char: tlclk: fix use-after-free in tlclk_cleanup()

This patch improves the module cleanup process in the tlclk driver to
prevent potential use-after-free and race conditions.

Currently, the file_operations structure does not specify the .owner
field, which could allow the module to be unloaded while user-space
processes are still interacting with the device. Additionally, the
tlclk_cleanup() function frees the alarm_events memory before ensuring
that blocked processes in the waitqueue are fully awakened and that the
switchover_timer has completed.

To address these cases, this patch:
- Sets '.owner = THIS_MODULE' in tlclk_fops to safely defer module
  unloading while the device is in use.
- Updates tlclk_cleanup() to explicitly wake up all blocked readers
  (wake_up_all), properly release hardware I/O regions, and safely
  delete the timer (timer_delete_sync) prior to freeing memory.

Fixes: 1a80ba882730 ("[PATCH] Telecom Clock Driver for MPCBL0010 ATCA computer blade")
Signed-off-by: James Kim <james010kim@gmail.com>
Link: https://patch.msgid.link/20260503101131.64219-1-james010kim@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/char/tlclk.c b/drivers/char/tlclk.c
index 677d230a226cf5735ffb13c8b8f13242f5c3dd23..dd45fe5eb6f2701bdc53f5b977a334ba80c154f5 100644 (file)
--- a/drivers/char/tlclk.c
+++ b/drivers/char/tlclk.c
@@ -264,6 +264,7 @@ static ssize_t tlclk_read(struct file *filp, char __user *buf, size_t count,
 }
 
 static const struct file_operations tlclk_fops = {
+       .owner = THIS_MODULE,
        .read = tlclk_read,
        .open = tlclk_open,
        .release = tlclk_release,
@@ -837,6 +838,9 @@ static void __exit tlclk_cleanup(void)
        misc_deregister(&tlclk_miscdev);
        unregister_chrdev(tlclk_major, "telco_clock");
 
+       got_event = 1;
+       wake_up_all(&wq);
+
        release_region(TLCLK_BASE, 8);
        timer_delete_sync(&switchover_timer);
        kfree(alarm_events);