firmware: ti_sci: resource leak and use after free

Uwe Kleine-König u.kleine-koenig at pengutronix.de
Thu Feb 16 00:39:08 PST 2023


Hello,

The ti_sci firmware driver (drivers/firmware/ti_sci.c) has a problem in
its remove callback. I didn't check it to an end and I also don't have
the needed hardware available to test, so take my diagnosis with a grain
of salt.

The problem is that if ti_sci_remove() is called while info->users is
non-zero it skips ti_sci_debugfs_destroy() and mbox_free_channel(),
however the device will be unbound after ti_sci_remove() completes and
(among other stuff) *info will be freed. (See platform_remove() in
drivers/base/platform.c.) However, the debugfs entries stay available and
accessing them will access *info. Also, info stays linked in ti_sci_list
and might be traversed there. Maybe similar problems can happen with the
unfreed mbox channels.

Fixing that requires (at least) that info stays around until it's
completely unreferenced. I don't know enough about the firmware
framework and the involved hardware to suggest a fix though.

Best regards
Uwe

-- 
Pengutronix e.K.                           | Uwe Kleine-König            |
Industrial Linux Solutions                 | https://www.pengutronix.de/ |
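An added model of the lifetime ordering described in the report (not the ti_sci driver's code): flags stand in for the debugfs entries, mailbox channels and list membership, and the refcounted variant is a hypothetical shape, not a proposed patch.

```c
/* Constructed model: a consumer still holds a handle (users != 0) while the
 * platform device is unbound.  Nothing here is the real driver's code. */
struct info_model {
    int users;        /* consumers holding a ti_sci handle */
    int refs;         /* hypothetical: owners of the memory (device + users) */
    int debugfs_live; /* debugfs entries still registered */
    int mbox_live;    /* mailbox channels still allocated */
    int in_list;      /* still linked in the global list */
    int freed;        /* memory returned; any later access is a use-after-free */
};

/* 1 if something still points at memory that has already been freed. */
int dangling(const struct info_model *m)
{
    return m->freed && (m->debugfs_live || m->mbox_live || m->in_list);
}

/* Order the report describes: remove() skips teardown while users != 0,
 * but the platform core frees *info as soon as remove() returns. */
int unbind_as_reported(struct info_model *m)
{
    if (m->users == 0) {
        m->debugfs_live = 0;
        m->mbox_live = 0;
        m->in_list = 0;
    }
    m->freed = 1;                 /* platform_remove(): driver data released */
    return dangling(m);
}

/* Hypothetical refcounted shape: the memory (and the channels a holder may
 * still need) go away only when the last reference is dropped. */
void info_put(struct info_model *m)
{
    if (--m->refs == 0) {
        m->mbox_live = 0;
        m->freed = 1;
    }
}

/* remove() always unlinks and unregisters what exposes *info, then drops
 * only the device's own reference. */
int unbind_refcounted(struct info_model *m)
{
    m->debugfs_live = 0;
    m->in_list = 0;
    info_put(m);
    return dangling(m);
}

/* A consumer releases its handle and with it its reference. */
int handle_put(struct info_model *m)
{
    m->users--;
    info_put(m);
    return dangling(m);
}
```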