From: Krzysztof Kozlowski
To: Jiri Kosina, linux-input@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: Dmitry Torokhov, sre@kernel.org, linux-pm@vger.kernel.org, "H.J. Lu", Krzysztof Kozlowski, stable@vger.kernel.org
Subject: [PATCH v3] HID: hid-input: Fix accessing freed memory during device disconnect
Date: Mon, 03 Aug 2015 14:57:30 +0900
Message-id: <1438581450-20728-1-git-send-email-k.kozlowski@samsung.com>

During unbinding the driver was dereferencing a pointer to memory already freed by power_supply_unregister(). Driver was freeing its internal description of battery through pointers stored in power_supply structure. However, because the core owns the power supply instance, after calling power_supply_unregister() this memory is freed and the driver cannot access these members.

Fix this by storing the pointer to internal description of battery in a local variable before calling power_supply_unregister(), so the pointer remains valid. Signed-off-by: Krzysztof Kozlowski Reported-by: H.J. Lu Fixes: 297d716f6260 ("power_supply: Change ownership from driver to core") Cc: Reviewed-by: Dmitry Torokhov --- Changes since v2: 1. Add missing 'const'. Changes since v1: 1. Re-work idea, use local variable instead of devm-like functions (pointed out by Dmitry Torokhov). 2. Adjusted subject and commit message. --- drivers/hid/hid-input.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/drivers/hid/hid-input.c b/drivers/hid/hid-input.c index 14aebe483219..53aeaf6252c7 100644 --- a/drivers/hid/hid-input.c +++ b/drivers/hid/hid-input.c @@ -462,12 +462,15 @@ out: static void hidinput_cleanup_battery(struct hid_device *dev) { + const struct power_supply_desc *psy_desc; + if (!dev->battery) return; + psy_desc = dev->battery->desc; power_supply_unregister(dev->battery); - kfree(dev->battery->desc->name); - kfree(dev->battery->desc); + kfree(psy_desc->name); + kfree(psy_desc); dev->battery = NULL; } #else /* !CONFIG_HID_BATTERY_STRENGTH */
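Review bot: The ordering in hidinput_cleanup_battery() is now load-bearing but nothing in the code says so: `psy_desc = dev->battery->desc;` has to run before `power_supply_unregister(dev->battery);` because, per the commit message, the core frees the power_supply instance in that call. A short comment above the assignment stating this would keep a later cleanup from folding the local back into `kfree(dev->battery->desc)` and reintroducing the use-after-free. A second, smaller point on the same hunk: dev->battery keeps pointing at the freed instance while both kfree() calls run and is only cleared by `dev->battery = NULL;` at the end. If nothing on the unregister path needs the field, saving dev->battery in a local as well and clearing the field before unregistering would mean it never holds a stale pointer.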