power: supply: bq27xxx: Fix kernel crash on IRQ handler register error

Commit Message

Hans de Goede Oct. 31, 2021, 9:02 a.m. UTC

When registering the IRQ handler fails, do not just return the error code,
this will free the devm_kalloc-ed data struct while leaving the queued
work queued and the registered power_supply registered with both of them
now pointing to free-ed memory, resulting in various kernel crashes
soon afterwards.

Instead properly tear-down things on IRQ handler register errors.

Fixes: 703df6c09795 ("power: bq27xxx_battery: Reorganize I2C into a module")
Cc: Andrew F. Davis <afd@ti.com>
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
---
 drivers/power/supply/bq27xxx_battery_i2c.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

Comments

Andy Shevchenko Oct. 31, 2021, 12:57 p.m. UTC | #1

On Sun, Oct 31, 2021 at 11:07 AM Hans de Goede <hdegoede@redhat.com> wrote:
>
> When registering the IRQ handler fails, do not just return the error code,
> this will free the devm_kalloc-ed data struct while leaving the queued

devm_kzalloc()-ed?

(main point is z/m/etc in the function name)

> work queued and the registered power_supply registered with both of them
> now pointing to free-ed memory, resulting in various kernel crashes
> soon afterwards.
>
> Instead properly tear-down things on IRQ handler register errors.

Patch

diff --git a/drivers/power/supply/bq27xxx_battery_i2c.c b/drivers/power/supply/bq27xxx_battery_i2c.c
index 46f078350fd3..cf38cbfe13e9 100644
--- a/drivers/power/supply/bq27xxx_battery_i2c.c
+++ b/drivers/power/supply/bq27xxx_battery_i2c.c
@@ -187,7 +187,8 @@  static int bq27xxx_battery_i2c_probe(struct i2c_client *client,
 			dev_err(&client->dev,
 				"Unable to register IRQ %d error %d\n",
 				client->irq, ret);
-			return ret;
+			bq27xxx_battery_teardown(di);
+			goto err_failed;
 		}
 	}