On 01/06/2023 05:33, Trevor Wu wrote:
During mt8195_afe_init_clock(), mt8195_audsys_clk_register() was called followed by several other devm functions. At mt8195_afe_deinit_clock() located at mt8195_afe_pcm_dev_remove(), mt8195_audsys_clk_unregister() was called.
However, there was an issue with the order in which these functions were called. Specifically, the remove callback of platform_driver was called before devres released the resource, resulting in a use-after-free issue during remove time.
At probe time, the order of calls was:
1. mt8195_audsys_clk_register
2. afe_priv->clk = devm_kcalloc
3. afe_priv->clk[i] = devm_clk_get
At remove time, the order of calls was:
- mt8195_audsys_clk_unregister
- free afe_priv->clk[i]
- free afe_priv->clk
To resolve the problem, we can utilize devm_add_action_or_reset() in mt8195_audsys_clk_register() so that the remove order can be changed to 3->2->1.
Reviewed-by: Alexandre Mergnat <amergnat@baylibre.com>
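
The teardown ordering described in the quoted commit message, as an added example that is not part of the original mail or of the driver: a userspace C model of devres, in which managed release callbacks run in reverse registration order after the driver's remove callback. The names model_dev, note, devm_add, unbind and run are hypothetical, steps are numbered 1 to 3 in probe order, and the model only flags the ordering violation rather than reproducing the kernel memory error.

```c
#include <stdio.h>
#include <string.h>
/* Model of a device's devres list: release callbacks run last-in, first-out. */
struct model_dev {
    void (*release[8])(struct model_dev *);
    int n;
    int handles_live;   /* clk array and clk handles not yet released */
    int violations;     /* provider torn down while handles were live */
    char order[32];     /* teardown order by probe step, e.g. "3,2,1" */
};

static void note(struct model_dev *d, const char *step)
{
    if (d->order[0]) strcat(d->order, ",");
    strcat(d->order, step);
}

static void audsys_unregister(struct model_dev *d)   /* undoes step 1 */
{
    d->violations += d->handles_live > 0;
    note(d, "1");
}
static void free_clk_array(struct model_dev *d)  { d->handles_live--; note(d, "2"); }
static void put_clk_handles(struct model_dev *d) { d->handles_live--; note(d, "3"); }
static void devm_add(struct model_dev *d, void (*fn)(struct model_dev *)) { d->release[d->n++] = fn; }

/* Unbind: the remove() callback runs first, then devres releases in reverse. */
static void unbind(struct model_dev *d, void (*remove_cb)(struct model_dev *))
{
    if (remove_cb) remove_cb(d);
    while (d->n > 0) d->release[--d->n](d);
}

/* managed = 0: unregister from remove(); managed = 1: unregister as a devres action. */
static struct model_dev run(int managed)
{
    struct model_dev d = {0};
    if (managed) devm_add(&d, audsys_unregister);        /* step 1 */
    devm_add(&d, free_clk_array);  d.handles_live++;     /* step 2 */
    devm_add(&d, put_clk_handles); d.handles_live++;     /* step 3 */
    unbind(&d, managed ? NULL : audsys_unregister);
    return d;
}

int main(void)
{
    struct model_dev before = run(0), after = run(1);
    printf("remove() callback: order %s, violations %d\n", before.order, before.violations);
    printf("devres action:     order %s, violations %d\n", after.order, after.violations);
}
```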