[PATCH openEuler-1.0-LTS] leds: trigger: Unregister sysfs attributes before calling deactivate() - Kernel

19 Aug 2024

From: Hans de Goede hdegoede@redhat.com
mainline inclusion
from mainline-v6.11-rc1
commit c0dc9adf9474ecb7106e60e5472577375aedaed3
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAKQ89
CVE: CVE-2024-43830
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...
--------------------------------
Triggers which have trigger specific sysfs attributes typically store
related data in trigger-data allocated by the activate() callback and
freed by the deactivate() callback.
Calling device_remove_groups() after calling deactivate() leaves a window
where the sysfs attributes show/store functions could be called after
deactivation and then operate on the just freed trigger-data.
Move the device_remove_groups() call to before deactivate() to close
this race window.
This also makes the deactivation path properly do things in reverse order
of the activation path which calls the activate() callback before calling
device_add_groups().
Fixes: a7e7a3156300 ("leds: triggers: add device attribute support")
Cc: Uwe Kleine-König u.kleine-koenig@pengutronix.de
Signed-off-by: Hans de Goede hdegoede@redhat.com
Acked-by: Uwe Kleine-König u.kleine-koenig@pengutronix.de
Link: https://lore.kernel.org/r/20240504162533.76780-1-hdegoede@redhat.com
Signed-off-by: Lee Jones lee@kernel.org
Conflicts:
    drivers/leds/led-triggers.c
[Fix context conflict]
Signed-off-by: Luo Gengkun luogengkun2@huawei.com
---
 drivers/leds/led-triggers.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/leds/led-triggers.c b/drivers/leds/led-triggers.c
index 4e7b78a84149..cbe70f38cb57 100644
--- a/drivers/leds/led-triggers.c
+++ b/drivers/leds/led-triggers.c
@@ -177,9 +177,9 @@ int led_trigger_set(struct led_classdev *led_cdev, struct led_trigger *trig)
    		flags);
    	cancel_work_sync(&led_cdev->set_brightness_work);
    	led_stop_software_blink(led_cdev);
+		device_remove_groups(led_cdev->dev, led_cdev->trigger->groups);
    	if (led_cdev->trigger->deactivate)
    		led_cdev->trigger->deactivate(led_cdev);
-		device_remove_groups(led_cdev->dev, led_cdev->trigger->groups);
    	led_cdev->trigger = NULL;
    	led_cdev->trigger_data = NULL;
    	led_cdev->activated = false;
-- 
2.34.1


    