Hello, while looking around for drivers still using platform_driver_probe() I found the meson-ir-tx driver. While looking at it I identified a few patch opportunities. I think the driver might be used to trigger a use after free problem that is caused by the ir core. With my current understanding the following is possible: 1) open the ir device and keep it open 2) unbind the meson-ir-tx device 3) trigger calling .tx_ir = meson_irtx_transmit using the opened device using write() 2) can be done using sysfs or (maybe) by module unloading. The result is that the memory pointed to by ir is freed and the register mapping goes away. Even meson_irtx_transmit() might disappear then. Calling meson_irtx_transmit() then yields all kind of fun. I didn't debug in detail so I might miss something. To fix that you have to make sure that the callbacks don't get called any more once the rc device is unregistered (and track that information in memory that doesn't go away with the parent device's remove callback completing). Best regards Uwe Uwe Kleine-König (3): media: meson-ir-tx: Convert to use devm_rc_register_device() media: meson-ir-tx: Simplify and improve using dev_err_probe() media: meson-ir-tx: Drop usage of platform_driver_probe() drivers/media/rc/meson-ir-tx.c | 34 ++++++++++------------------------ 1 file changed, 10 insertions(+), 24 deletions(-) base-commit: 0bb80ecc33a8fb5a682236443c1e740d5c917d1d -- 2.42.0
