Message ID | 20211031090208.6564-1-hdegoede@redhat.com (mailing list archive) |
---|---|
State | Superseded, archived |
Headers | show |
Series | power: supply: bq27xxx: Fix kernel crash on IRQ handler register error | expand |
On Sun, Oct 31, 2021 at 11:07 AM Hans de Goede <hdegoede@redhat.com> wrote: > > When registering the IRQ handler fails, do not just return the error code, > this will free the devm_kalloc-ed data struct while leaving the queued devm_kzalloc()-ed? (main point is z/m/etc in the function name) > work queued and the registered power_supply registered with both of them > now pointing to free-ed memory, resulting in various kernel crashes > soon afterwards. > > Instead properly tear-down things on IRQ handler register errors.
diff --git a/drivers/power/supply/bq27xxx_battery_i2c.c b/drivers/power/supply/bq27xxx_battery_i2c.c index 46f078350fd3..cf38cbfe13e9 100644 --- a/drivers/power/supply/bq27xxx_battery_i2c.c +++ b/drivers/power/supply/bq27xxx_battery_i2c.c @@ -187,7 +187,8 @@ static int bq27xxx_battery_i2c_probe(struct i2c_client *client, dev_err(&client->dev, "Unable to register IRQ %d error %d\n", client->irq, ret); - return ret; + bq27xxx_battery_teardown(di); + goto err_failed; } }
When registering the IRQ handler fails, do not just return the error code, this will free the devm_kalloc-ed data struct while leaving the queued work queued and the registered power_supply registered with both of them now pointing to free-ed memory, resulting in various kernel crashes soon afterwards. Instead properly tear-down things on IRQ handler register errors. Fixes: 703df6c09795 ("power: bq27xxx_battery: Reorganize I2C into a module") Cc: Andrew F. Davis <afd@ti.com> Signed-off-by: Hans de Goede <hdegoede@redhat.com> --- drivers/power/supply/bq27xxx_battery_i2c.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)