Re: [PATCH 09/11] power: supply: pm8916_lbc: Fix use-after-free in power_supply_changed()

[Waqar Hameed <waqar.hameed@axis.com>]

On Wed, Jan 07, 2026 at 15:32 +0100 Waqar Hameed <waqar.hameed@axis.com> wrote:

> On Sun, Dec 21, 2025 at 10:45 +0500 Nikita Travkin <nikita@trvn.ru> wrote:

[...]

>> As a small note, the interrupt handler also has a call to
>> extcon_set_state_sync(chg->edev,...) which is allocated right below.
>> I don't think this is actually a problem since it has a null check for
>> edev (unlike psy core) so I think this patch is fine as-is. However if
>> for some reason you'd have to respin this series, perhaps it would be
>> nice to move irq registration slightly lower, after extcon registration.
>
> Hm, it _is_ actually a problem. During `probe()`, it's fine, due to the
> NULL check in `extcon_set_state()` (and the interrupt handler doesn't
> check the return value anyway), as you mention. However, during removal,
> we have the exact same situation as for `power_supply_changed()` as
> explained in the commit message; `devm_extcon_dev_release()` runs and
> frees `struct extcon_dev *edev`, the interrupt handler would now call
>
>   `extcon_set_state_sync(chg->edev, ...)` ->
>   `extcon_set_state(edev, ...)` ->
>   `find_cable_index_by_id(edev, ...)`
>   
> with an invalid `edev` triggering a crash/corruption in
> `find_cable_index_by_id()` (before we get the chance to release the IRQ
> handler)!
>
> Good catch! Let's move the registration a further bit down to fix this.
> I will send v2 as soon as the other patches in the series also get
> feedback.

Since Sebastian says that he applied the whole series as is, I'll just
send a new separate patch for that now instead. I couldn't find anything
in his tree [1] yet so let's chill a bit until things get pushed.

[1] git.kernel.org/pub/scm/linux/kernel/git/sre/linux-power-supply.git