| Message ID | 20220105093052.258791-1-vilhelm.gray@gmail.com (mailing list archive) |
|---|---|
| State | Handled Elsewhere |
| Headers | show |
| Series | counter: 104-quad-8: Fix use-after-free by quad8_irq_handler | expand |
diff --git a/drivers/counter/104-quad-8.c b/drivers/counter/104-quad-8.c index 1fbb3923797c..a17e51d65aca 100644 --- a/drivers/counter/104-quad-8.c +++ b/drivers/counter/104-quad-8.c @@ -1188,8 +1188,8 @@ static int quad8_probe(struct device *dev, unsigned int id) /* Enable all counters and enable interrupt function */ outb(QUAD8_CHAN_OP_ENABLE_INTERRUPT_FUNC, base[id] + QUAD8_REG_CHAN_OP); - err = devm_request_irq(dev, irq[id], quad8_irq_handler, IRQF_SHARED, - counter->name, counter); + err = devm_request_irq(&counter->dev, irq[id], quad8_irq_handler, + IRQF_SHARED, counter->name, counter); if (err) return err;
On unbind an irq might be pending which results in quad8_irq_handler() calling counter_push_event() for a counter that is already unregistered. This patch fixes that situation by passing the struct counter_device dev to devm_request_irq() rather than the parent's so that the irq handler is cleaned before the counter is unregistered. Fixes: 7aa2ba0df651 ("counter: 104-quad-8: Add IRQ support for the ACCES 104-QUAD-8") Reported-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de> Cc: Syed Nayyar Waris <syednwaris@gmail.com> Signed-off-by: William Breathitt Gray <vilhelm.gray@gmail.com> --- drivers/counter/104-quad-8.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) base-commit: 8f2cade5da97713e77ca5be576438f194b8873d7