Commit 663d8fb0 authored Jan 05, 2022 by William Breathitt Gray Committed by Greg Kroah-Hartman Jan 06, 2022

counter: 104-quad-8: Fix use-after-free by quad8_irq_handler

On unbind an irq might be pending which results in quad8_irq_handler()
calling counter_push_event() for a counter that is already unregistered.
This patch fixes that situation by passing the struct counter_device dev
to devm_request_irq() rather than the parent's so that the irq handler
is cleaned before the counter is unregistered.

Fixes: 7aa2ba0d ("counter: 104-quad-8: Add IRQ support for the ACCES 104-QUAD-8")
Cc: Syed Nayyar Waris <syednwaris@gmail.com>
Reported-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Signed-off-by: William Breathitt Gray <vilhelm.gray@gmail.com>
Link: https://lore.kernel.org/r/20220105093052.258791-1-vilhelm.gray@gmail.com

Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

parent 8f2cade5

drivers/counter/104-quad-8.c

+2 −2

Original line number	Diff line number	Diff line
		@@ -1188,8 +1188,8 @@ static int quad8_probe(struct device *dev, unsigned int id)
		/* Enable all counters and enable interrupt function */
		outb(QUAD8_CHAN_OP_ENABLE_INTERRUPT_FUNC, base[id] + QUAD8_REG_CHAN_OP);

		err = devm_request_irq(dev, irq[id], quad8_irq_handler, IRQF_SHARED,
		counter->name, counter);
		err = devm_request_irq(&counter->dev, irq[id], quad8_irq_handler,
		IRQF_SHARED, counter->name, counter);
		if (err)
		return err;