android_kernel_samsung_sm8650/drivers
ChiYuan Huang b0f25ca1ff regulator: core: Use different devices for resource allocation and DT lookup
[ Upstream commit 8f3cbcd6b440032ebc7f7d48a1689dcc70a4eb98 ]

Following the discussion below, there's a potential UAF issue
between regulator and mfd.
https://lore.kernel.org/all/20221128143601.1698148-1-yangyingliang@huawei.com/

From the analysis of Yingliang

CPU A				|CPU B
mt6370_probe()			|
  devm_mfd_add_devices()	|
				|mt6370_regulator_probe()
				|  regulator_register()
				|    //allocate init_data and add it to devres
				|    regulator_of_get_init_data()
i2c_unregister_device()		|
  device_del()			|
    devres_release_all()	|
      // init_data is freed	|
      release_nodes()		|
				|  // using init_data causes UAF
				|  regulator_register()

It's common to use the mfd core to create a child device for the regulator.
In order to do the DT lookup for init data, the child that registered
the regulator would pass its parent as the parameter. And this causes
the init data resource to be allocated to its parent, not itself. The issue
happens when the parent device is going to release and the regulator core is
still doing some operation of init data constraint for the regulator of the
child device.

To fix it, this patch expands the 'regulator_register' API to use
different devices for init data allocation and DT lookup.

Reported-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: ChiYuan Huang <cy_huang@richtek.com>
Link: https://lore.kernel.org/r/1670311341-32664-1-git-send-email-u0084500@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2022-12-31 13:33:04 +01:00
..
accessibility speakup: replace utils' u_char with unsigned char 2022-11-09 15:25:24 +01:00
acpi ACPI: x86: Add skip i2c clients quirk for Medion Lifetab S10346 2022-12-31 13:32:58 +01:00
amba
android binder: validate alloc->mm in ->mmap() handler 2022-11-09 15:41:27 +01:00
ata ata: libata: fix NCQ autosense logic 2022-12-31 13:32:02 +01:00
atm
auxdisplay
base class: fix possible memory leak in __class_register() 2022-12-31 13:32:38 +01:00
bcma Interrupt subsystem updates: 2022-10-12 10:23:24 -07:00
block drbd: destroy workqueue when drbd device was freed 2022-12-31 13:32:15 +01:00
bluetooth Bluetooth: hci_bcsp: don't call kfree_skb() under spin_lock_irqsave() 2022-12-31 13:32:29 +01:00
bus bus: ixp4xx: Don't touch bit 7 on IXP42x 2022-11-22 23:12:18 +01:00
cdrom
char ipmi: fix memleak when unload ipmi driver 2022-12-31 13:32:59 +01:00
clk clk: st: Fix memory leak in st_of_quadfs_setup() 2022-12-31 13:33:04 +01:00
clocksource clocksource/drivers/timer-ti-dm: Fix missing clk_disable_unprepare in dmtimer_systimer_init_clock() 2022-12-31 13:31:59 +01:00
comedi
connector
counter counter: stm32-lptimer-cnt: fix the check on arr and cmp registers update 2022-12-31 13:32:41 +01:00
cpufreq cpufreq: amd_freq_sensitivity: Add missing pci_dev_put() 2022-12-31 13:31:58 +01:00
cpuidle cpuidle: dt: Return the correct numbers of parsed idle states 2022-12-31 13:31:55 +01:00
crypto crypto: img-hash - Fix variable dereferenced before check 'hdev->req' 2022-12-31 13:32:37 +01:00
cxl cxl/region: Recycle region ids 2022-11-04 16:03:43 -07:00
dax device-dax: Fix duplicate 'hmem' device registration 2022-11-21 15:34:40 -08:00
dca
devfreq
dio drivers: dio: fix possible memory leak in dio_init() 2022-12-31 13:32:38 +01:00
dma dmaengine: idxd: Make read buffer sysfs attributes invisible for Intel IAA 2022-12-31 13:32:47 +01:00
dma-buf dma-buf: fix racing conflict of dma_heap_add() 2022-11-22 18:27:56 +05:30
edac EDAC/i10nm: fix refcount leak in pci_get_dev_wrapper() 2022-12-31 13:31:57 +01:00
eisa
extcon extcon: usbc-tusb320: Update state on probe even if no IRQ pending 2022-12-31 13:32:39 +01:00
firewire
firmware firmware: raspberrypi: fix possible memory leak in rpi_firmware_probe() 2022-12-31 13:32:40 +01:00
fpga fpga: m10bmc-sec: Fix kconfig dependencies 2022-11-15 21:46:58 +08:00
fsi
gnss
gpio gpiolib: protect the GPIO device against being dropped while in use by user-space 2022-12-31 13:32:42 +01:00
gpu drm/amd/display: Fix DTBCLK disable requests and SRC_SEL programming 2022-12-31 13:33:03 +01:00
greybus
hid HID: uclogic: Add support for XP-PEN Deco LW 2022-12-31 13:33:00 +01:00
hsi HSI: omap_ssi_core: Fix error handling in ssi_init() 2022-12-31 13:32:45 +01:00
hte
hv video: hyperv_fb: Avoid taking busy spinlock on panic path 2022-12-31 13:32:56 +01:00
hwmon hwmon: (nct6775) add ASUS CROSSHAIR VIII/TUF/ProArt B550M 2022-12-31 13:33:04 +01:00
hwspinlock
hwtracing coresight: cti: Fix null pointer error on CTI init before ETM 2022-12-31 13:32:41 +01:00
i2c i2c: ismt: Fix an out-of-bounds bug in ismt_access() 2022-12-31 13:32:42 +01:00
i3c i3c: master: Remove the wrong place of reattach. 2022-10-12 23:45:29 +02:00
idle
iio iio: adis: add '__adis_enable_irq()' implementation 2022-12-31 13:32:41 +01:00
infiniband RDMA/siw: Fix pointer cast warning 2022-12-31 13:32:45 +01:00
input Input: wistron_btns - disable on UML 2022-12-31 13:32:19 +01:00
interconnect interconnect: qcom: sc7180: fix dropped const of qcom_icc_bcm 2022-12-31 13:32:39 +01:00
iommu iommu/mediatek: Fix forever loop in error handling 2022-12-31 13:32:53 +01:00
ipack Char/Misc and other driver changes for 6.1-rc1 2022-10-08 08:56:37 -07:00
irqchip irqchip/loongson-liointc: Fix improper error handling in liointc_init() 2022-12-31 13:31:57 +01:00
isdn mISDN: hfcmulti: don't call dev_kfree_skb/kfree_skb() under spin_lock_irqsave() 2022-12-31 13:32:53 +01:00
leds leds: is31fl319x: Fix setting current limit for is31fl319{0,1,3} 2022-12-31 13:32:45 +01:00
macintosh macintosh/macio-adb: check the return value of ioremap() 2022-12-31 13:32:50 +01:00
mailbox mailbox: zynq-ipi: fix error handling while device_register() fails 2022-12-31 13:32:55 +01:00
mcb mcb: mcb-parse: fix error handing in chameleon_parse_gdd() 2022-12-31 13:32:41 +01:00
md md/raid1: stop mdx_raid1 thread when raid1 array run failed 2022-12-31 13:33:02 +01:00
media media: si470x: Fix use-after-free in si470x_int_in_callback() 2022-12-31 13:33:04 +01:00
memory memory: renesas-rpc-if: Clear HS bit during hardware initialization 2022-12-31 13:31:48 +01:00
memstick memstick/ms_block: Add check for alloc_ordered_workqueue 2022-12-31 13:32:25 +01:00
message
mfd mfd: pm8008: Fix return value check in pm8008_probe() 2022-12-31 13:32:52 +01:00
misc cxl: Fix refcount leak in cxl_calc_capp_routing 2022-12-31 13:32:50 +01:00
mmc mmc: sdhci-tegra: Issue CMD and DAT resets together 2022-12-31 13:33:04 +01:00
most
mtd mtd: maps: pxa2xx-flash: fix memory leak in probe 2022-12-31 13:32:15 +01:00
mux
net wifi: mt76: do not run mt76u_status_worker if the device is not running 2022-12-31 13:33:04 +01:00
nfc nfc: pn533: Clear nfc_target before being used 2022-12-31 13:32:54 +01:00
ntb
nubus
nvdimm libnvdimm for 6.1 2022-10-14 18:41:41 -07:00
nvme nvme-auth: don't override ctrl keys before validation 2022-12-31 13:33:02 +01:00
nvmem nvmem: lan9662-otp: Change return type of lan9662_otp_wait_flag_clear() 2022-11-22 18:22:05 +01:00
of of: overlay: fix null pointer dereferencing in find_dup_cset_node_entry() and find_dup_cset_prop() 2022-12-31 13:32:26 +01:00
opp
parisc parisc: Export iosapic_serial_irq() symbol for serial port driver 2022-10-27 09:12:05 +02:00
parport parport_pc: Avoid FIFO port location truncation 2022-11-09 15:40:32 +01:00
pci PCI: vmd: Fix secondary bus reset for Intel bridges 2022-12-31 13:32:36 +01:00
pcmcia
peci
perf drivers/perf: hisi: Fix some event id for hisi-pcie-pmu 2022-12-31 13:31:53 +01:00
phy phy: qcom-qmp-pcie: Fix sm8450_qmp_gen4x2_pcie_pcs_tbl[] register names 2022-12-31 13:32:48 +01:00
pinctrl pinctrl: thunderbay: fix possible memory leak in thunderbay_build_functions() 2022-12-31 13:32:23 +01:00
platform regulator: core: Use different devices for resource allocation and DT lookup 2022-12-31 13:33:04 +01:00
pnp PNP: fix name memory leak in pnp_alloc_dev() 2022-12-31 13:31:56 +01:00
power power: supply: fix null pointer dereferencing in power_supply_get_battery_info 2022-12-31 13:32:45 +01:00
powercap Scheduler changes for v6.1: 2022-10-10 09:10:28 -07:00
pps
ps3
ptp ] ptp: ocp: remove symlink for second GNSS 2022-10-10 08:37:24 +01:00
pwm pwm: mediatek: always use bus clock for PWM on MT7622 2022-12-31 13:32:51 +01:00
rapidio rapidio: devices: fix missing put_device in mport_cdev_open 2022-12-31 13:32:00 +01:00
ras
regulator regulator: core: Use different devices for resource allocation and DT lookup 2022-12-31 13:33:04 +01:00
remoteproc remoteproc: qcom: q6v5: Fix missing clk_disable_unprepare() in q6v5_wcss_qcs404_power_on() 2022-12-31 13:32:52 +01:00
reset Here's the main clk pull request for this merge window. We have some 2022-10-08 10:06:48 -07:00
rpmsg
rtc rtc: mxc_v2: Add missing clk_disable_unprepare() 2022-12-31 13:32:55 +01:00
s390 s390/lcs: Fix return type of lcs_start_xmit() 2022-12-31 13:33:01 +01:00
sbus
scsi scsi: snic: Fix possible UAF in snic_tgt_create() 2022-12-31 13:32:35 +01:00
sh
siox siox: fix possible memory leak in siox_device_add() 2022-11-09 15:40:14 +01:00
slimbus slimbus: qcom-ngd: Fix build error when CONFIG_SLIM_QCOM_NGD_CTRL=y && CONFIG_QCOM_RPROC_COMMON=m 2022-11-10 18:45:40 +01:00
soc soc: mediatek: pm-domains: Fix the power glitch issue 2022-12-31 13:32:55 +01:00
soundwire soundwire: qcom: check for outanding writes before doing a read 2022-10-28 17:00:38 +05:30
spi spi: spi-gpio: Don't set MOSI as an input if not 3WIRE mode 2022-12-31 13:32:25 +01:00
spmi spmi: pmic-arb: increase SPMI transaction timeout delay 2022-09-30 14:33:23 +02:00
ssb
staging vme: Fix error not catched in fake_init() 2022-12-31 13:32:42 +01:00
target scsi: target: tcm_loop: Fix possible name leak in tcm_loop_setup_hba_bus() 2022-11-17 17:46:16 +00:00
tc
tee tee: optee: fix possible memory leak in optee_register_device() 2022-11-17 09:22:12 +01:00
thermal thermal/core: Ensure that thermal device is registered in thermal_zone_get_temp 2022-12-31 13:32:57 +01:00
thunderbolt treewide: use get_random_u32() when possible 2022-10-11 17:42:58 -06:00
tty serial: sunsab: Fix error handling in sunsab_init() 2022-12-31 13:32:40 +01:00
ufs scsi: ufs: core: Fix the polling implementation 2022-12-31 13:32:36 +01:00
uio uio: uio_dmem_genirq: Fix deadlock between irq config and handling 2022-12-31 13:32:38 +01:00
usb usb: typec: wusb3801: fix fwnode refcount leak in wusb3801_probe() 2022-12-31 13:32:42 +01:00
vdpa virtio: fixes, features 2022-10-10 14:02:53 -07:00
vfio vfio/iova_bitmap: refactor iova_bitmap_set() to better handle page boundaries 2022-12-31 13:32:41 +01:00
vhost virtio: fixes, features 2022-10-10 14:02:53 -07:00
video video: hyperv_fb: Avoid taking busy spinlock on panic path 2022-12-31 13:32:56 +01:00
virt virt/sev-guest: Add a MODULE_ALIAS 2022-12-31 13:32:09 +01:00
virtio virtio_pci: use irq to detect interrupt support 2022-10-13 09:33:03 -04:00
vlynq
w1 Char/Misc and other driver changes for 6.1-rc1 2022-10-08 08:56:37 -07:00
watchdog watchdog: iTCO_wdt: Set NO_REBOOT if the watchdog is not already running 2022-12-31 13:32:44 +01:00
xen xen/privcmd: Fix a possible warning in privcmd_ioctl_mmap_resource() 2022-12-31 13:31:59 +01:00
zorro
Kconfig
Makefile