From: Stephen Boyd <sboyd@kernel.org>
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Yu-Che Cheng <giver@chromium.org>,
	linux-kernel@vger.kernel.org, patches@lists.linux.dev,
	Fei Shao <fshao@chromium.org>, Chen-Yu Tsai <wenst@chromium.org>
Subject: [PATCH 2/8] spmi: mediatek: Fix UAF on device remove
Date: Wed,  6 Dec 2023 15:17:25 -0800
Message-ID: <20231206231733.4031901-3-sboyd@kernel.org>
In-Reply-To: <20231206231733.4031901-1-sboyd@kernel.org>

From: Yu-Che Cheng <giver@chromium.org>

The pmif driver data that contains the clocks is allocated along with
spmi_controller.
On device remove, spmi_controller will be freed first, and then devres,
including the clocks, will be cleaned up.
This leads to UAF because putting the clocks will access the clocks in
the pmif driver data, which is already freed along with spmi_controller.

This can be reproduced by enabling DEBUG_TEST_DRIVER_REMOVE and
building the kernel with KASAN.

Fix the UAF issue by using unmanaged clk_bulk_get() and putting the
clocks before freeing spmi_controller.

Reported-by: Fei Shao <fshao@chromium.org>
Signed-off-by: Yu-Che Cheng <giver@chromium.org>
Link: https://lore.kernel.org/r/20230717173934.1.If004a6e055a189c7f2d0724fa814422c26789839@changeid
Tested-by: Fei Shao <fshao@chromium.org>
Reviewed-by: Fei Shao <fshao@chromium.org>
Reviewed-by: Chen-Yu Tsai <wenst@chromium.org>
Signed-off-by: Stephen Boyd <sboyd@kernel.org>
---
 drivers/spmi/spmi-mtk-pmif.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/drivers/spmi/spmi-mtk-pmif.c b/drivers/spmi/spmi-mtk-pmif.c
index 54c35f5535cb..1261f381cae6 100644
--- a/drivers/spmi/spmi-mtk-pmif.c
+++ b/drivers/spmi/spmi-mtk-pmif.c
@@ -475,7 +475,7 @@ static int mtk_spmi_probe(struct platform_device *pdev)
 	for (i = 0; i < arb->nclks; i++)
 		arb->clks[i].id = pmif_clock_names[i];
 
-	err = devm_clk_bulk_get(&pdev->dev, arb->nclks, arb->clks);
+	err = clk_bulk_get(&pdev->dev, arb->nclks, arb->clks);
 	if (err) {
 		dev_err(&pdev->dev, "Failed to get clocks: %d\n", err);
 		goto err_put_ctrl;
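Review bot: a short comment above the new clk_bulk_get() call would stop a future cleanup from "fixing" it back to devm_clk_bulk_get(); something like `/* Not devm-managed: the clks live in arb, which is freed together with ctrl */` captures the reason given in the commit message. The `goto err_put_ctrl` kept in this hunk is still right, since a failed clk_bulk_get() leaves nothing to put.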
@@ -484,7 +484,7 @@ static int mtk_spmi_probe(struct platform_device *pdev)
 	err = clk_bulk_prepare_enable(arb->nclks, arb->clks);
 	if (err) {
 		dev_err(&pdev->dev, "Failed to enable clocks: %d\n", err);
-		goto err_put_ctrl;
+		goto err_put_clks;
 	}
 
 	ctrl->cmd = pmif_arb_cmd;
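Review bot: retargeting this error path to err_put_clks is required now that devres no longer releases the clocks, but the hunk context starts at line 484 and does not show lines 478-483 between the clk_bulk_get() and the clk_bulk_prepare_enable(); please confirm there is no other `goto err_put_ctrl` in that gap that would now leak the clocks.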
@@ -510,6 +510,8 @@ static int mtk_spmi_probe(struct platform_device *pdev)
 
 err_domain_remove:
 	clk_bulk_disable_unprepare(arb->nclks, arb->clks);
+err_put_clks:
+	clk_bulk_put(arb->nclks, arb->clks);
 err_put_ctrl:
 	spmi_controller_put(ctrl);
 	return err;
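Review bot: the label order here is the important property of the fix, so it deserves to be protected: clk_bulk_put() runs while ctrl, and therefore arb, is still alive, and only then does spmi_controller_put() free it. If the unwind labels are ever reordered, err_put_clks must stay above err_put_ctrl; a one-line comment on err_put_clks stating that dependency would make that explicit.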
@@ -521,6 +523,7 @@ static void mtk_spmi_remove(struct platform_device *pdev)
 	struct pmif *arb = spmi_controller_get_drvdata(ctrl);
 
 	clk_bulk_disable_unprepare(arb->nclks, arb->clks);
+	clk_bulk_put(arb->nclks, arb->clks);
 	spmi_controller_remove(ctrl);
 	spmi_controller_put(ctrl);
 }
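Review bot: adding clk_bulk_put() before spmi_controller_put() is the minimal correct fix for the UAF, since arb is still valid at that point. Separately, the remove path disables and now puts the clocks before spmi_controller_remove() unregisters the controller, so any transfer that races with removal would run with the clocks off; that ordering predates this patch and is out of scope here, but it is worth a follow-up.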
-- 
https://git.kernel.org/pub/scm/linux/kernel/git/clk/linux.git/
https://git.kernel.org/pub/scm/linux/kernel/git/sboyd/spmi.git

