From: Yuho Choi
To: Lee Jones, Matthias Brugger, AngeloGioacchino Del Regno
Cc: linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org, linux-mediatek@lists.infradead.org, Yuho Choi
Subject: [PATCH v1] mfd: mt6397-irq: Fix PM notifier use-after-free
Date: Sun, 7 Jun 2026 22:10:48 -0400
Message-ID: <20260608021048.2577577-1-dbgh9129@gmail.com>

mt6397_irq_init() registers chip->pm_nb with the global PM notifier chain. The notifier callback uses container_of() to recover struct mt6397_chip and then dereferences chip fields.

The chip structure is allocated with devm_kzalloc() in mt6397_probe(). If probe fails after mt6397_irq_init() succeeds, for example when devm_mfd_add_devices() fails, devres can release the chip while the PM notifier remains registered. The same lifetime mismatch exists when the driver is unbound.

Check the register_pm_notifier() return value and add a devm cleanup action to unregister the notifier before the devm-managed chip is freed. If adding the cleanup action fails, devm_add_action_or_reset() unregisters the notifier immediately; then remove the IRQ domain in the remaining error path.

Fixes: 4e2e7cfec13a ("mfd: mt6397: Modify suspend/resume behavior")
Signed-off-by: Yuho Choi

--- drivers/mfd/mt6397-irq.c | 22 ++++++++++++++++++++-- 1 file changed, 20 insertions(+), 2 deletions(-) diff --git a/drivers/mfd/mt6397-irq.c b/drivers/mfd/mt6397-irq.c index 5d2e5459f744..8947f7e732fa 100644 --- a/drivers/mfd/mt6397-irq.c +++ b/drivers/mfd/mt6397-irq.c
@@ -169,6 +169,13 @@ static int mt6397_irq_pm_notifier(struct notifier_bloc= k *notifier, return NOTIFY_DONE; } =20 +static void mt6397_irq_pm_notifier_unregister(void *data) +{ + struct mt6397_chip *chip =3D data; + + unregister_pm_notifier(&chip->pm_nb); +} + int mt6397_irq_init(struct mt6397_chip *chip) { int ret; @@ -233,6 +240,17 @@ int mt6397_irq_init(struct mt6397_chip *chip) return ret; } =20 - register_pm_notifier(&chip->pm_nb); - return 0; + ret =3D register_pm_notifier(&chip->pm_nb); + if (ret) { + dev_err(chip->dev, "failed to register PM notifier: %d\n", ret); + irq_domain_remove(chip->irq_domain); + return ret; + } + + ret =3D devm_add_action_or_reset(chip->dev, + mt6397_irq_pm_notifier_unregister, chip); + if (ret) + irq_domain_remove(chip->irq_domain); + + return ret; } --=20 2.43.0
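Review bot: mt6397_irq_pm_notifier_unregister() in the first hunk depends on an ordering that nothing in the code states. It is safe only because devres runs release actions in reverse order of registration, so this action runs before the devm_kzalloc()'d chip from mt6397_probe() is freed. A one-line comment above the helper saying so would keep a later reordering of the probe path from silently reintroducing the use-after-free. The helper could also take &chip->pm_nb as its data pointer and pass it straight to unregister_pm_notifier(), which drops the cast through struct mt6397_chip.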
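Review bot: the two new failure branches at the end of mt6397_irq_init() both open-code irq_domain_remove(chip->irq_domain), and only the register_pm_notifier() branch logs, so a devm_add_action_or_reset() failure returns an error with no message. Suggest a single error label that removes the domain, and logging both failures or neither (dev_err_probe() would fit if this function is only reached from probe). In the devm_add_action_or_reset() branch the notifier is already unregistered by the "or_reset" behaviour before irq_domain_remove() runs, as the commit message says; a short comment at that branch would save the next reader from having to check.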