Minki/linux
1
0
Fork 1
mirror of https://github.com/torvalds/linux.git synced 2024-11-22 12:11:40 +00:00
Code Issues Packages Projects Releases Wiki Activity

spmi: mediatek: Fix UAF on device remove

Browse Source 
The pmif driver data that contains the clocks is allocated along with
spmi_controller.
On device remove, spmi_controller will be freed first, and then devres
, including the clocks, will be cleanup.
This leads to UAF because putting the clocks will access the clocks in
the pmif driver data, which is already freed along with spmi_controller.

This can be reproduced by enabling DEBUG_TEST_DRIVER_REMOVE and
building the kernel with KASAN.

Fix the UAF issue by using unmanaged clk_bulk_get() and putting the
clocks before freeing spmi_controller.

Reported-by: Fei Shao <fshao@chromium.org>
Signed-off-by: Yu-Che Cheng <giver@chromium.org>
Link: https://lore.kernel.org/r/20230717173934.1.If004a6e055a189c7f2d0724fa814422c26789839@changeid
Tested-by: Fei Shao <fshao@chromium.org>
Reviewed-by: Fei Shao <fshao@chromium.org>
Reviewed-by: Chen-Yu Tsai <wenst@chromium.org>
Signed-off-by: Stephen Boyd <sboyd@kernel.org>
Link: https://lore.kernel.org/r/20231206231733.4031901-3-sboyd@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This commit is contained in:
Yu-Che Cheng 2023-12-06 15:17:25 -08:00 committed by Greg Kroah-Hartman
parent f200fff8d0
commit e821d50ab5
1 changed files with 5 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
drivers/spmi/spmi-mtk-pmif.c
View File

@ -475,7 +475,7 @@ static int mtk_spmi_probe(struct platform_device *pdev)
for (i = 0; i < arb->nclks; i++)
arb->clks[i].id = pmif_clock_names[i];
err = devm_clk_bulk_get(&pdev->dev, arb->nclks, arb->clks);
err = clk_bulk_get(&pdev->dev, arb->nclks, arb->clks);
if (err) {
dev_err(&pdev->dev, "Failed to get clocks: %d\n", err);
goto err_put_ctrl;
@ -484,7 +484,7 @@ static int mtk_spmi_probe(struct platform_device *pdev)
err = clk_bulk_prepare_enable(arb->nclks, arb->clks);
if (err) {
dev_err(&pdev->dev, "Failed to enable clocks: %d\n", err);
goto err_put_ctrl;
goto err_put_clks;
}
ctrl->cmd = pmif_arb_cmd;
@ -510,6 +510,8 @@ static int mtk_spmi_probe(struct platform_device *pdev)
err_domain_remove:
clk_bulk_disable_unprepare(arb->nclks, arb->clks);
err_put_clks:
clk_bulk_put(arb->nclks, arb->clks);
err_put_ctrl:
spmi_controller_put(ctrl);
return err;
@ -521,6 +523,7 @@ static void mtk_spmi_remove(struct platform_device *pdev)
struct pmif *arb = spmi_controller_get_drvdata(ctrl);
clk_bulk_disable_unprepare(arb->nclks, arb->clks);
clk_bulk_put(arb->nclks, arb->clks);
spmi_controller_remove(ctrl);
spmi_controller_put(ctrl);
}