counter: 104-quad-8: Fix use-after-free by quad8_irq_handler

On unbind an irq might be pending which results in quad8_irq_handler()
calling counter_push_event() for a counter that is already unregistered.
This patch fixes that situation by passing the struct counter_device dev
to devm_request_irq() rather than the parent's so that the irq handler
is cleaned before the counter is unregistered.

Fixes: 7aa2ba0df651 ("counter: 104-quad-8: Add IRQ support for the ACCES 104-QUAD-8")
Cc: Syed Nayyar Waris <syednwaris@gmail.com>
Reported-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Signed-off-by: William Breathitt Gray <vilhelm.gray@gmail.com>
Link: https://lore.kernel.org/r/20220105093052.258791-1-vilhelm.gray@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/counter/104-quad-8.c b/drivers/counter/104-quad-8.c
index 1fbb3923797c43013a1e6276643bee2ea28df734..a17e51d65aca8b9aff14d57a1a6f4b0901991abd 100644 (file)
--- a/drivers/counter/104-quad-8.c
+++ b/drivers/counter/104-quad-8.c
@@ -1188,8 +1188,8 @@ static int quad8_probe(struct device *dev, unsigned int id)
        /* Enable all counters and enable interrupt function */
        outb(QUAD8_CHAN_OP_ENABLE_INTERRUPT_FUNC, base[id] + QUAD8_REG_CHAN_OP);
 
-       err = devm_request_irq(dev, irq[id], quad8_irq_handler, IRQF_SHARED,
-                              counter->name, counter);
+       err = devm_request_irq(&counter->dev, irq[id], quad8_irq_handler,
+                              IRQF_SHARED, counter->name, counter);
        if (err)
                return err;