From patchwork Mon Sep 9 01:10:39 2024
X-Patchwork-Submitter: Hui Wang
X-Patchwork-Id: 1982249
From: Hui Wang
To: kernel-team@lists.ubuntu.com
Subject: [SRU][F][PATCH 2/3] misc: eeprom: at24: register nvmem only after eeprom is ready to use
Date: Mon, 9 Sep 2024 09:10:39 +0800
Message-Id: <20240909011040.355032-3-hui.wang@canonical.com>
In-Reply-To: <20240909011040.355032-1-hui.wang@canonical.com>
References: <20240909011040.355032-1-hui.wang@canonical.com>

From: Vadym Kochan

During nvmem_register() the nvmem core sends notifications when:

- cell added
- nvmem added

and during these notifications some callback func may access the nvmem
device, which will fail in case of at24 eeprom because regulator and pm
are enabled after nvmem_register().

Fixes: cd5676db0574 ("misc: eeprom: at24: support pm_runtime control")
Fixes: b20eb4c1f026 ("eeprom: at24: drop unnecessary label")
Cc: stable@vger.kernel.org
Signed-off-by: Vadym Kochan
Signed-off-by: Bartosz Golaszewski
(backported from commit 45df80d7605c25055a85fbc5a8446c81c6c0ca24)
[hui: To fix this CVE issue, we need to backport the commit
f42c97027fb7 and the commit needs devm_nvmem_register() to be moved
immediately ahead of one-byte reading test. This backporting drops
regulator_disable(at24->vcc_reg) since the regulator is introduced by
commit cd5676db0574 and the commit is not in focal kernel yet.]
CVE-2024-35848
Signed-off-by: Hui Wang
---
 drivers/misc/eeprom/at24.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/drivers/misc/eeprom/at24.c b/drivers/misc/eeprom/at24.c index b1c17a058215..96cd8630838f 100644 --- a/drivers/misc/eeprom/at24.c +++ b/drivers/misc/eeprom/at24.c
@@ -695,16 +695,18 @@ static int at24_probe(struct i2c_client *client) nvmem_config.word_size = 1; nvmem_config.size = byte_len; - at24->nvmem = devm_nvmem_register(dev, &nvmem_config); - if (IS_ERR(at24->nvmem)) - return PTR_ERR(at24->nvmem); - i2c_set_clientdata(client, at24); /* enable runtime pm */ pm_runtime_set_active(dev); pm_runtime_enable(dev); + at24->nvmem = devm_nvmem_register(dev, &nvmem_config); + if (IS_ERR(at24->nvmem)) { + pm_runtime_disable(dev); + return PTR_ERR(at24->nvmem); + } + /* * Perform a one-byte test read to verify that the * chip is functional.
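
Review bot: in at24_probe(), the relocated devm_nvmem_register() still runs before the one-byte test read, so the cell-added and nvmem-added notifications go out before the chip has been shown to respond; taken alone, this hunk only guarantees that runtime PM is enabled first. The backport note says this placement is what f42c97027fb7 needs, so it would help to say there explicitly that the remaining ordering against the test read is dealt with by the following patch in the series, and that this patch is not meant to be applied without it. Separately, the new error branch calls pm_runtime_disable(dev) but leaves the status set by pm_runtime_set_active(dev) in place. The test-read failure path is outside the visible context, so please confirm that both failure paths unwind runtime PM the same way.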