale pointer via the
> platform device. This leads to a use-after-free when cros_ec_typec attempts
> to access &typec->ec->ec->dev on a device that has already been released.
> Move dev_set_drvdata() to ensure that the pointer is only made available
> once all initialization steps have succeeded.
> 
>  sysfs: cannot create duplicate filename '/class/chromeos/cros_ec'
>  Call trace:
>   sysfs_do_create_link_sd+0x94/0xdc
>   sysfs_create_link+0x30/0x44
>   device_add_class_symlinks+0x90/0x13c
>   device_add+0xf0/0x50c
>   ec_device_probe+0x150/0x4f0
>   platform_probe+0xa0/0xe0
>  ...
>  BUG: KASAN: invalid-access in __memcpy+0x44/0x230
>  Write at addr f5ffff809e2d33ac by task kworker/u32:5/125
>  Pointer tag: [f5], memory tag: [fe]
>  Tainted : [W]=WARN, [O]=OOT_MODULE
>  Hardware name: Google Navi unprovisioned 0x7FFFFFFF/sku0 board/sku3
>  Workqueue: events_unbound deferred_probe_work_func
>  Call trace:
>   __memcpy+0x44/0x230
>   cros_ec_check_features+0x60/0xcc [cros_ec_proto]
>   cros_typec_probe+0xe8/0x6e0 [cros_ec_typec]
>   platform_probe+0xa0/0xe0
> 
> Cc: stable@vger.kernel.org
> Fixes: 1c1d152cc5ac ("platform/chrome: cros_ec_dev - utilize new cdev_device_add helper function")
> Co-developed-by: Sergey Senozhatsky <senozhatsky@chromium.org>
> Signed-off-by: Sergey Senozhatsky <senozhatsky@chromium.org>
> Signed-off-by: Andrei Kuchynski <akuchynski@chromium.org>

Reviewed-by: Benson Leung <bleung@chromium.org>


> ---
>  drivers/mfd/cros_ec_dev.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/mfd/cros_ec_dev.c b/drivers/mfd/cros_ec_dev.c
> index 39430dd44e30c..56fb7cceafc6c 100644
> --- a/drivers/mfd/cros_ec_dev.c
> +++ b/drivers/mfd/cros_ec_dev.c
> @@ -195,7 +195,6 @@ static int ec_device_probe(struct platform_device *pdev)
>  	if (!ec)
>  		return retval;
>  
> -	dev_set_drvdata(dev, ec);
>  	ec->ec_dev = dev_get_drvdata(dev->parent);
>  	ec->dev = dev;
>  	ec->cmd_offset = ec_platform->cmd_offset;
> @@ -237,6 +236,8 @@ static int ec_device_probe(struct platform_device *pdev)
>  	if (retval)
>  		goto failed;
>  
> +	dev_set_drvdata(dev, ec);
> +
>  	/* check whether this EC is a sensor hub. */
>  	if (cros_ec_get_sensor_count(ec) > 0) {
>  		retval = mfd_add_hotplug_devices(ec->dev,
> -- 
> 2.54.0.rc2.544.gc7ae2d5bb8-goog
> 

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 228 bytes --]