From: William Breathitt Gray <vilhelm.gray@gmail.com>
Date: Wed, 5 Jan 2022 09:30:52 +0000 (+0900)
Subject: counter: 104-quad-8: Fix use-after-free by quad8_irq_handler
X-Git-Url: https://repo.jachan.dev/J-linux.git/commitdiff_plain/663d8fb0f84c0f3aade8974fbf3a2ddb255f54a5

counter: 104-quad-8: Fix use-after-free by quad8_irq_handler

On unbind an irq might be pending which results in quad8_irq_handler()
calling counter_push_event() for a counter that is already unregistered.
This patch fixes that situation by passing the struct counter_device dev
to devm_request_irq() rather than the parent's so that the irq handler
is cleaned before the counter is unregistered.

Fixes: 7aa2ba0df651 ("counter: 104-quad-8: Add IRQ support for the ACCES 104-QUAD-8")
Cc: Syed Nayyar Waris <syednwaris@gmail.com>
Reported-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Signed-off-by: William Breathitt Gray <vilhelm.gray@gmail.com>
Link: https://lore.kernel.org/r/20220105093052.258791-1-vilhelm.gray@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---

diff --git a/drivers/counter/104-quad-8.c b/drivers/counter/104-quad-8.c
index 1fbb3923797c..a17e51d65aca 100644
--- a/drivers/counter/104-quad-8.c
+++ b/drivers/counter/104-quad-8.c
@@ -1188,8 +1188,8 @@ static int quad8_probe(struct device *dev, unsigned int id)
 	/* Enable all counters and enable interrupt function */
 	outb(QUAD8_CHAN_OP_ENABLE_INTERRUPT_FUNC, base[id] + QUAD8_REG_CHAN_OP);
 
-	err = devm_request_irq(dev, irq[id], quad8_irq_handler, IRQF_SHARED,
-			       counter->name, counter);
+	err = devm_request_irq(&counter->dev, irq[id], quad8_irq_handler,
+			       IRQF_SHARED, counter->name, counter);
 	if (err)
 		return err;