From: Waqar Hameed
To: Linus Walleij, Sebastian Reichel
Subject: [PATCH 01/11] power: supply: ab8500: Fix use-after-free in power_supply_changed()
Date: Sat, 20 Dec 2025 23:35:58 +0100
X-Mailing-List: linux-kernel@vger.kernel.org

Using the `devm_` variant for requesting IRQ _before_ the `devm_` variant for allocating/registering the `power_supply` handle, means that the `power_supply` handle will be deallocated/unregistered _before_ the interrupt handler (since `devm_` naturally deallocates in reverse allocation order). This means that during removal, there is a race condition where an interrupt can fire just _after_ the `power_supply` handle has been freed, *but* just _before_ the corresponding unregistration of the IRQ handler has run.

This will lead to the IRQ handler calling `power_supply_changed()` with a freed `power_supply` handle. Which usually crashes the system or otherwise silently corrupts the memory...

Note that there is a similar situation which can also happen during `probe()`; the possibility of an interrupt firing _before_ registering the `power_supply` handle. This would then lead to the nasty situation of using the `power_supply` handle *uninitialized* in `power_supply_changed()`.

Commit 1c1f13a006ed ("power: supply: ab8500: Move to componentized binding") introduced this issue during a refactorization. Fix this racy use-after-free by making sure the IRQ is requested _after_ the registration of the `power_supply` handle.

Fixes: 1c1f13a006ed ("power: supply: ab8500: Move to componentized binding")
Signed-off-by: Waqar Hameed
Reviewed-by: Linus Walleij
--- drivers/power/supply/ab8500_charger.c | 40 +++++++++++++-------------- 1 file changed, 20 insertions(+), 20 deletions(-) diff --git a/drivers/power/supply/ab8500_charger.c b/drivers/power/supply/a= b8500_charger.c index 5f4537766e5b9..1813fbdfa1c1f 100644 --- a/drivers/power/supply/ab8500_charger.c +++ b/drivers/power/supply/ab8500_charger.c 
@@ -3466,26 +3466,6 @@ static int ab8500_charger_probe(struct platform_devi= ce *pdev) return ret; } =20 - /* Request interrupts */ - for (i =3D 0; i < ARRAY_SIZE(ab8500_charger_irq); i++) { - irq =3D platform_get_irq_byname(pdev, ab8500_charger_irq[i].name); - if (irq < 0) - return irq; - - ret =3D devm_request_threaded_irq(dev, - irq, NULL, ab8500_charger_irq[i].isr, - IRQF_SHARED | IRQF_NO_SUSPEND | IRQF_ONESHOT, - ab8500_charger_irq[i].name, di); - - if (ret !=3D 0) { - dev_err(dev, "failed to request %s IRQ %d: %d\n" - , ab8500_charger_irq[i].name, irq, ret); - return ret; - } - dev_dbg(dev, "Requested %s IRQ %d: %d\n", - ab8500_charger_irq[i].name, irq, ret); - } - /* initialize lock */ spin_lock_init(&di->usb_state.usb_lock); mutex_init(&di->usb_ipt_crnt_lock); 
@@ -3614,6 +3594,26 @@ static int ab8500_charger_probe(struct platform_devi= ce *pdev) return PTR_ERR(di->usb_chg.psy); } =20 + /* Request interrupts */ + for (i =3D 0; i < ARRAY_SIZE(ab8500_charger_irq); i++) { + irq =3D platform_get_irq_byname(pdev, ab8500_charger_irq[i].name); + if (irq < 0) + return irq; + + ret =3D devm_request_threaded_irq(dev, + irq, NULL, ab8500_charger_irq[i].isr, + IRQF_SHARED | IRQF_NO_SUSPEND | IRQF_ONESHOT, + ab8500_charger_irq[i].name, di); + + if (ret !=3D 0) { + dev_err(dev, "failed to request %s IRQ %d: %d\n" + , ab8500_charger_irq[i].name, irq, ret); + return ret; + } + dev_dbg(dev, "Requested %s IRQ %d: %d\n", + ab8500_charger_irq[i].name, irq, ret); + } + /* * Check what battery we have, since we always have the USB * psy, use that as a handle. --=20 2.39.5
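Review bot: the early `return irq;` and `return ret;` in the moved loop (second hunk) now execute after the `di->usb_chg.psy` registration rather than near the top of probe, so anything acquired between the old position (line 3466) and the new one (line 3594) without a `devm_` helper would be left behind on these paths. Please confirm nothing in that range needs explicit unwinding, or route the failures through a cleanup label. Minor, since the block is moved verbatim: the `dev_dbg()` still prints `ret`, which is always 0 at that point.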
From: Waqar Hameed
To: Sebastian Reichel, Wenyou Yang
Subject: [PATCH 02/11] power: supply: act8945a: Fix use-after-free in power_supply_changed()
Date: Sat, 20 Dec 2025 23:35:59 +0100
X-Mailing-List: linux-kernel@vger.kernel.org

Using the `devm_` variant for requesting IRQ _before_ the `devm_` variant for allocating/registering the `power_supply` handle, means that the `power_supply` handle will be deallocated/unregistered _before_ the interrupt handler (since `devm_` naturally deallocates in reverse allocation order). This means that during removal, there is a race condition where an interrupt can fire just _after_ the `power_supply` handle has been freed, *but* just _before_ the corresponding unregistration of the IRQ handler has run.

This will lead to the IRQ handler calling `power_supply_changed()` with a freed `power_supply` handle. Which usually crashes the system or otherwise silently corrupts the memory...

Note that there is a similar situation which can also happen during `probe()`; the possibility of an interrupt firing _before_ registering the `power_supply` handle. This would then lead to the nasty situation of using the `power_supply` handle *uninitialized* in `power_supply_changed()`.

Fix this racy use-after-free by making sure the IRQ is requested _after_ the registration of the `power_supply` handle.

Fixes: a09209acd6a8 ("power: supply: act8945a_charger: Add status change update support")
Signed-off-by: Waqar Hameed
--- drivers/power/supply/act8945a_charger.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/drivers/power/supply/act8945a_charger.c b/drivers/power/supply= /act8945a_charger.c index 3901a02f326a5..9dec4486b1439 100644 --- a/drivers/power/supply/act8945a_charger.c +++ b/drivers/power/supply/act8945a_charger.c @@ -597,14 +597,6 @@ static int act8945a_charger_probe(struct platform_devi= ce *pdev) return irq ?: -ENXIO; } =20 - ret =3D devm_request_irq(&pdev->dev, irq, act8945a_status_changed, - IRQF_TRIGGER_FALLING, "act8945a_interrupt", - charger); - if (ret) { - dev_err(&pdev->dev, "failed to request nIRQ pin IRQ\n"); - return ret; - } - charger->desc.name =3D "act8945a-charger"; charger->desc.get_property =3D act8945a_charger_get_property; charger->desc.properties =3D act8945a_charger_props; 
@@ -625,6 +617,14 @@ static int act8945a_charger_probe(struct platform_devi= ce *pdev) return PTR_ERR(charger->psy); } =20 + ret =3D devm_request_irq(&pdev->dev, irq, act8945a_status_changed, + IRQF_TRIGGER_FALLING, "act8945a_interrupt", + charger); + if (ret) { + dev_err(&pdev->dev, "failed to request nIRQ pin IRQ\n"); + return ret; + } + platform_set_drvdata(pdev, charger); =20 INIT_WORK(&charger->work, act8945a_work); --=20 2.39.5
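Review bot: in the second hunk `devm_request_irq()` now follows the `charger->psy` registration but still precedes `platform_set_drvdata(pdev, charger)` and `INIT_WORK(&charger->work, act8945a_work)`. If `act8945a_status_changed()` schedules `charger->work`, an interrupt arriving right after the request would queue a work item that has not been initialized yet, which is the same class of probe-time race the commit message describes. Moving the request below `INIT_WORK()` would close that window as well.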
From: Waqar Hameed To: Sebastian Reichel , Ricardo Rivera-Matos CC: , , Subject: [PATCH 03/11] power: supply: bq256xx: Fix use-after-free in power_supply_changed() In-Reply-To: References: User-Agent: a.out Message-ID: <39da6da8cc060fa0382ca859f65071e791cb6119.1766268280.git.waqar.hameed@axis.com> Date: Sat, 20 Dec 2025 23:35:59 +0100 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-ClientProxiedBy: se-mail02w.axis.com (10.20.40.8) To se-mail10w.axis.com (10.20.40.10) X-EOPAttributedMessage: 0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: DB1PEPF000509FD:EE_|VI1PR02MB6208:EE_ X-MS-Office365-Filtering-Correlation-Id: bb7d90ad-b936-413c-3903-08de4018279d X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0;ARA:13230040|376014|36860700013|82310400026|1800799024; X-Microsoft-Antispam-Message-Info: =?us-ascii?Q?cwYeCajceJON/QfsXVKy7QUKfNYDcfiwVv2dEFIJ6tqoz/MEKwhD6hH/ABKk?= =?us-ascii?Q?vL2wsXHkDzAw5VRJ0LhfO6rKPMr9G0VumJ1OV1W5MmV1oX0hpAdfVBerZuJs?= =?us-ascii?Q?TY4JqVNMXbCT36KjIsJyvRppOq2lrCSLuo/A89Z9T43PgZgQI3G2fFNOioVP?= =?us-ascii?Q?aC0mR4zSXhAIzqX48FcUH0jwDZKIeZgF8cMhTezbUAGBqKc7k51q+JgP8imf?= =?us-ascii?Q?P6gVU3Qn/zT9FEgP5RIRWRvS7AuKM1aTQmu+tm5ccW2CzALTGUFKUsnintP+?= =?us-ascii?Q?itN+gCvC0jMfxMD4A66MVFUZ4NbDxArgGdcuMcQOk0pLAzeQXbxrgrMjNj8s?= =?us-ascii?Q?2Gxa6xGk6gtkxwYGD9B1hLJFwyzkTL+7qe/kw7/0r6C3eFVWGTi+WF4EGNXt?= =?us-ascii?Q?OFlOtcG45Vn3laTORt7Xfjpl27MN/j0RzQNEVUZNm2+lpTqJ9fK8YUC5zUe6?= =?us-ascii?Q?dTJM1NY2dWsGaxxo+knIqqIWGSH/276NATGHsF9INPEJldH1nSFN+kPRqDjl?= =?us-ascii?Q?VcVngq1DIGIv250uI3PJ9Skebc0CVtFV+Ar57CnRuUCqeZ/ElGUtHcY2jdPr?= =?us-ascii?Q?QAlEd51/pW58qk4nrwLOjwG1z/juOI/dH73ZrdTQWu84hip9Zho1iaPlVeta?= =?us-ascii?Q?vfCyAseTR4KOoBjvRJf6ejkmVVNlDU/qtm5GT46c8a1brGuR7VhGP6is6ATn?= =?us-ascii?Q?psGLX5vn+65gkLs7EK3m9XlPWIkvNG1Jkn9t8IIZYeVyAUyP9yC13a/uK/66?= =?us-ascii?Q?sn2HCs3gfBHHIN7NwSu64jYMZ4haOYgVI2xZJ1rm0ZmKha0sxGI5x+00OJB6?= 
=?us-ascii?Q?XRNoDOVE9cwSE+2Kyvj0SDCpVpKyfQ3FYO4EwmgV1wlTrAtoc41jVHTvOpoQ?= =?us-ascii?Q?qlvt52KXOhCbmigwiJXBTEcHkTHOIoUhcWTtujbbhUGwMg3Ir0T7i0Mcupey?= =?us-ascii?Q?aZ9eG2CtEw0u/4aVfZuQl8yVGfPTG2JstO/zYyVGt4Q3OxBmpL8sWOs5V/hY?= =?us-ascii?Q?smlW4zyKnaZIYe9oAGhYeiC6QNk4yts8kdOxcyDakZZzKDhERQnaym6qEe0t?= =?us-ascii?Q?fgwi9VK6GgwFMYXrKdCwDOxKofBpwZubTrlEkq+PVNhcGEGiL1nnA/V3JeB2?= =?us-ascii?Q?Pu9wR9KPq1CjbN0WJh2B1LYiGrSUjjihxW8g3pF4vad6TPTb/YXQcdCvULt5?= =?us-ascii?Q?6H5jW6KSGibABjq5cvN9P/WJ6S0hjHEU3GthtlsK7af0LocqAPBLX14biaAU?= =?us-ascii?Q?MSmW9lRGzVPoZMIXJOQXv7/Pmq27k4Uamf3SUhSLRV16DHF4qJpGR9GQGOD0?= =?us-ascii?Q?Se43QYI982xlhOpEtQ5z0hvQEDD1hD3jamvp/DAB60qZ3bVwE0KJWqZnJrSr?= =?us-ascii?Q?Y1uTkVKiiPrqh/UUky3Xzr3CCcq7BcqerCy26Okamh/YNwv1UMBFZ1DSS5o3?= =?us-ascii?Q?qHKEf0nFukNpCqfwofEUy+d1hx9Dqxo8S6OMW2+FoUHxWO1U2k0BhPRlFuek?= =?us-ascii?Q?0eKYAcaeA++r0Efpg++3uL8y5LdSLN08BiVnDmq5dg+Q66dj4qWTCOsCqctj?= =?us-ascii?Q?qgLSv8hLHApjPPd6AHc=3D?= X-Forefront-Antispam-Report: CIP:195.60.68.100;CTRY:SE;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:mail.axis.com;PTR:InfoDomainNonexistent;CAT:NONE;SFS:(13230040)(376014)(36860700013)(82310400026)(1800799024);DIR:OUT;SFP:1101; X-OriginatorOrg: axis.com X-MS-Exchange-CrossTenant-OriginalArrivalTime: 20 Dec 2025 22:36:02.0672 (UTC) X-MS-Exchange-CrossTenant-Network-Message-Id: bb7d90ad-b936-413c-3903-08de4018279d X-MS-Exchange-CrossTenant-Id: 78703d3c-b907-432f-b066-88f7af9ca3af X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=78703d3c-b907-432f-b066-88f7af9ca3af;Ip=[195.60.68.100];Helo=[mail.axis.com] X-MS-Exchange-CrossTenant-AuthSource: DB1PEPF000509FD.eurprd03.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Anonymous X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR02MB6208 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Using the `devm_` variant for requesting IRQ _before_ the `devm_` variant for 
allocating/registering the `power_supply` handle, means that the `power_supply` handle will be deallocated/unregistered _before_ the interrupt handler (since `devm_` naturally deallocates in reverse allocation order). This means that during removal, there is a race condition where an interrupt can fire just _after_ the `power_supply` handle has been freed, *but* just _before_ the corresponding unregistration of the IRQ handler has run. This will lead to the IRQ handler calling `power_supply_changed()` with a freed `power_supply` handle. Which usually crashes the system or otherwise silently corrupts the memory...

Note that there is a similar situation which can also happen during `probe()`; the possibility of an interrupt firing _before_ registering the `power_supply` handle. This would then lead to the nasty situation of using the `power_supply` handle *uninitialized* in `power_supply_changed()`.

Fix this racy use-after-free by making sure the IRQ is requested _after_ the registration of the `power_supply` handle.

Fixes: 32e4978bb920 ("power: supply: bq256xx: Introduce the BQ256XX charger driver")
Signed-off-by: Waqar Hameed
--- drivers/power/supply/bq256xx_charger.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/drivers/power/supply/bq256xx_charger.c b/drivers/power/supply/= bq256xx_charger.c index ae14162f017a9..d3de4f8b80db1 100644 --- a/drivers/power/supply/bq256xx_charger.c +++ b/drivers/power/supply/bq256xx_charger.c @@ -1741,6 +1741,12 @@ static int bq256xx_probe(struct i2c_client *client) usb_register_notifier(bq->usb3_phy, &bq->usb_nb); } =20 + ret =3D bq256xx_power_supply_init(bq, &psy_cfg, dev); + if (ret) { + dev_err(dev, "Failed to register power supply\n"); + return ret; + } + if (client->irq) { ret =3D devm_request_threaded_irq(dev, client->irq, NULL, bq256xx_irq_handler_thread, 
@@ -1753,12 +1759,6 @@ static int bq256xx_probe(struct i2c_client *client) } } =20 - ret =3D bq256xx_power_supply_init(bq, &psy_cfg, dev); - if (ret) { - dev_err(dev, "Failed to register power supply\n"); - return ret; - } - ret =3D bq256xx_hw_init(bq); if (ret) { dev_err(dev, "Cannot initialize the chip.\n"); --=20 2.39.5
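Review bot: In the first hunk of `bq256xx_probe()`, the context line `usb_register_notifier(bq->usb3_phy, &bq->usb_nb);` still runs before the moved `bq256xx_power_supply_init()` call, so the notifier is live while the `power_supply` handle is not yet registered. If the `bq->usb_nb` callback can reach `power_supply_changed()`, the probe-time window described in the commit message stays open on that path; consider moving the power supply registration above the notifier registration as well, or state in the commit message why the notifier path is safe. The added `return ret;` also leaves probe after the notifier was registered, so check that this error path does not leave it registered.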
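The ordering argument from the commit message above, as an added userspace model (not code from the patch or from the kernel): a devres-style list that is released in reverse order, with an interrupt allowed to arrive after every step of probe and removal. All names here (`model_dev`, `model_devm_add`, `lifecycle_irq_first`, ...) are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Userspace model only: none of these names are kernel APIs. */
enum res_kind { RES_IRQ, RES_PSY };

struct model_dev {
	enum res_kind stack[4];	/* managed resources, released last-in first-out */
	size_t depth;
	bool irq_live;		/* the handler may be invoked */
	bool psy_valid;		/* power_supply handle registered and not freed */
	int unsafe_probe;	/* windows where the handler sees no handle yet */
	int unsafe_remove;	/* windows where the handler sees a freed handle */
};

/* An interrupt can arrive at any point where the handler is registered. */
static void irq_may_fire(struct model_dev *d, bool tearing_down)
{
	if (!d->irq_live || d->psy_valid)
		return;			/* no handler, or the handle is usable */
	if (tearing_down)
		d->unsafe_remove++;	/* handler would use a freed handle */
	else
		d->unsafe_probe++;	/* handler would use an uninitialized handle */
}

/* Models a devm_-style registration during probe. */
static void model_devm_add(struct model_dev *d, enum res_kind kind)
{
	if (d->depth == sizeof(d->stack) / sizeof(d->stack[0]))
		return;
	d->stack[d->depth++] = kind;
	if (kind == RES_IRQ)
		d->irq_live = true;
	else
		d->psy_valid = true;
	irq_may_fire(d, false);		/* window right after this probe step */
}

/* Models removal: release in reverse registration order. */
static void model_devm_release_all(struct model_dev *d)
{
	while (d->depth > 0) {
		enum res_kind kind = d->stack[--d->depth];

		if (kind == RES_IRQ)
			d->irq_live = false;
		else
			d->psy_valid = false;
		irq_may_fire(d, true);	/* window right after this release step */
	}
}

static struct model_dev run_lifecycle(const enum res_kind *order, size_t n)
{
	struct model_dev d = {0};

	for (size_t i = 0; i < n; i++)
		model_devm_add(&d, order[i]);
	model_devm_release_all(&d);
	return d;
}

/* Order before the patch: IRQ requested first, power supply second. */
static struct model_dev lifecycle_irq_first(void)
{
	static const enum res_kind order[] = { RES_IRQ, RES_PSY };

	return run_lifecycle(order, 2);
}

/* Order after the patch: power supply registered first, IRQ second. */
static struct model_dev lifecycle_psy_first(void)
{
	static const enum res_kind order[] = { RES_PSY, RES_IRQ };

	return run_lifecycle(order, 2);
}

int main(void)
{
	struct model_dev before = lifecycle_irq_first();
	struct model_dev after = lifecycle_psy_first();

	printf("irq first: %d unsafe probe window(s), %d unsafe remove window(s)\n",
	       before.unsafe_probe, before.unsafe_remove);
	printf("psy first: %d unsafe probe window(s), %d unsafe remove window(s)\n",
	       after.unsafe_probe, after.unsafe_remove);
	return 0;
}
```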
From: Waqar Hameed
To: Sebastian Reichel, Dan Murphy
Subject: [PATCH 04/11] power: supply: bq25980: Fix use-after-free in power_supply_changed()
Message-ID: <8763035cadb959e14787b3837f2d3db61f6e1c34.1766268280.git.waqar.hameed@axis.com>
Date: Sat, 20 Dec 2025 23:35:59 +0100
X-Mailing-List: linux-kernel@vger.kernel.org
Using the `devm_` variant for requesting IRQ _before_ the `devm_` variant for
allocating/registering the `power_supply` handle, means that the `power_supply` handle will be deallocated/unregistered _before_ the interrupt handler (since `devm_` naturally deallocates in reverse allocation order). This means that during removal, there is a race condition where an interrupt can fire just _after_ the `power_supply` handle has been freed, *but* just _before_ the corresponding unregistration of the IRQ handler has run. This will lead to the IRQ handler calling `power_supply_changed()` with a freed `power_supply` handle. Which usually crashes the system or otherwise silently corrupts the memory...

Note that there is a similar situation which can also happen during `probe()`; the possibility of an interrupt firing _before_ registering the `power_supply` handle. This would then lead to the nasty situation of using the `power_supply` handle *uninitialized* in `power_supply_changed()`.

Fix this racy use-after-free by making sure the IRQ is requested _after_ the registration of the `power_supply` handle.

Fixes: 5069185fc18e ("power: supply: bq25980: Add support for the BQ259xx family")
Signed-off-by: Waqar Hameed
--- drivers/power/supply/bq25980_charger.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/drivers/power/supply/bq25980_charger.c b/drivers/power/supply/= bq25980_charger.c index 723858d62d141..73f06f09f134c 100644 --- a/drivers/power/supply/bq25980_charger.c +++ b/drivers/power/supply/bq25980_charger.c @@ -1241,6 +1241,12 @@ static int bq25980_probe(struct i2c_client *client) return ret; } =20 + ret =3D bq25980_power_supply_init(bq, dev); + if (ret) { + dev_err(dev, "Failed to register power supply\n"); + return ret; + } + if (client->irq) { ret =3D devm_request_threaded_irq(dev, client->irq, NULL, bq25980_irq_handler_thread, 
@@ -1251,12 +1257,6 @@ static int bq25980_probe(struct i2c_client *client) return ret; } =20 - ret =3D bq25980_power_supply_init(bq, dev); - if (ret) { - dev_err(dev, "Failed to register power supply\n"); - return ret; - } - ret =3D bq25980_hw_init(bq); if (ret) { dev_err(dev, "Cannot initialize the chip.\n"); --=20 2.39.5
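Review bot: In the second hunk, `bq25980_hw_init(bq)` is still called after `devm_request_threaded_irq()`, so `bq25980_irq_handler_thread` can run against a registered supply but a chip that has not been initialized yet. If the handler relies on anything `bq25980_hw_init()` sets up, request the IRQ as the last step of probe rather than only after `bq25980_power_supply_init()`; otherwise add a line to the commit message saying the handler is safe to run before hardware init.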
From: Waqar Hameed
To: Sebastian Reichel, Tony Lindgren
Subject: [PATCH 05/11] power: supply: cpcap-battery: Fix use-after-free in power_supply_changed()
Message-ID: <81db58d610c9a51a68184f856cd431a934cccee2.1766268280.git.waqar.hameed@axis.com>
Date: Sat, 20 Dec 2025 23:36:00 +0100
X-Mailing-List: linux-kernel@vger.kernel.org
Using the `devm_` variant for requesting IRQ _before_ the `devm_` variant for
allocating/registering the `power_supply` handle, means that the `power_supply` handle will be deallocated/unregistered _before_ the interrupt handler (since `devm_` naturally deallocates in reverse allocation order). This means that during removal, there is a race condition where an interrupt can fire just _after_ the `power_supply` handle has been freed, *but* just _before_ the corresponding unregistration of the IRQ handler has run. This will lead to the IRQ handler calling `power_supply_changed()` with a freed `power_supply` handle. Which usually crashes the system or otherwise silently corrupts the memory...

Note that there is a similar situation which can also happen during `probe()`; the possibility of an interrupt firing _before_ registering the `power_supply` handle. This would then lead to the nasty situation of using the `power_supply` handle *uninitialized* in `power_supply_changed()`.

Fix this racy use-after-free by making sure the IRQ is requested _after_ the registration of the `power_supply` handle.

Fixes: 874b2adbed12 ("power: supply: cpcap-battery: Add a battery driver")
Signed-off-by: Waqar Hameed
--- drivers/power/supply/cpcap-battery.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/drivers/power/supply/cpcap-battery.c b/drivers/power/supply/cp= cap-battery.c index 8106d1edcbc26..507fdc1c866d5 100644 --- a/drivers/power/supply/cpcap-battery.c +++ b/drivers/power/supply/cpcap-battery.c @@ -1122,10 +1122,6 @@ static int cpcap_battery_probe(struct platform_devic= e *pdev) =20 platform_set_drvdata(pdev, ddata); =20 - error =3D cpcap_battery_init_interrupts(pdev, ddata); - if (error) - return error; - error =3D cpcap_battery_init_iio(ddata); if (error) return error; 
@@ -1142,6 +1138,10 @@ static int cpcap_battery_probe(struct platform_devic= e *pdev) return error; } =20 + error =3D cpcap_battery_init_interrupts(pdev, ddata); + if (error) + return error; + atomic_set(&ddata->active, 1); =20 error =3D cpcap_battery_calibrate(ddata); --=20 2.39.5
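Review bot: In the second hunk, the re-added `cpcap_battery_init_interrupts(pdev, ddata)` call sits directly before `atomic_set(&ddata->active, 1)` and `cpcap_battery_calibrate(ddata)`, so the handlers can still fire while `ddata->active` is 0 and before calibration has run. If the handlers bail out on an inactive device, say so in the commit message so the remaining probe window is clearly intentional; if they do not, move the call below `atomic_set()` or explain why running them at this point is safe.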
From: Waqar Hameed
To: Sebastian Reichel, "Mike A. Chan", Alan Cox, Tom Keel, "Yunhong Jiang", Sheng Yang
CC: Bruce Beare, Anton Vorontsov, Jun Nakajima
Subject: [PATCH 06/11] power: supply: goldfish: Fix use-after-free in power_supply_changed()
Message-ID: <500a606bb6fb6f2bb8d797e19a00cea9dd7b03c1.1766268280.git.waqar.hameed@axis.com>
Date: Sat, 20 Dec 2025 23:36:00 +0100
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Using the `devm_` variant for requesting IRQ _before_ the `devm_` variant for allocating/registering the `power_supply` handle, means that the `power_supply` handle will be deallocated/unregistered _before_ the interrupt handler (since `devm_` naturally deallocates in reverse allocation order). This means that during removal, there is a race condition where an interrupt can fire just _after_ the `power_supply` handle has been freed, *but* just _before_ the corresponding unregistration of the IRQ handler has run. This will lead to the IRQ handler calling `power_supply_changed()` with a freed `power_supply` handle. Which usually crashes the system or otherwise silently corrupts the memory... Note that there is a similar situation which can also happen during `probe()`; the possibility of an interrupt firing _before_ registering the `power_supply` handle. This would then lead to the nasty situation of using the `power_supply` handle *uninitialized* in `power_supply_changed()`. Fix this racy use-after-free by making sure the IRQ is requested _after_ the registration of the `power_supply` handle. Fixes: 84d7b7687489 ("power: Add battery driver for goldfish emulator") Signed-off-by: Waqar Hameed --- drivers/power/supply/goldfish_battery.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/drivers/power/supply/goldfish_battery.c b/drivers/power/supply= /goldfish_battery.c index 479195e35d734..5aa24e4dc4455 100644 --- a/drivers/power/supply/goldfish_battery.c +++ b/drivers/power/supply/goldfish_battery.c @@ -224,12 +224,6 @@ static int goldfish_battery_probe(struct platform_devi= ce *pdev) if (data->irq < 0) return -ENODEV; =20 - ret =3D devm_request_irq(&pdev->dev, data->irq, - goldfish_battery_interrupt, - IRQF_SHARED, pdev->name, data); - if (ret) - return ret; - psy_cfg.drv_data =3D data; =20 data->ac =3D devm_power_supply_register(&pdev->dev, 
@@ -244,6 +238,12 @@ static int goldfish_battery_probe(struct platform_devi= ce *pdev) if (IS_ERR(data->battery)) return PTR_ERR(data->battery); =20 + ret =3D devm_request_irq(&pdev->dev, data->irq, + goldfish_battery_interrupt, + IRQF_SHARED, pdev->name, data); + if (ret) + return ret; + GOLDFISH_BATTERY_WRITE(data, BATTERY_INT_ENABLE, BATTERY_INT_MASK); return 0; } --=20 2.39.5
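Review bot: In the second hunk the handler is requested with `IRQF_SHARED`, so it can be invoked as soon as `devm_request_irq()` returns, before `GOLDFISH_BATTERY_WRITE(data, BATTERY_INT_ENABLE, BATTERY_INT_MASK)` runs. The new position is safe only because `data->ac` and `data->battery` are both registered by then, and nothing in the code records that constraint. A short comment above the moved block, saying the IRQ must be requested after the `power_supply` handles because devm unwinds in reverse order, would keep a later cleanup from moving it back up.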
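The ordering problem the commit messages in this series describe, as a userspace C model added here as an example (not code from the patches or from the kernel). `struct model_dev`, `run_lifecycle()` and the other names are hypothetical, and the release stack only imitates the reverse-order unwinding of `devm_` resources.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_RES 4

struct model_dev;
typedef void (*release_fn)(struct model_dev *);

/* How often the handler ran while the power_supply handle was invalid. */
struct hits {
    unsigned probe;   /* before the handle was registered */
    unsigned remove;  /* after the handle was released */
};

/* Hypothetical stand-in for a device with devm-managed resources. */
struct model_dev {
    release_fn stack[MAX_RES]; /* release actions, pushed in probe order */
    size_t depth;
    bool psy_registered;       /* models a valid power_supply handle */
    bool irq_live;             /* models an installed IRQ handler */
    bool removing;
    struct hits hits;
};

static void devm_add(struct model_dev *d, release_fn fn)
{
    if (d->depth < MAX_RES)
        d->stack[d->depth++] = fn;
}

static void release_irq(struct model_dev *d) { d->irq_live = false; }
static void release_psy(struct model_dev *d) { d->psy_registered = false; }

static void model_request_irq(struct model_dev *d)
{
    d->irq_live = true;
    devm_add(d, release_irq);
}

static void model_register_psy(struct model_dev *d)
{
    d->psy_registered = true;
    devm_add(d, release_psy);
}

/* An interrupt arrives: the handler would call power_supply_changed(). */
static void fire_irq(struct model_dev *d)
{
    if (!d->irq_live)
        return; /* no handler installed, nothing runs */
    if (!d->psy_registered) {
        if (d->removing)
            d->hits.remove++; /* use-after-free window */
        else
            d->hits.probe++;  /* uninitialized-handle window */
    }
}

/* Probe and remove the model device, firing an interrupt after every step. */
struct hits run_lifecycle(bool irq_first)
{
    struct model_dev d = {0};

    if (irq_first) {          /* order before the fix */
        model_request_irq(&d);
        fire_irq(&d);
        model_register_psy(&d);
    } else {                  /* order after the fix */
        model_register_psy(&d);
        fire_irq(&d);
        model_request_irq(&d);
    }
    fire_irq(&d);

    /* Removal: release actions run last-registered-first. */
    d.removing = true;
    while (d.depth > 0) {
        d.stack[--d.depth](&d);
        fire_irq(&d);         /* interrupt between two release actions */
    }
    return d.hits;
}

int main(void)
{
    struct hits before = run_lifecycle(true);
    struct hits after = run_lifecycle(false);

    printf("irq first: probe=%u remove=%u\n", before.probe, before.remove);
    printf("psy first: probe=%u remove=%u\n", after.probe, after.remove);
    return 0;
}
```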
From: Waqar Hameed
To: Samuel Kayode, Sebastian Reichel, Frank Li, Lee Jones
Subject: [PATCH 07/11] power: supply: pf1550: Fix use-after-free in power_supply_changed()
Date: Sat, 20 Dec 2025 23:36:01 +0100
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Using the `devm_` variant for requesting IRQ _before_ the `devm_` variant for
allocating/registering the `power_supply` handle, means that the `power_supply` handle will be deallocated/unregistered _before_ the interrupt handler (since `devm_` naturally deallocates in reverse allocation order). This means that during removal, there is a race condition where an interrupt can fire just _after_ the `power_supply` handle has been freed, *but* just _before_ the corresponding unregistration of the IRQ handler has run. This will lead to the IRQ handler calling `power_supply_changed()` with a freed `power_supply` handle. Which usually crashes the system or otherwise silently corrupts the memory... Note that there is a similar situation which can also happen during `probe()`; the possibility of an interrupt firing _before_ registering the `power_supply` handle. This would then lead to the nasty situation of using the `power_supply` handle *uninitialized* in `power_supply_changed()`. Fix this racy use-after-free by making sure the IRQ is requested _after_ the registration of the `power_supply` handle. Fixes: 4b6b6433a97d ("power: supply: pf1550: add battery charger support") Signed-off-by: Waqar Hameed Reviewed-by: Samuel Kayode --- drivers/power/supply/pf1550-charger.c | 32 +++++++++++++-------------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/drivers/power/supply/pf1550-charger.c b/drivers/power/supply/p= f1550-charger.c index 98f1ee8eca3bc..a457862ef4610 100644 --- a/drivers/power/supply/pf1550-charger.c +++ b/drivers/power/supply/pf1550-charger.c 
@@ -584,22 +584,6 @@ static int pf1550_charger_probe(struct platform_device= *pdev) return dev_err_probe(chg->dev, ret, "failed to add battery sense work\n"); =20 - for (i =3D 0; i < PF1550_CHARGER_IRQ_NR; i++) { - irq =3D platform_get_irq(pdev, i); - if (irq < 0) - return irq; - - chg->virqs[i] =3D irq; - - ret =3D devm_request_threaded_irq(&pdev->dev, irq, NULL, - pf1550_charger_irq_handler, - IRQF_NO_SUSPEND, - "pf1550-charger", chg); - if (ret) - return dev_err_probe(&pdev->dev, ret, - "failed irq request\n"); - } - psy_cfg.drv_data =3D chg; =20 chg->charger =3D devm_power_supply_register(&pdev->dev, 
@@ -616,6 +600,22 @@ static int pf1550_charger_probe(struct platform_device= *pdev) return dev_err_probe(&pdev->dev, PTR_ERR(chg->battery), "failed: power supply register\n"); =20 + for (i =3D 0; i < PF1550_CHARGER_IRQ_NR; i++) { + irq =3D platform_get_irq(pdev, i); + if (irq < 0) + return irq; + + chg->virqs[i] =3D irq; + + ret =3D devm_request_threaded_irq(&pdev->dev, irq, NULL, + pf1550_charger_irq_handler, + IRQF_NO_SUSPEND, + "pf1550-charger", chg); + if (ret) + return dev_err_probe(&pdev->dev, ret, + "failed irq request\n"); + } + pf1550_dt_parse_dev_info(chg); =20 return pf1550_reg_init(chg); --=20 2.39.5
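Review bot: In the second hunk the IRQ loop now sits after the `chg->battery` registration check but still before `pf1550_dt_parse_dev_info(chg)` and `return pf1550_reg_init(chg)`, so `pf1550_charger_irq_handler` can run on a charger whose device-tree settings and registers have not been set up yet. If the handler or anything it schedules depends on that state, move the loop after those two calls, storing the `pf1550_reg_init()` result in `ret` first. If it does not, say so in the commit message, since the stated goal is to close the probe-time window as well as the removal one.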
From: Waqar Hameed
To: Sebastian Reichel, Nikita Travkin
Subject: [PATCH 08/11] power: supply: pm8916_bms_vm: Fix use-after-free in power_supply_changed()
Message-ID: <2749c09ff81fcac87ae48147e216135450d8c067.1766268280.git.waqar.hameed@axis.com>
Date: Sat, 20 Dec 2025 23:36:01 +0100
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Using the `devm_` variant for requesting IRQ _before_ the `devm_` variant for
allocating/registering the `power_supply` handle, means that the `power_supply` handle will be deallocated/unregistered _before_ the interrupt handler (since `devm_` naturally deallocates in reverse allocation order). This means that during removal, there is a race condition where an interrupt can fire just _after_ the `power_supply` handle has been freed, *but* just _before_ the corresponding unregistration of the IRQ handler has run. This will lead to the IRQ handler calling `power_supply_changed()` with a freed `power_supply` handle. Which usually crashes the system or otherwise silently corrupts the memory... Note that there is a similar situation which can also happen during `probe()`; the possibility of an interrupt firing _before_ registering the `power_supply` handle. This would then lead to the nasty situation of using the `power_supply` handle *uninitialized* in `power_supply_changed()`. Fix this racy use-after-free by making sure the IRQ is requested _after_ the registration of the `power_supply` handle. Fixes: 098bce1838e0 ("power: supply: Add pm8916 VM-BMS support") Signed-off-by: Waqar Hameed Reviewed-by: Nikita Travkin --- drivers/power/supply/pm8916_bms_vm.c | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/drivers/power/supply/pm8916_bms_vm.c b/drivers/power/supply/pm= 8916_bms_vm.c index 5120be086e6ff..de5d571c03e21 100644 --- a/drivers/power/supply/pm8916_bms_vm.c +++ b/drivers/power/supply/pm8916_bms_vm.c @@ -167,15 +167,6 @@ static int pm8916_bms_vm_battery_probe(struct platform= _device *pdev) if (ret < 0) return -EINVAL; =20 - irq =3D platform_get_irq_byname(pdev, "fifo"); - if (irq < 0) - return irq; - - ret =3D devm_request_threaded_irq(dev, irq, NULL, pm8916_bms_vm_fifo_upda= te_done_irq, - IRQF_ONESHOT, "pm8916_vm_bms", bat); - if (ret) - return ret; - ret =3D regmap_bulk_read(bat->regmap, bat->reg + PM8916_PERPH_TYPE, &tmp,= 2); if (ret) goto comm_error; 
@@ -220,6 +211,15 @@ static int pm8916_bms_vm_battery_probe(struct platform= _device *pdev) if (ret) return dev_err_probe(dev, ret, "Unable to get battery info\n"); =20 + irq =3D platform_get_irq_byname(pdev, "fifo"); + if (irq < 0) + return irq; + + ret =3D devm_request_threaded_irq(dev, irq, NULL, pm8916_bms_vm_fifo_upda= te_done_irq, + IRQF_ONESHOT, "pm8916_vm_bms", bat); + if (ret) + return ret; + platform_set_drvdata(pdev, bat); =20 return 0; --=20 2.39.5
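Review bot: In the second hunk the threaded IRQ is requested just before `platform_set_drvdata(pdev, bat)`, so `pm8916_bms_vm_fifo_update_done_irq` can run while the platform device still has no drvdata. The handler receives `bat` as its cookie, so this is harmless as long as nothing on that path calls `platform_get_drvdata()`. Moving `platform_set_drvdata()` above the request would remove the question at no cost.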
From: Waqar Hameed
To: Sebastian Reichel, Nikita Travkin
Subject: [PATCH 09/11] power: supply: pm8916_lbc: Fix use-after-free in power_supply_changed()
Message-ID: <64d8dd3675a4e59fa32c3e0ef451f12d1f7ed18f.1766268280.git.waqar.hameed@axis.com>
Date: Sat, 20 Dec 2025 23:36:01 +0100
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Using the `devm_` variant for requesting IRQ _before_ the `devm_` variant for
allocating/registering the `power_supply` handle, means that the `power_supply` handle will be deallocated/unregistered _before_ the interrupt handler (since `devm_` naturally deallocates in reverse allocation order). This means that during removal, there is a race condition where an interrupt can fire just _after_ the `power_supply` handle has been freed, *but* just _before_ the corresponding unregistration of the IRQ handler has run.

This will lead to the IRQ handler calling `power_supply_changed()` with a freed `power_supply` handle. Which usually crashes the system or otherwise silently corrupts the memory...

Note that there is a similar situation which can also happen during `probe()`; the possibility of an interrupt firing _before_ registering the `power_supply` handle. This would then lead to the nasty situation of using the `power_supply` handle *uninitialized* in `power_supply_changed()`.

Fix this racy use-after-free by making sure the IRQ is requested _after_ the registration of the `power_supply` handle.

Fixes: f8d7a3d21160 ("power: supply: Add driver for pm8916 lbc")
Signed-off-by: Waqar Hameed
Reviewed-by: Nikita Travkin
---
 drivers/power/supply/pm8916_lbc.c | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/drivers/power/supply/pm8916_lbc.c b/drivers/power/supply/pm891= 6_lbc.c index c74b75b1b2676..3ca717d84aade 100644 --- a/drivers/power/supply/pm8916_lbc.c +++ b/drivers/power/supply/pm8916_lbc.c @@ -274,15 +274,6 @@ static int pm8916_lbc_charger_probe(struct platform_de= vice *pdev) return dev_err_probe(dev, -EINVAL, "Wrong amount of reg values: %d (4 expected)\n", len); =20 - irq =3D platform_get_irq_byname(pdev, "usb_vbus"); - if (irq < 0) - return irq; - - ret =3D devm_request_threaded_irq(dev, irq, NULL, pm8916_lbc_charger_stat= e_changed_irq, - IRQF_ONESHOT, "pm8916_lbc", chg); - if (ret) - return ret; - ret =3D device_property_read_u32_array(dev, "reg", chg->reg, len); if (ret) return ret;
@@ -332,6 +323,15 @@ static int pm8916_lbc_charger_probe(struct platform_de= vice *pdev) if (ret) return dev_err_probe(dev, ret, "Unable to get battery info\n"); =20 + irq =3D platform_get_irq_byname(pdev, "usb_vbus"); + if (irq < 0) + return irq; + + ret =3D devm_request_threaded_irq(dev, irq, NULL, pm8916_lbc_charger_stat= e_changed_irq, + IRQF_ONESHOT, "pm8916_lbc", chg); + if (ret) + return ret; + chg->edev =3D devm_extcon_dev_allocate(dev, pm8916_lbc_charger_cable); if (IS_ERR(chg->edev)) return PTR_ERR(chg->edev); --=20 2.39.5
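Review bot: In the second hunk (`@@ -332,6 +323,15 @@`) the relocated `devm_request_threaded_irq()` call lands directly above `chg->edev = devm_extcon_dev_allocate(dev, pm8916_lbc_charger_cable);`, so the IRQ is still requested before the extcon device exists. If `pm8916_lbc_charger_state_changed_irq()` touches `chg->edev` (the handler body is not part of this diff), the ordering problem described in the commit message applies to it as well: an interrupt arriving right after the request would see an unallocated `chg->edev`, and on removal devm would release the extcon device before the IRQ. Consider moving the request below the extcon allocation and registration, or state in the commit message that the handler only uses the `power_supply` handle.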
From: Waqar Hameed
To: Sebastian Reichel, Krzysztof Kozlowski, Anda-Maria Nicolae
Subject: [PATCH 10/11] power: supply: rt9455: Fix use-after-free in power_supply_changed()
Message-ID: <1567d831e04c3e2fcb9e18dd36b7bcba4634581a.1766268280.git.waqar.hameed@axis.com>
Date: Sat, 20 Dec 2025 23:36:02 +0100
X-Mailing-List: linux-kernel@vger.kernel.org

Using the
`devm_` variant for requesting IRQ _before_ the `devm_` variant for allocating/registering the `power_supply` handle, means that the `power_supply` handle will be deallocated/unregistered _before_ the interrupt handler (since `devm_` naturally deallocates in reverse allocation order). This means that during removal, there is a race condition where an interrupt can fire just _after_ the `power_supply` handle has been freed, *but* just _before_ the corresponding unregistration of the IRQ handler has run.

This will lead to the IRQ handler calling `power_supply_changed()` with a freed `power_supply` handle. Which usually crashes the system or otherwise silently corrupts the memory...

Note that there is a similar situation which can also happen during `probe()`; the possibility of an interrupt firing _before_ registering the `power_supply` handle. This would then lead to the nasty situation of using the `power_supply` handle *uninitialized* in `power_supply_changed()`.

Fix this racy use-after-free by making sure the IRQ is requested _after_ the registration of the `power_supply` handle.

Fixes: e86d69dd786e ("power_supply: Add support for Richtek RT9455 battery charger")
Signed-off-by: Waqar Hameed
---
 drivers/power/supply/rt9455_charger.c | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)

diff --git a/drivers/power/supply/rt9455_charger.c b/drivers/power/supply/r= t9455_charger.c index 1ffe7f02932f6..5130d2395e88f 100644 --- a/drivers/power/supply/rt9455_charger.c +++ b/drivers/power/supply/rt9455_charger.c
@@ -1663,6 +1663,15 @@ static int rt9455_probe(struct i2c_client *client) rt9455_charger_config.supplied_to =3D rt9455_charger_supplied_to; rt9455_charger_config.num_supplicants =3D ARRAY_SIZE(rt9455_charger_supplied_to); + + info->charger =3D devm_power_supply_register(dev, &rt9455_charger_desc, + &rt9455_charger_config); + if (IS_ERR(info->charger)) { + dev_err(dev, "Failed to register charger\n"); + ret =3D PTR_ERR(info->charger); + goto put_usb_notifier; + } + ret =3D devm_request_threaded_irq(dev, client->irq, NULL, rt9455_irq_handler_thread, IRQF_TRIGGER_LOW | IRQF_ONESHOT, 
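Review bot: The `devm_power_supply_register()` call added at the top of this hunk makes the charger visible through the power-supply class before the remaining steps of `rt9455_probe()` have run, including the step whose failure path (`goto put_usb_notifier`) appears as context at the start of the next hunk. Please confirm that the driver's property callbacks are safe to run before those steps complete, since they can be invoked as soon as registration returns. A short comment above the call saying it must stay ahead of `devm_request_threaded_irq()` would also keep a later cleanup from restoring the old order.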
@@ -1678,14 +1687,6 @@ static int rt9455_probe(struct i2c_client *client) goto put_usb_notifier; } =20 - info->charger =3D devm_power_supply_register(dev, &rt9455_charger_desc, - &rt9455_charger_config); - if (IS_ERR(info->charger)) { - dev_err(dev, "Failed to register charger\n"); - ret =3D PTR_ERR(info->charger); - goto put_usb_notifier; - } - return 0; =20 put_usb_notifier: --=20 2.39.5
From: Waqar Hameed
To: Sebastian Reichel, Phil Reid
CC: Sebastian Reichel, Phil Reid
Subject: [PATCH 11/11] power: supply: sbs-battery: Fix use-after-free in power_supply_changed()
Message-ID: <0ef896e002495e615157b482d18a437af19ddcd0.1766268280.git.waqar.hameed@axis.com>
Date: Sat, 20 Dec 2025 23:36:02 +0100
X-Mailing-List: linux-kernel@vger.kernel.org

Using the
`devm_` variant for requesting IRQ _before_ the `devm_` variant for allocating/registering the `power_supply` handle, means that the `power_supply` handle will be deallocated/unregistered _before_ the interrupt handler (since `devm_` naturally deallocates in reverse allocation order). This means that during removal, there is a race condition where an interrupt can fire just _after_ the `power_supply` handle has been freed, *but* just _before_ the corresponding unregistration of the IRQ handler has run.

This will lead to the IRQ handler calling `power_supply_changed()` with a freed `power_supply` handle. Which usually crashes the system or otherwise silently corrupts the memory...

Note that there is a similar situation which can also happen during `probe()`; the possibility of an interrupt firing _before_ registering the `power_supply` handle. This would then lead to the nasty situation of using the `power_supply` handle *uninitialized* in `power_supply_changed()`.

Fix this racy use-after-free by making sure the IRQ is requested _after_ the registration of the `power_supply` handle. Keep the old behavior of just printing a warning in case of any failures during the IRQ request and finishing the probe successfully.

Fixes: d2cec82c2880 ("power: sbs-battery: Request threaded irq and fix dev callback cookie")
Signed-off-by: Waqar Hameed
Reviewed-by: Phil Reid
---
 drivers/power/supply/sbs-battery.c | 36 +++++++++++++++---------------
 1 file changed, 18 insertions(+), 18 deletions(-)

diff --git a/drivers/power/supply/sbs-battery.c b/drivers/power/supply/sbs-= battery.c index 943c82ee978f4..43c48196c1674 100644 --- a/drivers/power/supply/sbs-battery.c +++ b/drivers/power/supply/sbs-battery.c
@@ -1174,24 +1174,6 @@ static int sbs_probe(struct i2c_client *client) =20 i2c_set_clientdata(client, chip); =20 - if (!chip->gpio_detect) - goto skip_gpio; - - irq =3D gpiod_to_irq(chip->gpio_detect); - if (irq <=3D 0) { - dev_warn(&client->dev, "Failed to get gpio as irq: %d\n", irq); - goto skip_gpio; - } - - rc =3D devm_request_threaded_irq(&client->dev, irq, NULL, sbs_irq, - IRQF_TRIGGER_RISING | IRQF_TRIGGER_FALLING | IRQF_ONESHOT, - dev_name(&client->dev), chip); - if (rc) { - dev_warn(&client->dev, "Failed to request irq: %d\n", rc); - goto skip_gpio; - } - -skip_gpio: /* * Before we register, we might need to make sure we can actually talk * to the battery. @@ -1217,6 +1199,24 @@ static int sbs_probe(struct i2c_client *client) return dev_err_probe(&client->dev, PTR_ERR(chip->power_supply), "Failed to register power supply\n"); =20 + if (!chip->gpio_detect) + goto out; + + irq =3D gpiod_to_irq(chip->gpio_detect); + if (irq <=3D 0) { + dev_warn(&client->dev, "Failed to get gpio as irq: %d\n", irq); + goto out; + } + + rc =3D devm_request_threaded_irq(&client->dev, irq, NULL, sbs_irq, + IRQF_TRIGGER_RISING | IRQF_TRIGGER_FALLING | IRQF_ONESHOT, + dev_name(&client->dev), chip); + if (rc) { + dev_warn(&client->dev, "Failed to request irq: %d\n", rc); + goto out; + } + +out: dev_info(&client->dev, "%s: battery gas gauge device registered\n", client->name); =20 --=20 2.39.5
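Review bot: In the block relocated to the end of `sbs_probe()` (second hunk), the last `goto out;` inside `if (rc) { ... }` jumps to the `out:` label that follows immediately, so it does nothing, and `out` reads like an exit or error label although probe simply continues to `dev_info()`. The pattern is carried over from the old `skip_gpio` code, but since the block is being moved anyway, consider dropping the final `goto` and keeping a descriptive label such as the previous `skip_gpio`, or factoring the optional IRQ setup into a small helper that returns early. A one-line comment that the request must stay after the `power_supply` registration would document the ordering this fix depends on.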