From: Shubham Kulkarni skulkarni@mvista.com
Hi Greg/All,
This patch series backports the fix for CVE-2023-33288 along with its 2 dependency commits to 5.4 stable kernel. These patches are already part of stable kernel v5.10.y and I have referred to those commits to generate this series for v5.4.
[CVE-2023-33288 - kernel: use-after-free in bq24190_remove in drivers/power/supply/bq24190_charger.c]
Patch 1: Dependency Patch #1 - mainline commit 1a37a0397116 (v5.9-rc1)
Patch 2: Dependency Patch #2 - v5.10.y commit 18359b8e30c4 (v5.10.177)
Patch 3: CVE-2023-33288 fix - v5.10.y commit 2b346876b931 (v5.10.177)
---
Dinghao Liu (1): power: supply: bq24190_charger: Fix runtime PM imbalance on error
Minghao Chi (1): power: supply: bq24190_charger: using pm_runtime_resume_and_get instead of pm_runtime_get_sync
Zheng Wang (1): power: supply: bq24190: Fix use after free bug in bq24190_remove due to race condition
drivers/power/supply/bq24190_charger.c | 60 +++++++++-----------------
1 file changed, 21 insertions(+), 39 deletions(-)
From: Dinghao Liu dinghao.liu@zju.edu.cn
[ Upstream commit 1a37a039711610dd53ec03d8cab9e81875338225 ]
pm_runtime_get_sync() increments the runtime PM usage counter even if it returns an error code. Thus a pairing decrement is needed on the error handling path to keep the counter balanced.
Signed-off-by: Dinghao Liu dinghao.liu@zju.edu.cn
Reviewed-by: Rafael J. Wysocki rafael.j.wysocki@intel.com
Signed-off-by: Sebastian Reichel sebastian.reichel@collabora.com
Stable-dep-of: 47c29d692129 ("power: supply: bq24190: Fix use after free bug in bq24190_remove due to race condition")
Signed-off-by: Shubham Kulkarni skulkarni@mvista.com
---
drivers/power/supply/bq24190_charger.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/power/supply/bq24190_charger.c b/drivers/power/supply/bq24190_charger.c index f912284b2e55..446b6f13dc8a 100644 --- a/drivers/power/supply/bq24190_charger.c +++ b/drivers/power/supply/bq24190_charger.c @@ -484,8 +484,10 @@ static ssize_t bq24190_sysfs_store(struct device *dev, return ret;
ret = pm_runtime_get_sync(bdi->dev); - if (ret < 0) + if (ret < 0) { + pm_runtime_put_noidle(bdi->dev); return ret; + }
ret = bq24190_write_mask(bdi, info->reg, info->mask, info->shift, v); if (ret)
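Review bot: the error branch added in bq24190_sysfs_store() has no comment saying why a put follows a failed get, and the reason (pm_runtime_get_sync() raises the usage counter even when it returns an error) is not obvious to someone reading the driver later. pm_runtime_put_noidle() is the appropriate call there because it only drops the counter. This patch touches a single call site; the removed lines in the next patch of this series show the other pm_runtime_get_sync() callers in this file already carrying the same put, which would be worth saying in the backport note so reviewers do not have to check each one.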
[ Sasha's backport helper bot ]
Hi,
✅ All tests passed successfully. No issues detected. No action required from the submitter.
The upstream commit SHA1 provided is correct: 1a37a039711610dd53ec03d8cab9e81875338225
WARNING: Author mismatch between patch and upstream commit:
Backport author: skulkarni@mvista.com
Commit author: Dinghao Liu dinghao.liu@zju.edu.cn
Status in newer kernel trees:
6.15.y | Present (exact SHA1)
6.12.y | Present (exact SHA1)
6.6.y | Present (exact SHA1)
6.1.y | Present (exact SHA1)
5.15.y | Present (exact SHA1)
5.10.y | Present (exact SHA1)
Note: The patch differs from the upstream commit: --- 1: 1a37a0397116 ! 1: 8755abaf563f power: supply: bq24190_charger: Fix runtime PM imbalance on error @@ Metadata ## Commit message ## power: supply: bq24190_charger: Fix runtime PM imbalance on error
+ [ Upstream commit 1a37a039711610dd53ec03d8cab9e81875338225 ] + pm_runtime_get_sync() increments the runtime PM usage counter even it returns an error code. Thus a pairing decrement is needed on the error handling path to keep the counter balanced. @@ Commit message Signed-off-by: Dinghao Liu dinghao.liu@zju.edu.cn Reviewed-by: Rafael J. Wysocki rafael.j.wysocki@intel.com Signed-off-by: Sebastian Reichel sebastian.reichel@collabora.com + Stable-dep-of: 47c29d692129 ("power: supply: bq24190: Fix use after free bug in bq24190_remove due to race condition") + Signed-off-by: Shubham Kulkarni skulkarni@mvista.com
## drivers/power/supply/bq24190_charger.c ## @@ drivers/power/supply/bq24190_charger.c: static ssize_t bq24190_sysfs_store(struct device *dev,
---
Results of testing on various branches:
| Branch | Patch Apply | Build Test |
|--------|-------------|------------|
| 5.4 | Success | Success |
From: Minghao Chi chi.minghao@zte.com.cn
[ Upstream commit d96a89407e5f682d1cb22569d91784506c784863 ]
Using pm_runtime_resume_and_get is more appropriate for simplifying code
Reported-by: Zeal Robot zealci@zte.com.cn
Signed-off-by: Minghao Chi chi.minghao@zte.com.cn
Signed-off-by: Sebastian Reichel sebastian.reichel@collabora.com
[ skulkarni: Minor changes in hunk #3/12 wrt the mainline commit ]
Stable-dep-of: 47c29d692129 ("power: supply: bq24190: Fix use after free bug in bq24190_remove due to race condition")
Signed-off-by: Shubham Kulkarni skulkarni@mvista.com
---
drivers/power/supply/bq24190_charger.c | 63 +++++++++-----------------
1 file changed, 21 insertions(+), 42 deletions(-)
diff --git a/drivers/power/supply/bq24190_charger.c b/drivers/power/supply/bq24190_charger.c index 446b6f13dc8a..0107b43ff554 100644 --- a/drivers/power/supply/bq24190_charger.c +++ b/drivers/power/supply/bq24190_charger.c @@ -448,11 +448,9 @@ static ssize_t bq24190_sysfs_show(struct device *dev, if (!info) return -EINVAL;
- ret = pm_runtime_get_sync(bdi->dev); - if (ret < 0) { - pm_runtime_put_noidle(bdi->dev); + ret = pm_runtime_resume_and_get(bdi->dev); + if (ret < 0) return ret; - }
ret = bq24190_read_mask(bdi, info->reg, info->mask, info->shift, &v); if (ret) @@ -483,11 +481,9 @@ static ssize_t bq24190_sysfs_store(struct device *dev, if (ret < 0) return ret;
- ret = pm_runtime_get_sync(bdi->dev); - if (ret < 0) { - pm_runtime_put_noidle(bdi->dev); + ret = pm_runtime_resume_and_get(bdi->dev); + if (ret < 0) return ret; - }
ret = bq24190_write_mask(bdi, info->reg, info->mask, info->shift, v); if (ret) @@ -506,10 +502,9 @@ static int bq24190_set_charge_mode(struct regulator_dev *dev, u8 val) struct bq24190_dev_info *bdi = rdev_get_drvdata(dev); int ret;
- ret = pm_runtime_get_sync(bdi->dev); + ret = pm_runtime_resume_and_get(bdi->dev); if (ret < 0) { dev_warn(bdi->dev, "pm_runtime_get failed: %i\n", ret); - pm_runtime_put_noidle(bdi->dev); return ret; }
@@ -539,10 +534,9 @@ static int bq24190_vbus_is_enabled(struct regulator_dev *dev) int ret; u8 val;
- ret = pm_runtime_get_sync(bdi->dev); + ret = pm_runtime_resume_and_get(bdi->dev); if (ret < 0) { dev_warn(bdi->dev, "pm_runtime_get failed: %i\n", ret); - pm_runtime_put_noidle(bdi->dev); return ret; }
@@ -1083,11 +1077,9 @@ static int bq24190_charger_get_property(struct power_supply *psy,
dev_dbg(bdi->dev, "prop: %d\n", psp);
- ret = pm_runtime_get_sync(bdi->dev); - if (ret < 0) { - pm_runtime_put_noidle(bdi->dev); + ret = pm_runtime_resume_and_get(bdi->dev); + if (ret < 0) return ret; - }
switch (psp) { case POWER_SUPPLY_PROP_CHARGE_TYPE: @@ -1157,11 +1149,9 @@ static int bq24190_charger_set_property(struct power_supply *psy,
dev_dbg(bdi->dev, "prop: %d\n", psp);
- ret = pm_runtime_get_sync(bdi->dev); - if (ret < 0) { - pm_runtime_put_noidle(bdi->dev); + ret = pm_runtime_resume_and_get(bdi->dev); + if (ret < 0) return ret; - }
switch (psp) { case POWER_SUPPLY_PROP_ONLINE: @@ -1431,11 +1421,9 @@ static int bq24190_battery_get_property(struct power_supply *psy, dev_warn(bdi->dev, "warning: /sys/class/power_supply/bq24190-battery is deprecated\n"); dev_dbg(bdi->dev, "prop: %d\n", psp);
- ret = pm_runtime_get_sync(bdi->dev); - if (ret < 0) { - pm_runtime_put_noidle(bdi->dev); + ret = pm_runtime_resume_and_get(bdi->dev); + if (ret < 0) return ret; - }
switch (psp) { case POWER_SUPPLY_PROP_STATUS: @@ -1479,11 +1467,9 @@ static int bq24190_battery_set_property(struct power_supply *psy, dev_warn(bdi->dev, "warning: /sys/class/power_supply/bq24190-battery is deprecated\n"); dev_dbg(bdi->dev, "prop: %d\n", psp);
- ret = pm_runtime_get_sync(bdi->dev); - if (ret < 0) { - pm_runtime_put_noidle(bdi->dev); + ret = pm_runtime_resume_and_get(bdi->dev); + if (ret < 0) return ret; - }
switch (psp) { case POWER_SUPPLY_PROP_ONLINE: @@ -1637,10 +1623,9 @@ static irqreturn_t bq24190_irq_handler_thread(int irq, void *data) int error;
bdi->irq_event = true; - error = pm_runtime_get_sync(bdi->dev); + error = pm_runtime_resume_and_get(bdi->dev); if (error < 0) { dev_warn(bdi->dev, "pm_runtime_get failed: %i\n", error); - pm_runtime_put_noidle(bdi->dev); return IRQ_NONE; } bq24190_check_status(bdi); @@ -1860,11 +1845,9 @@ static int bq24190_remove(struct i2c_client *client) struct bq24190_dev_info *bdi = i2c_get_clientdata(client); int error;
- error = pm_runtime_get_sync(bdi->dev); - if (error < 0) { + error = pm_runtime_resume_and_get(bdi->dev); + if (error < 0) dev_warn(bdi->dev, "pm_runtime_get failed: %i\n", error); - pm_runtime_put_noidle(bdi->dev); - }
bq24190_register_reset(bdi); if (bdi->battery) @@ -1913,11 +1896,9 @@ static __maybe_unused int bq24190_pm_suspend(struct device *dev) struct bq24190_dev_info *bdi = i2c_get_clientdata(client); int error;
- error = pm_runtime_get_sync(bdi->dev); - if (error < 0) { + error = pm_runtime_resume_and_get(bdi->dev); + if (error < 0) dev_warn(bdi->dev, "pm_runtime_get failed: %i\n", error); - pm_runtime_put_noidle(bdi->dev); - }
bq24190_register_reset(bdi);
@@ -1938,11 +1919,9 @@ static __maybe_unused int bq24190_pm_resume(struct device *dev) bdi->f_reg = 0; bdi->ss_reg = BQ24190_REG_SS_VBUS_STAT_MASK; /* impossible state */
- error = pm_runtime_get_sync(bdi->dev); - if (error < 0) { + error = pm_runtime_resume_and_get(bdi->dev); + if (error < 0) dev_warn(bdi->dev, "pm_runtime_get failed: %i\n", error); - pm_runtime_put_noidle(bdi->dev); - }
bq24190_register_reset(bdi); bq24190_set_config(bdi);
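Review bot: in the bq24190_remove(), bq24190_pm_suspend() and bq24190_pm_resume() hunks the failure branch only warns and then falls through to bq24190_register_reset(bdi), so these functions keep running after pm_runtime_resume_and_get() has already dropped the usage counter. The counter ends up balanced on failure exactly as before (the removed pm_runtime_put_noidle() performed the same decrement), but any put later in these functions, outside the visible context, has to stay conditional on error >= 0; please confirm that holds for the 5.4 code. The dev_warn() strings still read "pm_runtime_get failed", which no longer names the function being called. The commit message mentions minor changes in hunk #3/12 relative to mainline without saying what they are; a one-line description would help anyone comparing this backport with the upstream commit.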
[ Sasha's backport helper bot ]
Hi,
✅ All tests passed successfully. No issues detected. No action required from the submitter.
The upstream commit SHA1 provided is correct: d96a89407e5f682d1cb22569d91784506c784863
WARNING: Author mismatch between patch and upstream commit:
Backport author: skulkarni@mvista.com
Commit author: Minghao Chi chi.minghao@zte.com.cn
Status in newer kernel trees:
6.15.y | Present (exact SHA1)
6.12.y | Present (exact SHA1)
6.6.y | Present (exact SHA1)
6.1.y | Present (exact SHA1)
5.15.y | Present (different SHA1: 10ce6db6253d)
5.10.y | Present (different SHA1: 18359b8e30c4)
Note: Could not generate a diff with upstream commit:
---
Note: Could not generate diff - patch failed to apply for comparison
---
Results of testing on various branches:
| Branch | Patch Apply | Build Test |
|--------|-------------|------------|
| 5.4 | Success | Success |
From: Zheng Wang zyytlz.wz@163.com
[ Upstream commit 47c29d69212911f50bdcdd0564b5999a559010d4 ]
In bq24190_probe, &bdi->input_current_limit_work is bound with bq24190_input_current_limit_work. When the external power changes, it will call bq24190_charger_external_power_changed to start the work.
If we remove the module, which will call bq24190_remove to clean up, there may be unfinished work. The possible sequence is as follows:
CPU0                            CPU1
                                | bq24190_input_current_limit_work
bq24190_remove                  |
power_supply_unregister         |
device_unregister               |
power_supply_dev_release        |
kfree(psy)                      |
                                |
                                | power_supply_get_property_from_supplier
                                | //use
Fix it by finishing the work before cleanup in the bq24190_remove
Fixes: 97774672573a ("power_supply: Initialize changed_work before calling device_add")
Signed-off-by: Zheng Wang zyytlz.wz@163.com
Signed-off-by: Sebastian Reichel sebastian.reichel@collabora.com
Signed-off-by: Shubham Kulkarni skulkarni@mvista.com
---
drivers/power/supply/bq24190_charger.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/power/supply/bq24190_charger.c b/drivers/power/supply/bq24190_charger.c index 0107b43ff554..34f570ccbe47 100644 --- a/drivers/power/supply/bq24190_charger.c +++ b/drivers/power/supply/bq24190_charger.c @@ -1845,6 +1845,7 @@ static int bq24190_remove(struct i2c_client *client) struct bq24190_dev_info *bdi = i2c_get_clientdata(client); int error;
+ cancel_delayed_work_sync(&bdi->input_current_limit_work); error = pm_runtime_resume_and_get(bdi->dev); if (error < 0) dev_warn(bdi->dev, "pm_runtime_get failed: %i\n", error);
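Review bot: cancel_delayed_work_sync() is the first statement in bq24190_remove(), ahead of the power supply unregistration, and the commit message says the work is started from bq24190_charger_external_power_changed(). Nothing in the visible hunk stops that callback from queueing input_current_limit_work again after the cancel returns and before the unregister completes, which would reopen the window drawn in the commit message's CPU0/CPU1 sequence. Please confirm what prevents a re-queue at that point on 5.4, or record the ordering assumption in a comment above the call.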
[ Sasha's backport helper bot ]
Hi,
✅ All tests passed successfully. No issues detected. No action required from the submitter.
The upstream commit SHA1 provided is correct: 47c29d69212911f50bdcdd0564b5999a559010d4
WARNING: Author mismatch between patch and upstream commit:
Backport author: skulkarni@mvista.com
Commit author: Zheng Wang zyytlz.wz@163.com
Status in newer kernel trees:
6.15.y | Present (exact SHA1)
6.12.y | Present (exact SHA1)
6.6.y | Present (exact SHA1)
6.1.y | Present (different SHA1: 84bdb3b76b07)
5.15.y | Present (different SHA1: 4ca3fd39c72e)
5.10.y | Present (different SHA1: 2b346876b931)
Note: Could not generate a diff with upstream commit:
---
Note: Could not generate diff - patch failed to apply for comparison
---
Results of testing on various branches:
| Branch | Patch Apply | Build Test |
|--------|-------------|------------|
| 5.4 | Success | Success |
linux-stable-mirror@lists.linaro.org