[PATCH OLK-5.10 0/2] CVE-2022-50616
From: Mingrui Liu <liumingrui@huawei.com> CVE-2022-50616 ChiYuan Huang (2): regulator: core: Use different devices for resource allocation and DT lookup regulator: core: Fix resolve supply lookup issue drivers/regulator/core.c | 10 +++++----- drivers/regulator/devres.c | 2 +- drivers/regulator/dummy.c | 2 +- drivers/regulator/of_regulator.c | 2 +- drivers/regulator/stm32-vrefbuf.c | 2 +- drivers/staging/hikey9xx/hi6421v600-regulator.c | 2 +- include/linux/regulator/driver.h | 3 ++- 7 files changed, 12 insertions(+), 11 deletions(-) -- 2.34.1
反馈: 您发送到kernel@openeuler.org的补丁/补丁集,已成功转换为PR! PR链接地址: https://atomgit.com/openeuler/kernel/merge_requests/20516 邮件列表地址:https://mailweb.openeuler.org/archives/list/kernel@openeuler.org/message/O4N... FeedBack: The patch(es) which you have sent to kernel@openeuler.org mailing list has been converted to a pull request successfully! Pull request link: https://atomgit.com/openeuler/kernel/merge_requests/20516 Mailing list address: https://mailweb.openeuler.org/archives/list/kernel@openeuler.org/message/O4N...
From: ChiYuan Huang <cy_huang@richtek.com> mainline inclusion from mainline-v6.2-rc1 commit 8f3cbcd6b440032ebc7f7d48a1689dcc70a4eb98 category: bugfix bugzilla: 1588d318a9e388d05b6cf5e2a63134c8beb6a355 CVE: CVE-2022-50616 Reference: https://web.git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commi... -------------------------------- Following by the below discussion, there's the potential UAF issue between regulator and mfd. https://lore.kernel.org/all/20221128143601.1698148-1-yangyingliang@huawei.co... From the analysis of Yingliang CPU A |CPU B mt6370_probe() | devm_mfd_add_devices() | |mt6370_regulator_probe() | regulator_register() | //allocate init_data and add it to devres | regulator_of_get_init_data() i2c_unregister_device() | device_del() | devres_release_all() | // init_data is freed | release_nodes() | | // using init_data causes UAF | regulator_register() It's common to use mfd core to create child device for the regulator. In order to do the DT lookup for init data, the child that registered the regulator would pass its parent as the parameter. And this causes init data resource allocated to its parent, not itself. The issue happen when parent device is going to release and regulator core is still doing some operation of init data constraint for the regulator of child device. To fix it, this patch expand 'regulator_register' API to use the different devices for init data allocation and DT lookup. Reported-by: Yang Yingliang <yangyingliang@huawei.com> Signed-off-by: ChiYuan Huang <cy_huang@richtek.com> Link: https://lore.kernel.org/r/1670311341-32664-1-git-send-email-u0084500@gmail.c... Signed-off-by: Mark Brown <broonie@kernel.org> Conflicts: drivers/platform/x86/intel/int3472/clk_and_regulator.c drivers/regulator/core.c drivers/regulator/dummy.c drivers/staging/hikey9xx/hi6421v600-regulator.c include/linux/regulator/driver.h [commit 8bd836feb6cad not merged] Signed-off-by: Liu Mingrui <liumingrui@huawei.com> Signed-off-by: Mingrui Liu <liumingrui@huawei.com> --- drivers/regulator/core.c | 8 ++++---- drivers/regulator/devres.c | 2 +- drivers/regulator/dummy.c | 2 +- drivers/regulator/of_regulator.c | 2 +- drivers/regulator/stm32-vrefbuf.c | 2 +- drivers/staging/hikey9xx/hi6421v600-regulator.c | 2 +- include/linux/regulator/driver.h | 3 ++- 7 files changed, 11 insertions(+), 10 deletions(-) diff --git a/drivers/regulator/core.c b/drivers/regulator/core.c index 6ec5a8316b71..a7e71d5a7124 100644 --- a/drivers/regulator/core.c +++ b/drivers/regulator/core.c @@ -5265,6 +5265,7 @@ static struct regulator_coupler generic_regulator_coupler = { /** * regulator_register - register regulator + * @dev: the device that drive the regulator * @regulator_desc: regulator to register * @cfg: runtime configuration for regulator * @@ -5273,7 +5274,8 @@ static struct regulator_coupler generic_regulator_coupler = { * or an ERR_PTR() on error. */ struct regulator_dev * -regulator_register(const struct regulator_desc *regulator_desc, +regulator_register(struct device *dev, + const struct regulator_desc *regulator_desc, const struct regulator_config *cfg) { const struct regulator_init_data *init_data; @@ -5282,7 +5284,6 @@ regulator_register(const struct regulator_desc *regulator_desc, struct regulator_dev *rdev; bool dangling_cfg_gpiod = false; bool dangling_of_gpiod = false; - struct device *dev; int ret, i; if (cfg == NULL) @@ -5294,8 +5295,7 @@ regulator_register(const struct regulator_desc *regulator_desc, goto rinse; } - dev = cfg->dev; - WARN_ON(!dev); + WARN_ON(!dev || !cfg->dev); if (regulator_desc->name == NULL || regulator_desc->ops == NULL) { ret = -EINVAL; diff --git a/drivers/regulator/devres.c b/drivers/regulator/devres.c index 3091210889e3..77403d8fe863 100644 --- a/drivers/regulator/devres.c +++ b/drivers/regulator/devres.c @@ -193,7 +193,7 @@ struct regulator_dev *devm_regulator_register(struct device *dev, if (!ptr) return ERR_PTR(-ENOMEM); - rdev = regulator_register(regulator_desc, config); + rdev = regulator_register(dev, regulator_desc, config); if (!IS_ERR(rdev)) { *ptr = rdev; devres_add(dev, ptr); diff --git a/drivers/regulator/dummy.c b/drivers/regulator/dummy.c index d8059f596391..78688e8ec6df 100644 --- a/drivers/regulator/dummy.c +++ b/drivers/regulator/dummy.c @@ -45,7 +45,7 @@ static int dummy_regulator_probe(struct platform_device *pdev) config.dev = &pdev->dev; config.init_data = &dummy_initdata; - dummy_regulator_rdev = regulator_register(&dummy_desc, &config); + dummy_regulator_rdev = regulator_register(&pdev->dev, &dummy_desc, &config); if (IS_ERR(dummy_regulator_rdev)) { ret = PTR_ERR(dummy_regulator_rdev); pr_err("Failed to register regulator: %d\n", ret); diff --git a/drivers/regulator/of_regulator.c b/drivers/regulator/of_regulator.c index 5d844697c7b6..3d4a18240a66 100644 --- a/drivers/regulator/of_regulator.c +++ b/drivers/regulator/of_regulator.c @@ -439,7 +439,7 @@ struct regulator_init_data *regulator_of_get_init_data(struct device *dev, struct device_node *child; struct regulator_init_data *init_data = NULL; - child = regulator_of_get_init_node(dev, desc); + child = regulator_of_get_init_node(config->dev, desc); if (!child) return NULL; diff --git a/drivers/regulator/stm32-vrefbuf.c b/drivers/regulator/stm32-vrefbuf.c index 161622ea7259..2d976e1506e9 100644 --- a/drivers/regulator/stm32-vrefbuf.c +++ b/drivers/regulator/stm32-vrefbuf.c @@ -220,7 +220,7 @@ static int stm32_vrefbuf_probe(struct platform_device *pdev) pdev->dev.of_node, &stm32_vrefbuf_regu); - rdev = regulator_register(&stm32_vrefbuf_regu, &config); + rdev = regulator_register(&pdev->dev, &stm32_vrefbuf_regu, &config); if (IS_ERR(rdev)) { ret = PTR_ERR(rdev); dev_err(&pdev->dev, "register failed with error %d\n", ret); diff --git a/drivers/staging/hikey9xx/hi6421v600-regulator.c b/drivers/staging/hikey9xx/hi6421v600-regulator.c index 63204e460f53..74e799cd01a3 100644 --- a/drivers/staging/hikey9xx/hi6421v600-regulator.c +++ b/drivers/staging/hikey9xx/hi6421v600-regulator.c @@ -377,7 +377,7 @@ static int hi6421_spmi_regulator_probe_ldo(struct platform_device *pdev, config.of_node = pdev->dev.of_node; /* register regulator */ - rdev = regulator_register(rdesc, &config); + rdev = regulator_register(&pdev->dev, rdesc, &config); if (IS_ERR(rdev)) { dev_err(dev, "failed to register %s\n", rdesc->name); diff --git a/include/linux/regulator/driver.h b/include/linux/regulator/driver.h index 11cade73726c..1bb29fb4dd1d 100644 --- a/include/linux/regulator/driver.h +++ b/include/linux/regulator/driver.h @@ -473,7 +473,8 @@ struct regulator_dev { }; struct regulator_dev * -regulator_register(const struct regulator_desc *regulator_desc, +regulator_register(struct device *dev, + const struct regulator_desc *regulator_desc, const struct regulator_config *config); struct regulator_dev * devm_regulator_register(struct device *dev, -- 2.34.1
From: ChiYuan Huang <cy_huang@richtek.com> mainline inclusion from mainline-v6.2-rc1 commit 0debed5b117d11e33cba52870c4dcb64f5911891 category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/11299 CVE: CVE-2022-50616 Reference: https://web.git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commi... -------------------------------- From Marek's log, the previous change modify the parent of rdev. https://lore.kernel.org/all/58b92e75-f373-dae7-7031-8abd465bb874@samsung.com... In 'regulator_resolve_supply', it uses the parent DT node of rdev as the DT-lookup starting node. But the parent DT node may not exist. This will cause the NULL supply issue. This patch modify the parent of rdev back to the device that provides from 'regulator_config' in 'regulator_register'. Fixes: 8f3cbcd6b440 ("regulator: core: Use different devices for resource allocation and DT lookup") Reported-by: Marek Szyprowski <m.szyprowski@samsung.com> Tested-by: Marek Szyprowski <m.szyprowski@samsung.com> Signed-off-by: ChiYuan Huang <cy_huang@richtek.com> Link: https://lore.kernel.org/r/1670981831-12583-1-git-send-email-u0084500@gmail.c... Signed-off-by: Mark Brown <broonie@kernel.org> Conflicts: drivers/regulator/core.c [just context conflicts] Signed-off-by: Liu Mingrui <liumingrui@huawei.com> Signed-off-by: Mingrui Liu <liumingrui@huawei.com> --- drivers/regulator/core.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/regulator/core.c b/drivers/regulator/core.c index a7e71d5a7124..f580e22ca538 100644 --- a/drivers/regulator/core.c +++ b/drivers/regulator/core.c @@ -5407,7 +5407,7 @@ regulator_register(struct device *dev, /* register with sysfs */ rdev->dev.class = ®ulator_class; - rdev->dev.parent = dev; + rdev->dev.parent = config->dev; dev_set_name(&rdev->dev, "regulator.%lu", (unsigned long) atomic_inc_return(®ulator_no)); dev_set_drvdata(&rdev->dev, rdev); -- 2.34.1
participants (2)
-
Liu Mingrui -
patchwork bot