Hi,

> In function reg_query_database, query_regdb_file calls
> request_firmware_nowait to do request_firmware asynchronously,
> which needs the caller to hold a reference on dev; otherwise it will
> do put_device, freeing '&reg_pdev->dev'. After that, call_crda accessing
> the dev will trigger a use-after-free bug.

So ... OK, but how does that then only fix the firmware file loading, rather than CRDA calling?

> This patch fixes this by holding a reference on dev in regulatory_init
> after platform_device_register_simple has registered successfully, which
> is released in platform_device_unregister.

This doesn't make sense? You just add a new reference and don't release it? If there was a bug then just loading & unloading would trigger an underflow now?

platform_device_register_full() (to which _simple is a wrapper) will evidently return the pdev with a reference held, because it does platform_device_put() in the error path?

johannes