* [PATCH 1/6] leds: 88pm860x: fix use-after-free on unbind
[not found] <20200601133950.12420-1-johan@kernel.org>
@ 2020-06-01 13:39 ` Johan Hovold
2020-06-01 13:39 ` [PATCH 2/6] leds: da903x: " Johan Hovold
` (3 subsequent siblings)
4 siblings, 0 replies; 5+ messages in thread
From: Johan Hovold @ 2020-06-01 13:39 UTC (permalink / raw)
To: Jacek Anaszewski, Pavel Machek
Cc: Dan Murphy, Amitoj Kaur Chawla, linux-leds, linux-kernel,
Johan Hovold, stable
Several MFD child drivers register their class devices directly under
the parent device. This means you cannot blindly do devres conversions
so that deregistration ends up being tied to the parent device,
something which leads to use-after-free on driver unbind when the class
device is released while still being registered.
Fixes: 375446df95ee ("leds: 88pm860x: Use devm_led_classdev_register")
Cc: stable <stable@vger.kernel.org> # 4.6
Cc: Amitoj Kaur Chawla <amitoj1606@gmail.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
---
drivers/leds/leds-88pm860x.c | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/drivers/leds/leds-88pm860x.c b/drivers/leds/leds-88pm860x.c
index b3044c9a8120..465c3755cf2e 100644
--- a/drivers/leds/leds-88pm860x.c
+++ b/drivers/leds/leds-88pm860x.c
@@ -203,21 +203,33 @@ static int pm860x_led_probe(struct platform_device *pdev)
data->cdev.brightness_set_blocking = pm860x_led_set;
mutex_init(&data->lock);
- ret = devm_led_classdev_register(chip->dev, &data->cdev);
+ ret = led_classdev_register(chip->dev, &data->cdev);
if (ret < 0) {
dev_err(&pdev->dev, "Failed to register LED: %d\n", ret);
return ret;
}
pm860x_led_set(&data->cdev, 0);
+
+ platform_set_drvdata(pdev, data);
+
return 0;
}
+static int pm860x_led_remove(struct platform_device *pdev)
+{
+ struct pm860x_led *data = platform_get_drvdata(pdev);
+
+ led_classdev_unregister(&data->cdev);
+
+ return 0;
+}
static struct platform_driver pm860x_led_driver = {
.driver = {
.name = "88pm860x-led",
},
.probe = pm860x_led_probe,
+ .remove = pm860x_led_remove,
};
module_platform_driver(pm860x_led_driver);
--
2.26.2
^ permalink raw reply related [flat|nested] 5+ messages in thread* [PATCH 2/6] leds: da903x: fix use-after-free on unbind
[not found] <20200601133950.12420-1-johan@kernel.org>
2020-06-01 13:39 ` [PATCH 1/6] leds: 88pm860x: fix use-after-free on unbind Johan Hovold
@ 2020-06-01 13:39 ` Johan Hovold
2020-06-01 13:39 ` [PATCH 3/6] leds: lm3533: " Johan Hovold
` (2 subsequent siblings)
4 siblings, 0 replies; 5+ messages in thread
From: Johan Hovold @ 2020-06-01 13:39 UTC (permalink / raw)
To: Jacek Anaszewski, Pavel Machek
Cc: Dan Murphy, Amitoj Kaur Chawla, linux-leds, linux-kernel,
Johan Hovold, stable
Several MFD child drivers register their class devices directly under
the parent device. This means you cannot blindly do devres conversions
so that deregistration ends up being tied to the parent device,
something which leads to use-after-free on driver unbind when the class
device is released while still being registered.
Fixes: eed16255d66b ("leds: da903x: Use devm_led_classdev_register")
Cc: stable <stable@vger.kernel.org> # 4.6
Cc: Amitoj Kaur Chawla <amitoj1606@gmail.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
---
drivers/leds/leds-da903x.c | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/drivers/leds/leds-da903x.c b/drivers/leds/leds-da903x.c
index ed1b303f699f..2b5fb00438a2 100644
--- a/drivers/leds/leds-da903x.c
+++ b/drivers/leds/leds-da903x.c
@@ -110,12 +110,23 @@ static int da903x_led_probe(struct platform_device *pdev)
led->flags = pdata->flags;
led->master = pdev->dev.parent;
- ret = devm_led_classdev_register(led->master, &led->cdev);
+ ret = led_classdev_register(led->master, &led->cdev);
if (ret) {
dev_err(&pdev->dev, "failed to register LED %d\n", id);
return ret;
}
+ platform_set_drvdata(pdev, led);
+
+ return 0;
+}
+
+static int da903x_led_remove(struct platform_device *pdev)
+{
+ struct da903x_led *led = platform_get_drvdata(pdev);
+
+ led_classdev_unregister(&led->cdev);
+
return 0;
}
@@ -124,6 +135,7 @@ static struct platform_driver da903x_led_driver = {
.name = "da903x-led",
},
.probe = da903x_led_probe,
+ .remove = da903x_led_remove,
};
module_platform_driver(da903x_led_driver);
--
2.26.2
^ permalink raw reply related [flat|nested] 5+ messages in thread* [PATCH 3/6] leds: lm3533: fix use-after-free on unbind
[not found] <20200601133950.12420-1-johan@kernel.org>
2020-06-01 13:39 ` [PATCH 1/6] leds: 88pm860x: fix use-after-free on unbind Johan Hovold
2020-06-01 13:39 ` [PATCH 2/6] leds: da903x: " Johan Hovold
@ 2020-06-01 13:39 ` Johan Hovold
2020-06-01 13:39 ` [PATCH 4/6] leds: lm36274: " Johan Hovold
2020-06-01 13:39 ` [PATCH 5/6] leds: wm831x-status: " Johan Hovold
4 siblings, 0 replies; 5+ messages in thread
From: Johan Hovold @ 2020-06-01 13:39 UTC (permalink / raw)
To: Jacek Anaszewski, Pavel Machek
Cc: Dan Murphy, Amitoj Kaur Chawla, linux-leds, linux-kernel,
Johan Hovold, stable
Several MFD child drivers register their class devices directly under
the parent device. This means you cannot blindly do devres conversions
so that deregistration ends up being tied to the parent device,
something which leads to use-after-free on driver unbind when the class
device is released while still being registered.
Fixes: 50154e29e5cc ("leds: lm3533: Use devm_led_classdev_register")
Cc: stable <stable@vger.kernel.org> # 4.6
Cc: Amitoj Kaur Chawla <amitoj1606@gmail.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
---
drivers/leds/leds-lm3533.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/drivers/leds/leds-lm3533.c b/drivers/leds/leds-lm3533.c
index 9504ad405aef..b3edee703193 100644
--- a/drivers/leds/leds-lm3533.c
+++ b/drivers/leds/leds-lm3533.c
@@ -694,7 +694,7 @@ static int lm3533_led_probe(struct platform_device *pdev)
platform_set_drvdata(pdev, led);
- ret = devm_led_classdev_register(pdev->dev.parent, &led->cdev);
+ ret = led_classdev_register(pdev->dev.parent, &led->cdev);
if (ret) {
dev_err(&pdev->dev, "failed to register LED %d\n", pdev->id);
return ret;
@@ -704,13 +704,18 @@ static int lm3533_led_probe(struct platform_device *pdev)
ret = lm3533_led_setup(led, pdata);
if (ret)
- return ret;
+ goto err_deregister;
ret = lm3533_ctrlbank_enable(&led->cb);
if (ret)
- return ret;
+ goto err_deregister;
return 0;
+
+err_deregister:
+ led_classdev_unregister(&led->cdev);
+
+ return ret;
}
static int lm3533_led_remove(struct platform_device *pdev)
@@ -720,6 +725,7 @@ static int lm3533_led_remove(struct platform_device *pdev)
dev_dbg(&pdev->dev, "%s\n", __func__);
lm3533_ctrlbank_disable(&led->cb);
+ led_classdev_unregister(&led->cdev);
return 0;
}
--
2.26.2
^ permalink raw reply related [flat|nested] 5+ messages in thread* [PATCH 4/6] leds: lm36274: fix use-after-free on unbind
[not found] <20200601133950.12420-1-johan@kernel.org>
` (2 preceding siblings ...)
2020-06-01 13:39 ` [PATCH 3/6] leds: lm3533: " Johan Hovold
@ 2020-06-01 13:39 ` Johan Hovold
2020-06-01 13:39 ` [PATCH 5/6] leds: wm831x-status: " Johan Hovold
4 siblings, 0 replies; 5+ messages in thread
From: Johan Hovold @ 2020-06-01 13:39 UTC (permalink / raw)
To: Jacek Anaszewski, Pavel Machek
Cc: Dan Murphy, Amitoj Kaur Chawla, linux-leds, linux-kernel,
Johan Hovold, stable
Several MFD child drivers register their class devices directly under
the parent device. This means you cannot use devres so that
deregistration ends up being tied to the parent device, something which
leads to use-after-free on driver unbind when the class device is
released while still being registered.
Fixes: 11e1bbc116a7 ("leds: lm36274: Introduce the TI LM36274 LED driver")
Cc: stable <stable@vger.kernel.org> # 5.3
Cc: Dan Murphy <dmurphy@ti.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
---
drivers/leds/leds-lm36274.c | 15 ++++++++++++---
1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/drivers/leds/leds-lm36274.c b/drivers/leds/leds-lm36274.c
index 836b60c9a2b8..db842eeb7ca2 100644
--- a/drivers/leds/leds-lm36274.c
+++ b/drivers/leds/leds-lm36274.c
@@ -133,7 +133,7 @@ static int lm36274_probe(struct platform_device *pdev)
lm36274_data->pdev = pdev;
lm36274_data->dev = lmu->dev;
lm36274_data->regmap = lmu->regmap;
- dev_set_drvdata(&pdev->dev, lm36274_data);
+ platform_set_drvdata(pdev, lm36274_data);
ret = lm36274_parse_dt(lm36274_data);
if (ret) {
@@ -147,8 +147,16 @@ static int lm36274_probe(struct platform_device *pdev)
return ret;
}
- return devm_led_classdev_register(lm36274_data->dev,
- &lm36274_data->led_dev);
+ return led_classdev_register(lm36274_data->dev, &lm36274_data->led_dev);
+}
+
+static int lm36274_remove(struct platform_device *pdev)
+{
+ struct lm36274 *lm36274_data = platform_get_drvdata(pdev);
+
+ led_classdev_unregister(&lm36274_data->led_dev);
+
+ return 0;
}
static const struct of_device_id of_lm36274_leds_match[] = {
@@ -159,6 +167,7 @@ MODULE_DEVICE_TABLE(of, of_lm36274_leds_match);
static struct platform_driver lm36274_driver = {
.probe = lm36274_probe,
+ .remove = lm36274_remove,
.driver = {
.name = "lm36274-leds",
},
--
2.26.2
^ permalink raw reply related [flat|nested] 5+ messages in thread* [PATCH 5/6] leds: wm831x-status: fix use-after-free on unbind
[not found] <20200601133950.12420-1-johan@kernel.org>
` (3 preceding siblings ...)
2020-06-01 13:39 ` [PATCH 4/6] leds: lm36274: " Johan Hovold
@ 2020-06-01 13:39 ` Johan Hovold
4 siblings, 0 replies; 5+ messages in thread
From: Johan Hovold @ 2020-06-01 13:39 UTC (permalink / raw)
To: Jacek Anaszewski, Pavel Machek
Cc: Dan Murphy, Amitoj Kaur Chawla, linux-leds, linux-kernel,
Johan Hovold, stable
Several MFD child drivers register their class devices directly under
the parent device. This means you cannot blindly do devres conversions
so that deregistration ends up being tied to the parent device,
something which leads to use-after-free on driver unbind when the class
device is released while still being registered.
Fixes: 8d3b6a4001ce ("leds: wm831x-status: Use devm_led_classdev_register")
Cc: stable <stable@vger.kernel.org> # 4.6
Cc: Amitoj Kaur Chawla <amitoj1606@gmail.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
---
drivers/leds/leds-wm831x-status.c | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/drivers/leds/leds-wm831x-status.c b/drivers/leds/leds-wm831x-status.c
index 082df7f1dd90..67f4235cb28a 100644
--- a/drivers/leds/leds-wm831x-status.c
+++ b/drivers/leds/leds-wm831x-status.c
@@ -269,12 +269,23 @@ static int wm831x_status_probe(struct platform_device *pdev)
drvdata->cdev.blink_set = wm831x_status_blink_set;
drvdata->cdev.groups = wm831x_status_groups;
- ret = devm_led_classdev_register(wm831x->dev, &drvdata->cdev);
+ ret = led_classdev_register(wm831x->dev, &drvdata->cdev);
if (ret < 0) {
dev_err(&pdev->dev, "Failed to register LED: %d\n", ret);
return ret;
}
+ platform_set_drvdata(pdev, drvdata);
+
+ return 0;
+}
+
+static int wm831x_status_remove(struct platform_device *pdev)
+{
+ struct wm831x_status *drvdata = platform_get_drvdata(pdev);
+
+ led_classdev_unregister(&drvdata->cdev);
+
return 0;
}
@@ -283,6 +294,7 @@ static struct platform_driver wm831x_status_driver = {
.name = "wm831x-status",
},
.probe = wm831x_status_probe,
+ .remove = wm831x_status_remove,
};
module_platform_driver(wm831x_status_driver);
--
2.26.2
^ permalink raw reply related [flat|nested] 5+ messages in thread