From: Andrei Kuchynski
To: Lee Jones, Benson Leung
Cc: Sergey Senozhatsky, Guenter Roeck, Tzung-Bi Shih, Logan Gunthorpe, Greg Kroah-Hartman, chrome-platform@lists.linux.dev, linux-kernel@vger.kernel.org, Andrei Kuchynski, stable@vger.kernel.org
Subject: [PATCH] mfd: cros_ec: Delay dev_set_drvdata() until probe success
Date: Mon, 27 Apr 2026 13:17:21 +0000
Message-ID: <20260427131721.1165078-1-akuchynski@chromium.org>

If ec_device_probe() fails, cros_ec_class_release releases memory for the
cros_ec_dev structure. However, because the drvdata was already set,
sub-drivers like cros_ec_typec can still retrieve the stale pointer via the
platform device. This leads to a use-after-free when cros_ec_typec attempts
to access &typec->ec->ec->dev on a device that has already been released.

Move dev_set_drvdata() to ensure that the pointer is only made available
once all initialization steps have succeeded.

  sysfs: cannot create duplicate filename '/class/chromeos/cros_ec'
  Call trace:
   sysfs_do_create_link_sd+0x94/0xdc
   sysfs_create_link+0x30/0x44
   device_add_class_symlinks+0x90/0x13c
   device_add+0xf0/0x50c
   ec_device_probe+0x150/0x4f0
   platform_probe+0xa0/0xe0
  ...
  BUG: KASAN: invalid-access in __memcpy+0x44/0x230
  Write at addr f5ffff809e2d33ac by task kworker/u32:5/125
  Pointer tag: [f5], memory tag: [fe]
  Tainted : [W]=WARN, [O]=OOT_MODULE
  Hardware name: Google Navi unprovisioned 0x7FFFFFFF/sku0 board/sku3
  Workqueue: events_unbound deferred_probe_work_func
  Call trace:
   __memcpy+0x44/0x230
   cros_ec_check_features+0x60/0xcc [cros_ec_proto]
   cros_typec_probe+0xe8/0x6e0 [cros_ec_typec]
   platform_probe+0xa0/0xe0

Cc: stable@vger.kernel.org
Fixes: 1c1d152cc5ac ("platform/chrome: cros_ec_dev - utilize new cdev_device_add helper function")
Co-developed-by: Sergey Senozhatsky
Signed-off-by: Sergey Senozhatsky
Signed-off-by: Andrei Kuchynski
Reviewed-by: Benson Leung
--- drivers/mfd/cros_ec_dev.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/mfd/cros_ec_dev.c b/drivers/mfd/cros_ec_dev.c index 39430dd44e30c..56fb7cceafc6c 100644 --- a/drivers/mfd/cros_ec_dev.c +++ b/drivers/mfd/cros_ec_dev.c @@ -195,7 +195,6 @@ static int ec_device_probe(struct platform_device *pdev) if (!ec) return retval; =20 - dev_set_drvdata(dev, ec); ec->ec_dev =3D dev_get_drvdata(dev->parent); ec->dev =3D dev; ec->cmd_offset =3D ec_platform->cmd_offset; @@ -237,6 +236,8 @@ static int ec_device_probe(struct platform_device *pdev) if (retval) goto failed; =20 + dev_set_drvdata(dev, ec); + /* check whether this EC is a sensor hub. */ if (cros_ec_get_sensor_count(ec) > 0) { retval =3D mfd_add_hotplug_devices(ec->dev, --=20 2.54.0.rc2.544.gc7ae2d5bb8-goog
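
Review bot: In the first hunk (@@ -195), removing dev_set_drvdata(dev, ec) right after the "if (!ec)" check leaves everything between that point and the new call in the second hunk running with drvdata unset. That range is not shown in the patch, so please confirm that nothing reached from it, directly or through a callback, calls dev_get_drvdata() on this device and dereferences the result. A sentence in the changelog stating that this was checked would help whoever backports the fix to stable.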
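
Review bot: In the second hunk (@@ -237), dev_set_drvdata(dev, ec) lands after the "if (retval) goto failed;" check but before the sensor-hub test and the mfd_add_hotplug_devices() call whose result is stored in retval, while the changelog says the pointer is published only once all initialization steps have succeeded. If any step after this point can still reach the failed label, the stale pointer is exposed again; either move the call below the last step that can fail or clear it with dev_set_drvdata(dev, NULL) on the failed path. Sub-drivers such as cros_ec_typec will also now read NULL drvdata after a failed probe, so the changelog should say that they check for it before dereferencing.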