From: ChiYuan Huang <cy_huang@richtek.com> mainline inclusion from mainline-v6.2-rc1 commit 8f3cbcd6b440032ebc7f7d48a1689dcc70a4eb98 category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/11299 CVE: CVE-2022-50616 Reference: https://web.git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commi... -------------------------------- Following by the below discussion, there's the potential UAF issue between regulator and mfd. https://lore.kernel.org/all/20221128143601.1698148-1-yangyingliang@huawei.co... From the analysis of Yingliang CPU A |CPU B mt6370_probe() | devm_mfd_add_devices() | |mt6370_regulator_probe() | regulator_register() | //allocate init_data and add it to devres | regulator_of_get_init_data() i2c_unregister_device() | device_del() | devres_release_all() | // init_data is freed | release_nodes() | | // using init_data causes UAF | regulator_register() It's common to use mfd core to create child device for the regulator. In order to do the DT lookup for init data, the child that registered the regulator would pass its parent as the parameter. And this causes init data resource allocated to its parent, not itself. The issue happen when parent device is going to release and regulator core is still doing some operation of init data constraint for the regulator of child device. To fix it, this patch expand 'regulator_register' API to use the different devices for init data allocation and DT lookup. Reported-by: Yang Yingliang <yangyingliang@huawei.com> Signed-off-by: ChiYuan Huang <cy_huang@richtek.com> Link: https://lore.kernel.org/r/1670311341-32664-1-git-send-email-u0084500@gmail.c... Signed-off-by: Mark Brown <broonie@kernel.org> Conflicts: drivers/platform/x86/intel/int3472/clk_and_regulator.c drivers/regulator/core.c drivers/regulator/dummy.c drivers/staging/hikey9xx/hi6421v600-regulator.c include/linux/regulator/driver.h [commit 8bd836feb6cad not merged] Signed-off-by: Liu Mingrui <liumingrui@huawei.com> Signed-off-by: Mingrui Liu <liumingrui@huawei.com> --- drivers/regulator/core.c | 8 ++++---- drivers/regulator/devres.c | 2 +- drivers/regulator/dummy.c | 2 +- drivers/regulator/of_regulator.c | 2 +- drivers/regulator/stm32-vrefbuf.c | 2 +- drivers/staging/hikey9xx/hi6421v600-regulator.c | 2 +- include/linux/regulator/driver.h | 3 ++- 7 files changed, 11 insertions(+), 10 deletions(-) diff --git a/drivers/regulator/core.c b/drivers/regulator/core.c index 6ec5a8316b71..a7e71d5a7124 100644 --- a/drivers/regulator/core.c +++ b/drivers/regulator/core.c @@ -5265,6 +5265,7 @@ static struct regulator_coupler generic_regulator_coupler = { /** * regulator_register - register regulator + * @dev: the device that drive the regulator * @regulator_desc: regulator to register * @cfg: runtime configuration for regulator * @@ -5273,7 +5274,8 @@ static struct regulator_coupler generic_regulator_coupler = { * or an ERR_PTR() on error. */ struct regulator_dev * -regulator_register(const struct regulator_desc *regulator_desc, +regulator_register(struct device *dev, + const struct regulator_desc *regulator_desc, const struct regulator_config *cfg) { const struct regulator_init_data *init_data; @@ -5282,7 +5284,6 @@ regulator_register(const struct regulator_desc *regulator_desc, struct regulator_dev *rdev; bool dangling_cfg_gpiod = false; bool dangling_of_gpiod = false; - struct device *dev; int ret, i; if (cfg == NULL) @@ -5294,8 +5295,7 @@ regulator_register(const struct regulator_desc *regulator_desc, goto rinse; } - dev = cfg->dev; - WARN_ON(!dev); + WARN_ON(!dev || !cfg->dev); if (regulator_desc->name == NULL || regulator_desc->ops == NULL) { ret = -EINVAL; diff --git a/drivers/regulator/devres.c b/drivers/regulator/devres.c index 3091210889e3..77403d8fe863 100644 --- a/drivers/regulator/devres.c +++ b/drivers/regulator/devres.c @@ -193,7 +193,7 @@ struct regulator_dev *devm_regulator_register(struct device *dev, if (!ptr) return ERR_PTR(-ENOMEM); - rdev = regulator_register(regulator_desc, config); + rdev = regulator_register(dev, regulator_desc, config); if (!IS_ERR(rdev)) { *ptr = rdev; devres_add(dev, ptr); diff --git a/drivers/regulator/dummy.c b/drivers/regulator/dummy.c index d8059f596391..78688e8ec6df 100644 --- a/drivers/regulator/dummy.c +++ b/drivers/regulator/dummy.c @@ -45,7 +45,7 @@ static int dummy_regulator_probe(struct platform_device *pdev) config.dev = &pdev->dev; config.init_data = &dummy_initdata; - dummy_regulator_rdev = regulator_register(&dummy_desc, &config); + dummy_regulator_rdev = regulator_register(&pdev->dev, &dummy_desc, &config); if (IS_ERR(dummy_regulator_rdev)) { ret = PTR_ERR(dummy_regulator_rdev); pr_err("Failed to register regulator: %d\n", ret); diff --git a/drivers/regulator/of_regulator.c b/drivers/regulator/of_regulator.c index 5d844697c7b6..3d4a18240a66 100644 --- a/drivers/regulator/of_regulator.c +++ b/drivers/regulator/of_regulator.c @@ -439,7 +439,7 @@ struct regulator_init_data *regulator_of_get_init_data(struct device *dev, struct device_node *child; struct regulator_init_data *init_data = NULL; - child = regulator_of_get_init_node(dev, desc); + child = regulator_of_get_init_node(config->dev, desc); if (!child) return NULL; diff --git a/drivers/regulator/stm32-vrefbuf.c b/drivers/regulator/stm32-vrefbuf.c index 161622ea7259..2d976e1506e9 100644 --- a/drivers/regulator/stm32-vrefbuf.c +++ b/drivers/regulator/stm32-vrefbuf.c @@ -220,7 +220,7 @@ static int stm32_vrefbuf_probe(struct platform_device *pdev) pdev->dev.of_node, &stm32_vrefbuf_regu); - rdev = regulator_register(&stm32_vrefbuf_regu, &config); + rdev = regulator_register(&pdev->dev, &stm32_vrefbuf_regu, &config); if (IS_ERR(rdev)) { ret = PTR_ERR(rdev); dev_err(&pdev->dev, "register failed with error %d\n", ret); diff --git a/drivers/staging/hikey9xx/hi6421v600-regulator.c b/drivers/staging/hikey9xx/hi6421v600-regulator.c index 63204e460f53..74e799cd01a3 100644 --- a/drivers/staging/hikey9xx/hi6421v600-regulator.c +++ b/drivers/staging/hikey9xx/hi6421v600-regulator.c @@ -377,7 +377,7 @@ static int hi6421_spmi_regulator_probe_ldo(struct platform_device *pdev, config.of_node = pdev->dev.of_node; /* register regulator */ - rdev = regulator_register(rdesc, &config); + rdev = regulator_register(&pdev->dev, rdesc, &config); if (IS_ERR(rdev)) { dev_err(dev, "failed to register %s\n", rdesc->name); diff --git a/include/linux/regulator/driver.h b/include/linux/regulator/driver.h index 11cade73726c..1bb29fb4dd1d 100644 --- a/include/linux/regulator/driver.h +++ b/include/linux/regulator/driver.h @@ -473,7 +473,8 @@ struct regulator_dev { }; struct regulator_dev * -regulator_register(const struct regulator_desc *regulator_desc, +regulator_register(struct device *dev, + const struct regulator_desc *regulator_desc, const struct regulator_config *config); struct regulator_dev * devm_regulator_register(struct device *dev, -- 2.34.1