Commit dca39a7c authored Aug 19, 2024 by Hans de Goede Committed by Luo Gengkun Aug 19, 2024

leds: trigger: Unregister sysfs attributes before calling deactivate()

mainline inclusion
from mainline-v6.11-rc1
commit c0dc9adf9474ecb7106e60e5472577375aedaed3
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAKQ89
CVE: CVE-2024-43830

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c0dc9adf9474ecb7106e60e5472577375aedaed3



--------------------------------

Triggers which have trigger specific sysfs attributes typically store
related data in trigger-data allocated by the activate() callback and
freed by the deactivate() callback.

Calling device_remove_groups() after calling deactivate() leaves a window
where the sysfs attributes show/store functions could be called after
deactivation and then operate on the just freed trigger-data.

Move the device_remove_groups() call to before deactivate() to close
this race window.

This also makes the deactivation path properly do things in reverse order
of the activation path which calls the activate() callback before calling
device_add_groups().

Fixes: a7e7a315 ("leds: triggers: add device attribute support")
Cc: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Acked-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Link: https://lore.kernel.org/r/20240504162533.76780-1-hdegoede@redhat.com


Signed-off-by: Lee Jones <lee@kernel.org>

Conflicts:
	drivers/leds/led-triggers.c
[Fix context conflict]
Signed-off-by: Luo Gengkun <luogengkun2@huawei.com>

parent 10361bdc

drivers/leds/led-triggers.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -177,9 +177,9 @@ int led_trigger_set(struct led_classdev led_cdev, struct led_trigger trig)
		flags);
		cancel_work_sync(&led_cdev->set_brightness_work);
		led_stop_software_blink(led_cdev);
		device_remove_groups(led_cdev->dev, led_cdev->trigger->groups);
		if (led_cdev->trigger->deactivate)
		led_cdev->trigger->deactivate(led_cdev);
		device_remove_groups(led_cdev->dev, led_cdev->trigger->groups);
		led_cdev->trigger = NULL;
		led_cdev->trigger_data = NULL;
		led_cdev->activated = false;