From patchwork Mon Aug 3 00:01:21 2015
X-Patchwork-Submitter: Krzysztof Kozlowski
X-Patchwork-Id: 6926341
X-Patchwork-Delegate: jikos@jikos.cz
From: Krzysztof Kozlowski
To: Jiri Kosina, linux-input@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: Dmitry Torokhov, sre@kernel.org, linux-pm@vger.kernel.org, "H.J. Lu", Krzysztof Kozlowski, stable@vger.kernel.org
Subject: [PATCH v2] HID: hid-input: Fix accessing freed memory during device disconnect
Date: Mon, 03 Aug 2015 09:01:21 +0900
Message-id: <1438560081-23055-1-git-send-email-k.kozlowski@samsung.com>

During unbinding the driver was dereferencing a pointer to memory already freed by power_supply_unregister(). Driver was freeing its internal description of battery through pointers stored in power_supply structure. However, because the core owns the power supply instance, after calling power_supply_unregister() this memory is freed and the driver cannot access these members.
Fix this by storing the pointer to internal description of battery in a local variable before calling power_supply_unregister(), so the pointer remains valid. Signed-off-by: Krzysztof Kozlowski Reported-by: H.J. Lu Fixes: 297d716f6260 ("power_supply: Change ownership from driver to core") Cc: --- Changes since v1: 1. Re-work idea, use local variable instead of devm-like functions (pointed out by Dmitry Torokhov). 2. Adjusted subject and commit message. --- drivers/hid/hid-input.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/drivers/hid/hid-input.c b/drivers/hid/hid-input.c index 14aebe483219..460faaebaa2c 100644 --- a/drivers/hid/hid-input.c +++ b/drivers/hid/hid-input.c @@ -462,12 +462,15 @@ out: static void hidinput_cleanup_battery(struct hid_device *dev) { + struct power_supply_desc *psy_desc; + if (!dev->battery) return; + psy_desc = dev->battery->desc; power_supply_unregister(dev->battery); - kfree(dev->battery->desc->name); - kfree(dev->battery->desc); + kfree(psy_desc->name); + kfree(psy_desc); dev->battery = NULL; } #else /* !CONFIG_HID_BATTERY_STRENGTH */
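Review bot: `dev->battery = NULL;` is still the last statement of hidinput_cleanup_battery(), so from the return of power_supply_unregister() until that line `dev->battery` holds a pointer to memory the core has already freed, which is the same class of problem this patch fixes for `desc`. Consider clearing it immediately after the unregister call, or state in the commit message why nothing else can read `dev->battery` during disconnect. A one-line comment above `psy_desc = dev->battery->desc;` saying that power_supply_unregister() frees the power_supply would also keep a later cleanup from folding the local back into `dev->battery->desc`.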