On Thu, Feb 22, 2024 at 03:26:54PM +0100, Mathias Krause wrote:
> Calling irq_domain_remove() will lead to freeing the IRQ domain
> prematurely. The domain is still referenced and will be attempted to get
> used via rmi_free_function_list() -> rmi_unregister_function() ->
> irq_dispose_mapping() -> irq_get_irq_data()'s ->domain pointer.
>
> With PaX's MEMORY_SANITIZE this will lead to an access fault when
> attempting to dereference embedded pointers, as in Torsten's report that
> was faulting on the 'domain->ops->unmap' test.
>
> Fix this by releasing the IRQ domain only after all related IRQs have
> been deactivated.
>
> Fixes: 24d28e4f1271 ("Input: synaptics-rmi4 - convert irq distribution to irq_domain")
> Reported-by: Torsten Hilbrich <torsten.hilbrich@xxxxxxxxxxx>
> Signed-off-by: Mathias Krause <minipli@xxxxxxxxxxxxxx>
Applied, thank you.
--
Dmitry
