From: Vincent Donnefort vincent.donnefort@arm.com
[ Upstream commit 2f061fd0c2d852e32e03a903fccd810663c5c31e ]
device_release() is freeing the resources before calling the device specific release callback which is, in the case of devfreq, stopping the governor.
It is a problem as some governors are using the device resources. e.g. simpleondemand which is using the devfreq deferrable monitoring work. If it is not stopped before the resources are freed, it might lead to a use after free.
Signed-off-by: Vincent Donnefort vincent.donnefort@arm.com Reviewed-by: John Einar Reitan john.reitan@arm.com [cw00.choi: Fix merge conflict] Reviewed-by: Chanwoo Choi cw00.choi@samsung.com Signed-off-by: MyungJoo Ham myungjoo.ham@samsung.com Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/devfreq/devfreq.c | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/drivers/devfreq/devfreq.c b/drivers/devfreq/devfreq.c index 8e21bedc74c38..bcd2279106760 100644 --- a/drivers/devfreq/devfreq.c +++ b/drivers/devfreq/devfreq.c @@ -578,10 +578,6 @@ static void devfreq_dev_release(struct device *dev) list_del(&devfreq->node); mutex_unlock(&devfreq_list_lock);
- if (devfreq->governor) - devfreq->governor->event_handler(devfreq, - DEVFREQ_GOV_STOP, NULL); - if (devfreq->profile->exit) devfreq->profile->exit(devfreq->dev.parent);
@@ -717,7 +713,7 @@ struct devfreq *devfreq_add_device(struct device *dev, err_init: mutex_unlock(&devfreq_list_lock);
- device_unregister(&devfreq->dev); + devfreq_remove_device(devfreq); devfreq = NULL; err_dev: if (devfreq) @@ -738,6 +734,9 @@ int devfreq_remove_device(struct devfreq *devfreq) if (!devfreq) return -EINVAL;
+ if (devfreq->governor) + devfreq->governor->event_handler(devfreq, + DEVFREQ_GOV_STOP, NULL); device_unregister(&devfreq->dev);
return 0;