From patchwork Fri Feb 15 21:43:02 2019
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Sven Van Asbroeck <thesven73@gmail.com>
X-Patchwork-Id: 10815917
Return-Path: <linux-pm-owner@kernel.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
 [172.30.200.125])
	by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id C502F13B5
	for <patchwork-linux-pm@patchwork.kernel.org>;
 Fri, 15 Feb 2019 21:43:15 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id B528A303A4
	for <patchwork-linux-pm@patchwork.kernel.org>;
 Fri, 15 Feb 2019 21:43:15 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id A8FDC3056F; Fri, 15 Feb 2019 21:43:15 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-8.0 required=2.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FROM,MAILING_LIST_MULTI,RCVD_IN_DNSWL_HI
	autolearn=ham version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 201E0303A4
	for <patchwork-linux-pm@patchwork.kernel.org>;
 Fri, 15 Feb 2019 21:43:15 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S2392498AbfBOVnO (ORCPT
        <rfc822;patchwork-linux-pm@patchwork.kernel.org>);
        Fri, 15 Feb 2019 16:43:14 -0500
Received: from mail-it1-f195.google.com ([209.85.166.195]:55157 "EHLO
        mail-it1-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S2392493AbfBOVnO (ORCPT
        <rfc822;linux-pm@vger.kernel.org>); Fri, 15 Feb 2019 16:43:14 -0500
Received: by mail-it1-f195.google.com with SMTP id f10so4150784ita.4;
        Fri, 15 Feb 2019 13:43:13 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=from:to:cc:subject:date:message-id;
        bh=FKlJddmruO7nWtXJzDCxYpJZ2hrqaK8J0+Kc3s0oyqc=;
        b=RM7xDQn0GhUSXYzAlz1axfY3Nxt/DMX/kJD+y0as0A9xZkCNUuViQkLYVnmFv+P0Ww
         oRE8i7K/rwDaORZX1LJVovorQw8R6QugE0liVhSDQkAjoLEl569XZFJdrcmGjFiWalpC
         sUTVwi7pjMKR3/vySUXDm+mafS6Muzq1hr62IISIgVGb7e/FvZot3Er/RQ6GHYARXtkW
         z8P+kyT3QoW5sUdD6OnalW8PtG9kyMMzJ+nfEroyVC/XBW211/saxmL8nuNnRdKLyF9L
         mf0OM/MLdC8qwj4EkKVkFzQArMdAfAhMA5Zz7glF0faVzxXtlEzJfg9SKFMwTS7Q/ENw
         skqw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:from:to:cc:subject:date:message-id;
        bh=FKlJddmruO7nWtXJzDCxYpJZ2hrqaK8J0+Kc3s0oyqc=;
        b=stNWDHmHnPd/qmq0e/mx56t0HZiRy3YPwkh9PoNviwsESuiypezA8oXzsLpBZ6/gzT
         V4QYAxK8SuShJ7tTFtL6uwKUF2sGvo7h/MJdlf84+IAKl61BIza8y5eR+dAgQEQMVDe8
         i0AvTpENgPEVkDgizoPtdQHu0K138rf7CFyowgZ7Jgpc+Mi4ncdy6iBFQFoVBWwXS4az
         WW8NfyuAx3o9b7q6NNPfRcGjI2/ut7BJhiw105NbpFdHKdlxjPeX9LO1QAvOI5DM+/Er
         8GctGkRVanDDI/M/zxMpbJmfdz1McdD9v2eEQePCbN38drXbIhUMHx5H8XG0MjTgDK4t
         cL4Q==
X-Gm-Message-State: AHQUAuYn+hUVDZJxAMFlWpBy1lxUNRE6j632p0Ut1xJQClfi3mfaOeuu
        k8V23qX65BzcQEm3XpT9NOfOHtxE
X-Google-Smtp-Source: 
 AHgI3IbmuQC8I7xlv2PRMYEwzbxb4VQ3KQxq83c4UdC6ZszpGTEj3SZb/8ATLEAUK+7qwf/trAxARA==
X-Received: by 2002:a02:4084:: with SMTP id n126mr2545109jaa.78.1550266992602;
        Fri, 15 Feb 2019 13:43:12 -0800 (PST)
Received: from svens-asus.arcx.com ([184.94.50.30])
        by smtp.gmail.com with ESMTPSA id
 t64sm3301431itb.5.2019.02.15.13.43.11
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Fri, 15 Feb 2019 13:43:11 -0800 (PST)
From: Sven Van Asbroeck <thesven73@gmail.com>
X-Google-Original-From: Sven Van Asbroeck <TheSven73@gmail.com>
To: Sebastian Reichel <sre@kernel.org>
Cc: linux-pm@vger.kernel.org, linux-kernel@vger.kernel.org,
        Alexander Kurz <akurz@blala.de>
Subject: [PATCH 1/2] power: supply: max14656: fix potential use-before-alloc
Date: Fri, 15 Feb 2019 16:43:02 -0500
Message-Id: <20190215214303.7274-1-TheSven73@gmail.com>
X-Mailer: git-send-email 2.17.1
Sender: linux-pm-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-pm.vger.kernel.org>
X-Mailing-List: linux-pm@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

Call order on probe():
- max14656_hw_init() enables interrupts on the chip
- devm_request_irq() starts processing interrupts, isr
  could be called immediately
-    isr: schedules delayed work (irq_work)
-    irq_work: calls power_supply_changed()
- devm_power_supply_register() registers the power supply

Depending on timing, it's possible that power_supply_changed()
is called on an unregistered power supply structure.

Fix by registering the power supply before requesting the irq.

Cc: Alexander Kurz <akurz@blala.de>
Signed-off-by: Sven Van Asbroeck <TheSven73@gmail.com>
---
 drivers/power/supply/max14656_charger_detector.c | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/drivers/power/supply/max14656_charger_detector.c b/drivers/power/supply/max14656_charger_detector.c
index b91b1d2999dc..d19307f791c6 100644
--- a/drivers/power/supply/max14656_charger_detector.c
+++ b/drivers/power/supply/max14656_charger_detector.c
@@ -280,6 +280,13 @@ static int max14656_probe(struct i2c_client *client,
 
 	INIT_DELAYED_WORK(&chip->irq_work, max14656_irq_worker);
 
+	chip->detect_psy = devm_power_supply_register(dev,
+		       &chip->psy_desc, &psy_cfg);
+	if (IS_ERR(chip->detect_psy)) {
+		dev_err(dev, "power_supply_register failed\n");
+		return -EINVAL;
+	}
+
 	ret = devm_request_irq(dev, chip->irq, max14656_irq,
 			       IRQF_TRIGGER_FALLING,
 			       MAX14656_NAME, chip);
@@ -289,13 +296,6 @@ static int max14656_probe(struct i2c_client *client,
 	}
 	enable_irq_wake(chip->irq);
 
-	chip->detect_psy = devm_power_supply_register(dev,
-		       &chip->psy_desc, &psy_cfg);
-	if (IS_ERR(chip->detect_psy)) {
-		dev_err(dev, "power_supply_register failed\n");
-		return -EINVAL;
-	}
-
 	schedule_delayed_work(&chip->irq_work, msecs_to_jiffies(2000));
 
 	return 0;

From patchwork Fri Feb 15 21:43:03 2019
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Sven Van Asbroeck <thesven73@gmail.com>
X-Patchwork-Id: 10815919
Return-Path: <linux-pm-owner@kernel.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
 [172.30.200.125])
	by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 8181113B5
	for <patchwork-linux-pm@patchwork.kernel.org>;
 Fri, 15 Feb 2019 21:43:21 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 729323055B
	for <patchwork-linux-pm@patchwork.kernel.org>;
 Fri, 15 Feb 2019 21:43:21 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 664103056F; Fri, 15 Feb 2019 21:43:21 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-8.0 required=2.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FROM,MAILING_LIST_MULTI,RCVD_IN_DNSWL_HI
	autolearn=ham version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 1116A3055B
	for <patchwork-linux-pm@patchwork.kernel.org>;
 Fri, 15 Feb 2019 21:43:21 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S2392549AbfBOVnP (ORCPT
        <rfc822;patchwork-linux-pm@patchwork.kernel.org>);
        Fri, 15 Feb 2019 16:43:15 -0500
Received: from mail-it1-f193.google.com ([209.85.166.193]:39389 "EHLO
        mail-it1-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1727724AbfBOVnO (ORCPT
        <rfc822;linux-pm@vger.kernel.org>); Fri, 15 Feb 2019 16:43:14 -0500
Received: by mail-it1-f193.google.com with SMTP id l15so14148121iti.4;
        Fri, 15 Feb 2019 13:43:13 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=from:to:cc:subject:date:message-id:in-reply-to:references;
        bh=1tD3XdrjTvGx7PG6lPxNTPREFZ0oaZ7N/X4nuzbJyQY=;
        b=KwaQcZEGKC+do3YQu80T0QPaRLk5AZLoMsLnnvewxJdmtoeXeMcYd+UinXhOzD6hIT
         uB9ANYQPHCZ1F/lyzbfkigmy7/LtOSICbof08tkl3+33NKiGwRCSwFQq42ZFlMyfTyZR
         WG3NTgt4azyUjTfu3sIx3PFyNoRhcEAz2TwfIPjgTplFh4Lg2MKLjwZ6xU1FG54e6nga
         ZOUoTubiKD6mIjHawPZ05yelhveXgd+b6lTY728Qj10KhIB89WrlKOPdHCfjytXOJ3UE
         +x+BtA5A8YAavIOm5Zh85otkKpK62gUePr3tqhlR+Z5dQhD7ex0GPv1C31O6Dl50hF4w
         2sSA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
         :references;
        bh=1tD3XdrjTvGx7PG6lPxNTPREFZ0oaZ7N/X4nuzbJyQY=;
        b=h0LTYtPb3uP/pIdqYDRcDQbpb3I5vFToLyVIX8gERSWAySsZvYutg2/T+licWmDDbX
         CxFQbpSgPAi9iYoV8c2S+XuhKoDPKXl7HWbdXSklj2S9Z7YViMHKnGSwK7VzNZyXMYcU
         L7wc+HGOJdqcgBggz3XiZZH3OkHnVPrW92LYSOaeDtGhXQkuBYPZYWuNdbmo7gPGS5Ix
         MQe4sX5bH5/mL8ekSpr4RggNdwyNePWNadCbKt6y0BUZYHqjoG4QRfGIxyIt7C2JBQbF
         WHxiw2DR5M/LXY/nIGMqcBNcGCQlOz8QCYnXrx4mm5wRfWpTGGU/s8Ogzr4QkRCjfk+x
         Vqug==
X-Gm-Message-State: AHQUAuZyAdFBJKCYeKEND26V9OWQ/odw9AmamvwTcCx2aA0bTSy8EqKB
        tJORyQgnNQSyQaxLVr6ZRcg=
X-Google-Smtp-Source: 
 AHgI3Ia6zljpLgl/9TUqSkGZmTCNFqXcFzZ+5cPWWiRMRW7qZfb/58jA2ibAT3g2Mh09XUH5FxL2kQ==
X-Received: by 2002:a24:d288:: with SMTP id
 z130mr1616060itf.171.1550266993455;
        Fri, 15 Feb 2019 13:43:13 -0800 (PST)
Received: from svens-asus.arcx.com ([184.94.50.30])
        by smtp.gmail.com with ESMTPSA id
 t64sm3301431itb.5.2019.02.15.13.43.12
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Fri, 15 Feb 2019 13:43:12 -0800 (PST)
From: Sven Van Asbroeck <thesven73@gmail.com>
X-Google-Original-From: Sven Van Asbroeck <TheSven73@gmail.com>
To: Sebastian Reichel <sre@kernel.org>
Cc: linux-pm@vger.kernel.org, linux-kernel@vger.kernel.org,
        Alexander Kurz <akurz@blala.de>
Subject: [PATCH 2/2] power: supply: max14656: fix potential use-after-free
Date: Fri, 15 Feb 2019 16:43:03 -0500
Message-Id: <20190215214303.7274-2-TheSven73@gmail.com>
X-Mailer: git-send-email 2.17.1
In-Reply-To: <20190215214303.7274-1-TheSven73@gmail.com>
References: <20190215214303.7274-1-TheSven73@gmail.com>
Sender: linux-pm-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-pm.vger.kernel.org>
X-Mailing-List: linux-pm@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

Explicitly cancel/sync the irq_work delayed work, otherwise
there's a chance that it will run after the device is removed,
which would result in a use-after-free.

Note that cancel/sync should happen:
- after irq's have been disabled, as the isr re-schedules the work
- before the power supply is unregistered, because the work func
    uses the power supply handle.

Cc: Alexander Kurz <akurz@blala.de>
Signed-off-by: Sven Van Asbroeck <TheSven73@gmail.com>
---
 .../power/supply/max14656_charger_detector.c    | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

diff --git a/drivers/power/supply/max14656_charger_detector.c b/drivers/power/supply/max14656_charger_detector.c
index d19307f791c6..9e6472834e37 100644
--- a/drivers/power/supply/max14656_charger_detector.c
+++ b/drivers/power/supply/max14656_charger_detector.c
@@ -240,6 +240,14 @@ static enum power_supply_property max14656_battery_props[] = {
 	POWER_SUPPLY_PROP_MANUFACTURER,
 };
 
+static void stop_irq_work(void *data)
+{
+	struct max14656_chip *chip = data;
+
+	cancel_delayed_work_sync(&chip->irq_work);
+}
+
+
 static int max14656_probe(struct i2c_client *client,
 			  const struct i2c_device_id *id)
 {
@@ -278,8 +286,6 @@ static int max14656_probe(struct i2c_client *client,
 	if (ret)
 		return -ENODEV;
 
-	INIT_DELAYED_WORK(&chip->irq_work, max14656_irq_worker);
-
 	chip->detect_psy = devm_power_supply_register(dev,
 		       &chip->psy_desc, &psy_cfg);
 	if (IS_ERR(chip->detect_psy)) {
@@ -287,6 +293,13 @@ static int max14656_probe(struct i2c_client *client,
 		return -EINVAL;
 	}
 
+	INIT_DELAYED_WORK(&chip->irq_work, max14656_irq_worker);
+	ret = devm_add_action(dev, stop_irq_work, chip);
+	if (ret) {
+		dev_err(dev, "devm_add_action %d failed\n", ret);
+		return ret;
+	}
+
 	ret = devm_request_irq(dev, chip->irq, max14656_irq,
 			       IRQF_TRIGGER_FALLING,
 			       MAX14656_NAME, chip);