niansa-misc/linux
1
0
Fork 0
mirror of synced 2025-03-06 20:59:54 +01:00
Code Issues Projects Releases Packages Wiki Activity

mt76: do not use devm API for led classdev

Browse source 
With the devm API, the unregister happens after the device cleanup is done,
after which the struct mt76_dev which contains the led_cdev has already been
freed. This leads to a use-after-free bug that can crash the system.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
This commit is contained in:
Felix Fietkau 2019-09-29 22:04:37 +02:00
parent 55857ab857
commit 36f7e2b2bb
1 changed files with 10 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

11
drivers/net/wireless/mediatek/mt76/mac80211.c
View file

@ -105,7 +105,15 @@ static int mt76_led_init(struct mt76_dev *dev)
dev->led_al = of_property_read_bool(np, "led-active-low"); dev->led_al = of_property_read_bool(np, "led-active-low");
} }
return devm_led_classdev_register(dev->dev, &dev->led_cdev); return led_classdev_register(dev->dev, &dev->led_cdev);
}
static void mt76_led_cleanup(struct mt76_dev *dev)
{
if (!dev->led_cdev.brightness_set && !dev->led_cdev.blink_set)
return;
led_classdev_unregister(&dev->led_cdev);
} }
static void mt76_init_stream_cap(struct mt76_dev *dev, static void mt76_init_stream_cap(struct mt76_dev *dev,
@ -362,6 +370,7 @@ void mt76_unregister_device(struct mt76_dev *dev)
{ {
struct ieee80211_hw *hw = dev->hw; struct ieee80211_hw *hw = dev->hw;
mt76_led_cleanup(dev);
mt76_tx_status_check(dev, NULL, true); mt76_tx_status_check(dev, NULL, true);
ieee80211_unregister_hw(hw); ieee80211_unregister_hw(hw);
} }