Commit 36f7e2b2 authored by Felix Fietkau's avatar Felix Fietkau

mt76: do not use devm API for led classdev



With the devm API, the unregister happens after the device cleanup is done,
after which the struct mt76_dev which contains the led_cdev has already been
freed. This leads to a use-after-free bug that can crash the system.

Signed-off-by: default avatarFelix Fietkau <nbd@nbd.name>
parent 55857ab8
+10 −1
@@ -105,7 +105,15 @@ static int mt76_led_init(struct mt76_dev *dev)
		dev->led_al = of_property_read_bool(np, "led-active-low");
		dev->led_al = of_property_read_bool(np, "led-active-low");
	}
	}


	return devm_led_classdev_register(dev->dev, &dev->led_cdev);
	return led_classdev_register(dev->dev, &dev->led_cdev);
}

static void mt76_led_cleanup(struct mt76_dev *dev)
{
	if (!dev->led_cdev.brightness_set && !dev->led_cdev.blink_set)
		return;

	led_classdev_unregister(&dev->led_cdev);
}
}


static void mt76_init_stream_cap(struct mt76_dev *dev,
static void mt76_init_stream_cap(struct mt76_dev *dev,
@@ -362,6 +370,7 @@ void mt76_unregister_device(struct mt76_dev *dev)
{
{
	struct ieee80211_hw *hw = dev->hw;
	struct ieee80211_hw *hw = dev->hw;


	mt76_led_cleanup(dev);
	mt76_tx_status_check(dev, NULL, true);
	mt76_tx_status_check(dev, NULL, true);
	ieee80211_unregister_hw(hw);
	ieee80211_unregister_hw(hw);
}
}
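Review bot: Dropping the devm registration in `mt76_led_init()` means nothing unregisters `dev->led_cdev` unless `mt76_led_cleanup()` runs, and the only call added here is in `mt76_unregister_device()`. If a step after a successful `mt76_led_init()` fails in the registration path (that path is outside these hunks, so this needs confirming), the classdev would stay registered while `struct mt76_dev` is freed, which is the same use-after-free the commit describes. The guard in `mt76_led_cleanup()` also infers registration from the `brightness_set`/`blink_set` pointers rather than from the result of `led_classdev_register()`. A comment above the function such as `/* only valid after mt76_led_init() returned 0; error paths after that point must call this too */`, or an explicit registered flag, would make the contract visible. `mt76_led_init()` begins above the first hunk, so its own early-return condition cannot be checked from here.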