[PATCH 4/6] leds: lm36274: fix use-after-free on unbind
From: Johan Hovold
Date: Mon Jun 01 2020 - 09:40:37 EST
Several MFD child drivers register their class devices directly under
the parent device. This means you cannot use devres so that
deregistration ends up being tied to the parent device, something which
leads to use-after-free on driver unbind when the class device is
released while still being registered.
Fixes: 11e1bbc116a7 ("leds: lm36274: Introduce the TI LM36274 LED driver")
Cc: stable <stable@xxxxxxxxxxxxxxx> # 5.3
Cc: Dan Murphy <dmurphy@xxxxxx>
Signed-off-by: Johan Hovold <johan@xxxxxxxxxx>
---
drivers/leds/leds-lm36274.c | 15 ++++++++++++---
1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/drivers/leds/leds-lm36274.c b/drivers/leds/leds-lm36274.c
index 836b60c9a2b8..db842eeb7ca2 100644
--- a/drivers/leds/leds-lm36274.c
+++ b/drivers/leds/leds-lm36274.c
@@ -133,7 +133,7 @@ static int lm36274_probe(struct platform_device *pdev)
lm36274_data->pdev = pdev;
lm36274_data->dev = lmu->dev;
lm36274_data->regmap = lmu->regmap;
- dev_set_drvdata(&pdev->dev, lm36274_data);
+ platform_set_drvdata(pdev, lm36274_data);
ret = lm36274_parse_dt(lm36274_data);
if (ret) {
@@ -147,8 +147,16 @@ static int lm36274_probe(struct platform_device *pdev)
return ret;
}
- return devm_led_classdev_register(lm36274_data->dev,
- &lm36274_data->led_dev);
+ return led_classdev_register(lm36274_data->dev, &lm36274_data->led_dev);
+}
+
+static int lm36274_remove(struct platform_device *pdev)
+{
+ struct lm36274 *lm36274_data = platform_get_drvdata(pdev);
+
+ led_classdev_unregister(&lm36274_data->led_dev);
+
+ return 0;
}
static const struct of_device_id of_lm36274_leds_match[] = {
@@ -159,6 +167,7 @@ MODULE_DEVICE_TABLE(of, of_lm36274_leds_match);
static struct platform_driver lm36274_driver = {
.probe = lm36274_probe,
+ .remove = lm36274_remove,
.driver = {
.name = "lm36274-leds",
},
--
2.26.2