On 21.02.24 08:15, Dan Carpenter wrote:
> On Wed, Feb 21, 2024 at 07:55:40AM +0100, Torsten Hilbrich wrote:
>> Hello,
>>
>> updating our codebase to v6.8-rc4 which contains:
>>
>> eb988e46da2e Input: synaptics-rmi4 - fix use after free in rmi_unregister_function()
>>
>> I noticed that the previously noticed crash in the rmi4 was present again.
>>
>> Previously, we were using a fix from the grsecurity codebase which changed the function in the following way:
>>
>> void rmi_unregister_function(struct rmi_function *fn)
>> {
>>         int i;
>>
>>         rmi_dbg(RMI_DEBUG_CORE, &fn->dev, "Unregistering F%02X.\n",
>>                 fn->fd.function_number);
>>
>>         for (i = 0; i < fn->num_of_irqs; i++)
>>                 irq_dispose_mapping(fn->irq[i]);
>>
>>         device_del(&fn->dev);
>>         of_node_put(fn->dev.of_node);
>>         put_device(&fn->dev);
>> }
>>
>> With this version of the fix the crash didn't happen. Please note that the crash happens in device_del, which is before the irq_dispose_mapping call in eb988e46da2e.
>>
>> Attached is a kernel log from the crash with a kernel based on v6.8-rc4.
>
> Hi Torsten,
>
> Thanks for the bug report. The truth is that I don't really understand
> how IRQ mappings work. It would be simple enough to apply the same
> fix that grsecurity does. The only question is how to assign authorship
> credit. Dmitry, how do you want to handle this?

The original patch was supplied to me by Brad Spengler <spender@xxxxxxxxxxxxxx>

There is also a bug report https://bugzilla.kernel.org/show_bug.cgi?id=215604 related to that problem.

Torsten