From patchwork Mon Sep 9 01:10:38 2024
X-Patchwork-Submitter: Hui Wang
X-Patchwork-Id: 1982251
From: Hui Wang
To: kernel-team@lists.ubuntu.com
Subject: [SRU][F][PATCH 1/3] misc: eeprom: at24: fix regulator underflow
Date: Mon, 9 Sep 2024 09:10:38 +0800
Message-Id: <20240909011040.355032-2-hui.wang@canonical.com>
In-Reply-To: <20240909011040.355032-1-hui.wang@canonical.com>
References: <20240909011040.355032-1-hui.wang@canonical.com>

From: Michael Auchter

The at24 driver attempts to read a byte from the device to validate that it's actually present, and if not, disables the vcc regulator and returns -ENODEV. However, between the read and the error handling path, pm_runtime_idle() is called and invokes the driver's suspend callback, which also disables the vcc regulator. This leads to an underflow of the regulator enable count if the EEPROM is not present.

Move the pm_runtime_suspend() call to be after the error handling path to resolve this.

Fixes: cd5676db0574 ("misc: eeprom: at24: support pm_runtime control")
Signed-off-by: Michael Auchter
Signed-off-by: Bartosz Golaszewski
(backported from commit 58d6fee50e67bb1c69977f1a534ccb17bf58b0f1)
[hui: To fix this CVE issue, we need to backport the commit f42c97027fb7 and the commit needs the pm_runtime_idle() to be moved behind the error checking. Here adjust the context due to missing the commit 285be87c79e1 ("eeprom: at24: Improve confusing log message")]
CVE-2024-35848
Signed-off-by: Hui Wang
--- drivers/misc/eeprom/at24.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/misc/eeprom/at24.c b/drivers/misc/eeprom/at24.c index 2cccd82a3106..b1c17a058215 100644 --- a/drivers/misc/eeprom/at24.c +++ b/drivers/misc/eeprom/at24.c
@@ -710,12 +710,13 @@ static int at24_probe(struct i2c_client *client) * chip is functional. */ err = at24_read(at24, 0, &test_byte, 1); - pm_runtime_idle(dev); if (err) { pm_runtime_disable(dev); return -ENODEV; } + pm_runtime_idle(dev); + dev_info(dev, "%u byte %s EEPROM, %s, %u bytes/write\n", byte_len, client->name, writable ? "writable" : "read-only", at24->write_max); From patchwork Mon Sep 9 01:10:39 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Hui Wang X-Patchwork-Id: 1982249 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.ubuntu.com (client-ip=185.125.189.65; helo=lists.ubuntu.com; envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=patchwork.ozlabs.org) Received: from lists.ubuntu.com (lists.ubuntu.com [185.125.189.65]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4X280x5y7zz1y1l for ; Mon, 9 Sep 2024 11:11:13 +1000 (AEST) Received: from localhost ([127.0.0.1] helo=lists.ubuntu.com) by lists.ubuntu.com with esmtp (Exim 4.86_2) (envelope-from ) id 1snSvi-0004rK-GX; Mon, 09 Sep 2024 01:10:58 +0000 Received: from smtp-relay-canonical-1.internal ([10.131.114.174] helo=smtp-relay-canonical-1.canonical.com) by lists.ubuntu.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1snSvh-0004r3-B1 for kernel-team@lists.ubuntu.com; Mon, 09 Sep 2024 01:10:57 +0000 Received: from hwang4-ThinkPad-T14s-Gen-2a.. 
From: Hui Wang
To: kernel-team@lists.ubuntu.com
Subject: [SRU][F][PATCH 2/3] misc: eeprom: at24: register nvmem only after eeprom is ready to use
Date: Mon, 9 Sep 2024 09:10:39 +0800
Message-Id: <20240909011040.355032-3-hui.wang@canonical.com>
In-Reply-To: <20240909011040.355032-1-hui.wang@canonical.com>
References: <20240909011040.355032-1-hui.wang@canonical.com>

From: Vadym Kochan

During nvmem_register() the nvmem core sends notifications when:

 - cell added
 - nvmem added

and during these notifications some callback func may access the nvmem device, which will fail in case of at24 eeprom because regulator and pm are enabled after nvmem_register().

Fixes: cd5676db0574 ("misc: eeprom: at24: support pm_runtime control")
Fixes: b20eb4c1f026 ("eeprom: at24: drop unnecessary label")
Cc: stable@vger.kernel.org
Signed-off-by: Vadym Kochan
Signed-off-by: Bartosz Golaszewski
(backported from commit 45df80d7605c25055a85fbc5a8446c81c6c0ca24)
[hui: To fix this CVE issue, we need to backport the commit f42c97027fb7 and the commit needs devm_nvmem_register() to be moved immediate ahead of one-byte reading test. This backporting drops regulator_disable(at24->vcc_reg) since the regulator is introduced by commit cd5676db0574 and the commit is not in focal kernel yet.]
CVE-2024-35848
Signed-off-by: Hui Wang --- drivers/misc/eeprom/at24.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/drivers/misc/eeprom/at24.c b/drivers/misc/eeprom/at24.c index b1c17a058215..96cd8630838f 100644 --- a/drivers/misc/eeprom/at24.c +++ b/drivers/misc/eeprom/at24.c 
@@ -695,16 +695,18 @@ static int at24_probe(struct i2c_client *client) nvmem_config.word_size = 1; nvmem_config.size = byte_len; - at24->nvmem = devm_nvmem_register(dev, &nvmem_config); - if (IS_ERR(at24->nvmem)) - return PTR_ERR(at24->nvmem); - i2c_set_clientdata(client, at24); /* enable runtime pm */ pm_runtime_set_active(dev); pm_runtime_enable(dev); + at24->nvmem = devm_nvmem_register(dev, &nvmem_config); + if (IS_ERR(at24->nvmem)) { + pm_runtime_disable(dev); + return PTR_ERR(at24->nvmem); + } + /* * Perform a one-byte test read to verify that the * chip is functional. From patchwork Mon Sep 9 01:10:40 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Hui Wang X-Patchwork-Id: 1982252 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.ubuntu.com (client-ip=185.125.189.65; helo=lists.ubuntu.com; envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=patchwork.ozlabs.org) Received: from lists.ubuntu.com (lists.ubuntu.com [185.125.189.65]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4X280y2k6Qz1y1r for ; Mon, 9 Sep 2024 11:11:14 +1000 (AEST) Received: from localhost ([127.0.0.1] helo=lists.ubuntu.com) by lists.ubuntu.com with esmtp (Exim 4.86_2) (envelope-from ) id 1snSvl-0004su-Ma; Mon, 09 Sep 2024 01:11:01 +0000 Received: from smtp-relay-canonical-1.internal ([10.131.114.174] helo=smtp-relay-canonical-1.canonical.com) by lists.ubuntu.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1snSvj-0004ru-Ol for kernel-team@lists.ubuntu.com; Mon, 09 Sep 2024 01:10:59 +0000 Received: from hwang4-ThinkPad-T14s-Gen-2a.. 
From: Hui Wang
To: kernel-team@lists.ubuntu.com
Subject: [SRU][F][PATCH 3/3] eeprom: at24: fix memory corruption race condition
Date: Mon, 9 Sep 2024 09:10:40 +0800
Message-Id: <20240909011040.355032-4-hui.wang@canonical.com>
In-Reply-To: <20240909011040.355032-1-hui.wang@canonical.com>
References: <20240909011040.355032-1-hui.wang@canonical.com>

From: Daniel Okazaki

If the eeprom is not accessible, an nvmem device will be registered, the read will fail, and the device will be torn down. If another driver accesses the nvmem device after the teardown, it will reference invalid memory.

Move the failure point before registering the nvmem device.

Signed-off-by: Daniel Okazaki
Fixes: b20eb4c1f026 ("eeprom: at24: drop unnecessary label")
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20240422174337.2487142-1-dtokazaki@google.com
Signed-off-by: Bartosz Golaszewski
(backported from commit f42c97027fb75776e2e9358d16bf4a99aeb04cf2)
[hui: This backporting drops pm_runtime_status_suspended(), regulator_disable() and dev_err_probe() since there are several prerequisite commits missing in the focal kernel:
cd5676db0574 ("misc: eeprom: at24: support pm_runtime control")
2962484dfef8 ("misc: eeprom: at24: check suspend status before disable regulator")
a3c10035d12f ("eeprom: at24: Use dev_err_probe for nvmem register failure")]
CVE-2024-35848
Signed-off-by: Hui Wang --- drivers/misc/eeprom/at24.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/drivers/misc/eeprom/at24.c b/drivers/misc/eeprom/at24.c index 96cd8630838f..07092df45d5e 100644 --- a/drivers/misc/eeprom/at24.c +++ b/drivers/misc/eeprom/at24.c @@ -701,12 +701,6 @@ static int at24_probe(struct i2c_client *client) pm_runtime_set_active(dev); pm_runtime_enable(dev); - at24->nvmem = devm_nvmem_register(dev, &nvmem_config); - if (IS_ERR(at24->nvmem)) { - pm_runtime_disable(dev); - return PTR_ERR(at24->nvmem); - } - /* * Perform a one-byte test read to verify that the * chip is functional. @@ -717,6 +711,12 @@ static int at24_probe(struct i2c_client *client) return -ENODEV; } + at24->nvmem = devm_nvmem_register(dev, &nvmem_config); + if (IS_ERR(at24->nvmem)) { + pm_runtime_disable(dev); + return PTR_ERR(at24->nvmem); + } + pm_runtime_idle(dev); dev_info(dev, "%u byte %s EEPROM, %s, %u bytes/write\n",
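Review bot: In PATCH 1/3, the error branch after at24_read() in at24_probe() only calls pm_runtime_disable(dev) and returns -ENODEV; no regulator_disable() appears in the hunk context, yet the commit message describes a vcc regulator underflow and the Fixes: tag names cd5676db0574, which the notes on PATCH 2/3 and 3/3 say is missing from the focal kernel. The [hui: ...] note should state that this patch is taken only as the ordering prerequisite for f42c97027fb7 and that the underflow itself does not apply to this tree, so the Fixes: tag is not later read as evidence that the regulator code is present. The message also names pm_runtime_suspend() while the line moved is pm_runtime_idle(dev); worth confirming that wording against the upstream commit.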
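Review bot: In PATCH 2/3, devm_nvmem_register() lands directly above the "Perform a one-byte test read" comment, so with only this patch applied a failed at24_read() still returns -ENODEV after the nvmem device has been registered, which is the teardown window PATCH 3/3 describes. The backport note should say that 2/3 and 3/3 have to be applied together, so a bisect or a partial cherry-pick does not stop on this intermediate state. The new IS_ERR() branch calling pm_runtime_disable(dev) before returning is consistent with the existing -ENODEV branch.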
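Review bot: In the second hunk of PATCH 3/3, the placement of devm_nvmem_register() is now constrained from two sides with nothing in the code saying so: it has to stay after pm_runtime_enable(dev) (the reason for PATCH 2/3) and after the -ENODEV return of the test read (this patch). A short comment above the call stating both constraints would keep a later cleanup from moving the registration back ahead of the read. Since the [hui: ...] note says dev_err_probe() was dropped, the IS_ERR() branch returns PTR_ERR(at24->nvmem) without logging; that is fine for the backport but should be a deliberate choice.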