[PATCH 5.13 669/800] mfd: Remove software node conditionally and locate at right place
From: Greg Kroah-Hartman
Date: Mon Jul 12 2021 - 04:51:46 EST
From: Andy Shevchenko <andriy.shevchenko@xxxxxxxxxxxxxxx>
[ Upstream commit 5a23e8b0fd6010e25ae58362292235cc9213ca57 ]
Currently the software node is removed in error case and at ->remove()
stage unconditionally, that ruins the symmetry. Besides, in some cases,
when mfd_add_device() fails, the device_remove_software_node() call
may lead to NULL pointer dereference:
BUG: kernel NULL pointer dereference, address: 00000000
...
EIP: strlen+0x12/0x20
...
kernfs_name_hash+0x13/0x70
kernfs_find_ns+0x32/0xc0
kernfs_remove_by_name_ns+0x2a/0x90
sysfs_remove_link+0x16/0x30
software_node_notify.cold+0x34/0x6b
device_remove_software_node+0x5a/0x90
mfd_add_device.cold+0x30a/0x427
Fix all these by guarding device_remove_software_node() with a conditional
and locating it at the right place.
Fixes: 42e59982917a ("mfd: core: Add support for software nodes")
Signed-off-by: Andy Shevchenko <andriy.shevchenko@xxxxxxxxxxxxxxx>
Signed-off-by: Lee Jones <lee.jones@xxxxxxxxxx>
Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
---
drivers/mfd/mfd-core.c | 15 +++++++++------
1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/drivers/mfd/mfd-core.c b/drivers/mfd/mfd-core.c
index 6f02b8022c6d..79f5c6a18815 100644
--- a/drivers/mfd/mfd-core.c
+++ b/drivers/mfd/mfd-core.c
@@ -266,18 +266,18 @@ static int mfd_add_device(struct device *parent, int id,
if (has_acpi_companion(&pdev->dev)) {
ret = acpi_check_resource_conflict(&res[r]);
if (ret)
- goto fail_of_entry;
+ goto fail_res_conflict;
}
}
}
ret = platform_device_add_resources(pdev, res, cell->num_resources);
if (ret)
- goto fail_of_entry;
+ goto fail_res_conflict;
ret = platform_device_add(pdev);
if (ret)
- goto fail_of_entry;
+ goto fail_res_conflict;
if (cell->pm_runtime_no_callbacks)
pm_runtime_no_callbacks(&pdev->dev);
@@ -286,13 +286,15 @@ static int mfd_add_device(struct device *parent, int id,
return 0;
+fail_res_conflict:
+ if (cell->swnode)
+ device_remove_software_node(&pdev->dev);
fail_of_entry:
list_for_each_entry_safe(of_entry, tmp, &mfd_of_node_list, list)
if (of_entry->dev == &pdev->dev) {
list_del(&of_entry->list);
kfree(of_entry);
}
- device_remove_software_node(&pdev->dev);
fail_alias:
regulator_bulk_unregister_supply_alias(&pdev->dev,
cell->parent_supplies,
@@ -358,11 +360,12 @@ static int mfd_remove_devices_fn(struct device *dev, void *data)
if (level && cell->level > *level)
return 0;
+ if (cell->swnode)
+ device_remove_software_node(&pdev->dev);
+
regulator_bulk_unregister_supply_alias(dev, cell->parent_supplies,
cell->num_parent_supplies);
- device_remove_software_node(&pdev->dev);
-
platform_device_unregister(pdev);
return 0;
}
--
2.30.2