rc_unregister_device() will first call ir_free_table(), and later
device_del(); however, the latter causes a call to rc_dev_uevent(),
which prints rc_map.name, which at this point has already bee freed.
This fixes a use-after-free bug found with KASAN.
As reported by Shuah:
"I am seeing the following when I do rmmod on au0828
BUG: KASAN: use-after-free in string+0x170/0x1f0 at addr ffff8801bd513000
Read of size 1 by task rmmod/1831
CPU: 1 PID: 1831 Comm: rmmod Tainted: G W 4.9.0-rc5 #5
Hardware name: Hewlett-Packard HP ProBook 6475b/180F, BIOS 68TTU Ver. F.04 08/03/2012
ffff8801aea2f680 ffffffff81b37ad3 ffff8801fa403b80 ffff8801bd513000
ffff8801aea2f6a8 ffffffff8156c301 ffff8801aea2f738 ffff8801bd513000
ffff8801fa403b80 ffff8801aea2f728 ffffffff8156c59a ffff8801aea2f770
Call Trace:
dump_stack+0x67/0x94
[<ffffffff8156c301>] kasan_object_err+0x21/0x70
[<ffffffff8156c59a>] kasan_report_error+0x1fa/0x4d0
[<ffffffffa116f05f>] ? au0828_exit+0x10/0x21 [au0828]
[<ffffffff8156c8b3>] __asan_report_load1_noabort+0x43/0x50
[<ffffffff81b58b20>] ? string+0x170/0x1f0
[<ffffffff81b58b20>] string+0x170/0x1f0
[<ffffffff81b621c4>] vsnprintf+0x374/0x1c50
[<ffffffff81b61e50>] ? pointer+0xa80/0xa80
[<ffffffff8156b676>] ? save_stack+0x46/0xd0
[<ffffffff81566faa>] ? __kmalloc+0x14a/0x2a0
[<ffffffff81b3d70a>] ? kobject_get_path+0x9a/0x200
[<ffffffff81b408c2>] ? kobject_uevent_env+0x282/0xca0
[<ffffffff81b412eb>] ? kobject_uevent+0xb/0x10
[<ffffffff81f10104>] ? device_del+0x434/0x6d0
[<ffffffffa0fea717>] ? rc_unregister_device+0x177/0x240 [rc_core]
[<ffffffffa116eeb0>] ? au0828_rc_unregister+0x60/0xb0 [au0828]
The problem is fixed with this patch on Linux 4.9-rc4"
Signed-off-by: Max Kellermann <max.kellermann@gmail.com>
Tested-by: Shuah Khan <shuahkh@osg.samsung.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
c183d3584b