On Wed, Feb 21, 2024 at 07:55:40AM +0100, Torsten Hilbrich wrote:
> Hello,
>
> updating our codebase to v6.8-rc4 which contains:
>
> eb988e46da2e Input: synaptics-rmi4 - fix use after free in rmi_unregister_function()
>
> I noticed that the previously noticed crash in the rmi4 was present again.
>
> Previously, we were using a fix from the grsecurity codebase which changed the function in the following way:
>
> void rmi_unregister_function(struct rmi_function *fn)
> {
> 	int i;
>
> 	rmi_dbg(RMI_DEBUG_CORE, &fn->dev, "Unregistering F%02X.\n",
> 		fn->fd.function_number);
>
> 	for (i = 0; i < fn->num_of_irqs; i++)
> 		irq_dispose_mapping(fn->irq[i]);
>
> 	device_del(&fn->dev);
> 	of_node_put(fn->dev.of_node);
> 	put_device(&fn->dev);
> }
>
> With this version of the fix the crash didn't happen. Please note that the crash happens in device_del, which is before the irq_dispose_mapping call in eb988e46da2e.
>
> Attached is a kernel log from the crash with a kernel based on v6.8-rc4.

Hi Torsten,

Thanks for the bug report. The truth is that I don't really understand how IRQ mappings work. It would be simple enough to apply the same fix that grsecurity does. The only question is how to assign authorship credit.

Dmitry, how do you want to handle this?

regards,
dan carpenter

diff --git a/drivers/input/rmi4/rmi_bus.c b/drivers/input/rmi4/rmi_bus.c index 1b45b1d3077d..02acc81b9d3e 100644 --- a/drivers/input/rmi4/rmi_bus.c +++ b/drivers/input/rmi4/rmi_bus.c @@ -275,12 +275,11 @@ void rmi_unregister_function(struct rmi_function *fn) rmi_dbg(RMI_DEBUG_CORE, &fn->dev, "Unregistering F%02X.\n", fn->fd.function_number); - device_del(&fn->dev); - of_node_put(fn->dev.of_node); - for (i = 0; i < fn->num_of_irqs; i++) irq_dispose_mapping(fn->irq[i]); + device_del(&fn->dev); + of_node_put(fn->dev.of_node); put_device(&fn->dev); }
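Review bot: the hunk moves device_del() and of_node_put() below the irq_dispose_mapping() loop, which is exactly the ordering in the grsecurity version quoted above and addresses the report that the crash occurs in device_del(), i.e. before the loop that eb988e46da2e left in place; since that commit only moved put_device() after the loop, the patch should carry a Fixes: eb988e46da2e tag, and the commit message should state that device_del() must run after the IRQ mappings are disposed (not only that the lines were reordered) so the dependency is documented and not reverted again. The authorship question raised in the reply still needs settling in the trailers before this is applied.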