From patchwork Tue Jul 28 00:16:30 2015 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Krzysztof Kozlowski X-Patchwork-Id: 6878771 X-Patchwork-Delegate: jikos@jikos.cz Return-Path: X-Original-To: patchwork-linux-input@patchwork.kernel.org Delivered-To: patchwork-parsemail@patchwork2.web.kernel.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.136]) by patchwork2.web.kernel.org (Postfix) with ESMTP id 4EFD7C05AC for ; Tue, 28 Jul 2015 00:17:20 +0000 (UTC) Received: from mail.kernel.org (localhost [127.0.0.1]) by mail.kernel.org (Postfix) with ESMTP id 5BFED20709 for ; Tue, 28 Jul 2015 00:17:19 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 6E85D206EE for ; Tue, 28 Jul 2015 00:17:18 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754859AbbG1AQr (ORCPT ); Mon, 27 Jul 2015 20:16:47 -0400 Received: from mailout3.w1.samsung.com ([210.118.77.13]:18851 "EHLO mailout3.w1.samsung.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754638AbbG1AQq (ORCPT ); Mon, 27 Jul 2015 20:16:46 -0400 Received: from eucpsbgm2.samsung.com (unknown [203.254.199.245]) by mailout3.w1.samsung.com (Oracle Communications Messaging Server 7.0.5.31.0 64bit (built May 5 2014)) with ESMTP id <0NS600KFK8RV9N70@mailout3.w1.samsung.com>; Tue, 28 Jul 2015 01:16:43 +0100 (BST) X-AuditID: cbfec7f5-f794b6d000001495-b2-55b6c9ea598e Received: from eusync3.samsung.com ( [203.254.199.213]) by eucpsbgm2.samsung.com (EUCPMTA) with SMTP id 9F.18.05269.AE9C6B55; Tue, 28 Jul 2015 01:16:42 +0100 (BST) Received: from localhost.localdomain ([10.252.80.64]) by eusync3.samsung.com (Oracle Communications Messaging Server 7.0.5.31.0 64bit (built May 5 2014)) with ESMTPA id <0NS6007058ROXF70@eusync3.samsung.com>; Tue, 28 Jul 2015 01:16:42 +0100 (BST) From: Krzysztof Kozlowski To: Jiri Kosina , linux-input@vger.kernel.org, linux-kernel@vger.kernel.org Cc: sre@kernel.org, linux-pm@vger.kernel.org, "H.J. Lu" , Krzysztof Kozlowski , stable@vger.kernel.org Subject: [PATCH] HID: hid-input: Fix accessing freed memory during driver unbind Date: Tue, 28 Jul 2015 09:16:30 +0900 Message-id: <1438042590-17719-1-git-send-email-k.kozlowski@samsung.com> X-Mailer: git-send-email 1.9.1 X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFmpgluLIzCtJLcpLzFFi42I5/e/4Vd1XJ7eFGjxs1bXYvu4ws0XTtsWM Fq9fGFrc/PSN1eLyrjlsFp97jzBanN5dYrFg4yNGBw6PnbPusntsWtXJ5tG3ZRWjx/otV1k8 Pm+SC2CN4rJJSc3JLEst0rdL4Mr4cmASW8FsoYrd51+yNzCu4O9i5OSQEDCR2DJpLjuELSZx 4d56ti5GLg4hgaWMEisvb2aCcP4zSsy+sYMVpIpNwFhi8/IlbCC2iEC8RPvbTawgRcwC0xgl tly8CZYQFgiQ2Lb2CthYFgFVif4HX1hAbF4Bd4mZl96zQKyTkzh5bDLrBEbuBYwMqxhFU0uT C4qT0nON9IoTc4tL89L1kvNzNzFCwuXrDsalx6wOMQpwMCrx8L7YsC1UiDWxrLgy9xCjBAez kggvYwVQiDclsbIqtSg/vqg0J7X4EKM0B4uSOO/MXe9DhATSE0tSs1NTC1KLYLJMHJxSDYyn Zm9xan7n2ltq7Hv/3q3Nljsf1XfImzYfm7zMcWqdevCzqY03Hn5Sk+qxmxkgFSwZ+TI9b1qQ 3JEiN0UZnjv/wo8X+mQpRi7vuSYmeqrCtHNPaNeHfP6M+lXr0uebql5x9/we/up5vL3hhLSd Iv/u9L+6oFntP3/u+XSdJvvIQ5rbZRtr/imxFGckGmoxFxUnAgCVWnSMEwIAAA== Sender: linux-input-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-input@vger.kernel.org X-Spam-Status: No, score=-8.2 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_HI, RP_MATCHES_RCVD, UNPARSEABLE_RELAY autolearn=unavailable version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP During unbinding the driver was dereferencing a pointer to memory already freed by power_supply_unregister(). Driver was freeing its internal description of battery through pointers stored in power_supply structure. However, because the core owns the power supply instance, after calling power_supply_unregister() the driver cannot access these members. Fix this by using resource-managed allocations so internal data will be freed by pointers stored in resource-managed core. Signed-off-by: Krzysztof Kozlowski Reported-by: H.J. Lu Fixes: 297d716f6260 ("power_supply: Change ownership from driver to core") Cc: --- drivers/hid/hid-input.c | 13 ++++--------- 1 file changed, 4 insertions(+), 9 deletions(-) diff --git a/drivers/hid/hid-input.c b/drivers/hid/hid-input.c index 14aebe483219..5429a8497d51 100644 --- a/drivers/hid/hid-input.c +++ b/drivers/hid/hid-input.c @@ -408,15 +408,14 @@ static bool hidinput_setup_battery(struct hid_device *dev, unsigned report_type, if (dev->battery != NULL) goto out; /* already initialized? */ - psy_desc = kzalloc(sizeof(*psy_desc), GFP_KERNEL); + psy_desc = devm_kzalloc(&dev->dev, sizeof(*psy_desc), GFP_KERNEL); if (psy_desc == NULL) goto out; - psy_desc->name = kasprintf(GFP_KERNEL, "hid-%s-battery", dev->uniq); - if (psy_desc->name == NULL) { - kfree(psy_desc); + psy_desc->name = devm_kasprintf(&dev->dev, GFP_KERNEL, + "hid-%s-battery", dev->uniq); + if (psy_desc->name == NULL) goto out; - } psy_desc->type = POWER_SUPPLY_TYPE_BATTERY; psy_desc->properties = hidinput_battery_props; @@ -449,8 +448,6 @@ static bool hidinput_setup_battery(struct hid_device *dev, unsigned report_type, if (IS_ERR(dev->battery)) { hid_warn(dev, "can't register power supply: %ld\n", PTR_ERR(dev->battery)); - kfree(psy_desc->name); - kfree(psy_desc); dev->battery = NULL; } else { power_supply_powers(dev->battery, &dev->dev); @@ -466,8 +463,6 @@ static void hidinput_cleanup_battery(struct hid_device *dev) return; power_supply_unregister(dev->battery); - kfree(dev->battery->desc->name); - kfree(dev->battery->desc); dev->battery = NULL; } #else /* !CONFIG_HID_BATTERY_STRENGTH */