[SRU][F][PATCH 2/3] misc: eeprom: at24: register nvmem only after eeprom is ready to use

Hui Wang hui.wang at canonical.com
Mon Sep 9 01:10:39 UTC 2024 

From: Vadym Kochan <vadym.kochan at plvision.eu>

During nvmem_register() the nvmem core sends notifications when:

    - cell added
    - nvmem added

and during these notifications some callback func may access the nvmem
device, which will fail in case of at24 eeprom because regulator and pm
are enabled after nvmem_register().

Fixes: cd5676db0574 ("misc: eeprom: at24: support pm_runtime control")
Fixes: b20eb4c1f026 ("eeprom: at24: drop unnecessary label")
Cc: stable at vger.kernel.org
Signed-off-by: Vadym Kochan <vadym.kochan at plvision.eu>
Signed-off-by: Bartosz Golaszewski <bgolaszewski at baylibre.com>
(backported from commit 45df80d7605c25055a85fbc5a8446c81c6c0ca24)
[hui: To fix this CVE issue, we need to backport the commit
f42c97027fb7 and the commit needs devm_nvmem_register() to be moved
immediate ahead of one-byte reading test. This backporting drops
regulator_disable(at24->vcc_reg) since the regulator is introduced
by commit cd5676db0574 and the commit is not in focal kernel yet.]
CVE-2024-35848
Signed-off-by: Hui Wang <hui.wang at canonical.com>
---
 drivers/misc/eeprom/at24.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/drivers/misc/eeprom/at24.c b/drivers/misc/eeprom/at24.c
index b1c17a058215..96cd8630838f 100644
--- a/drivers/misc/eeprom/at24.c
+++ b/drivers/misc/eeprom/at24.c
@@ -695,16 +695,18 @@ static int at24_probe(struct i2c_client *client)
 	nvmem_config.word_size = 1;
 	nvmem_config.size = byte_len;
 
-	at24->nvmem = devm_nvmem_register(dev, &nvmem_config);
-	if (IS_ERR(at24->nvmem))
-		return PTR_ERR(at24->nvmem);
-
 	i2c_set_clientdata(client, at24);
 
 	/* enable runtime pm */
 	pm_runtime_set_active(dev);
 	pm_runtime_enable(dev);
 
+	at24->nvmem = devm_nvmem_register(dev, &nvmem_config);
+	if (IS_ERR(at24->nvmem)) {
+		pm_runtime_disable(dev);
+		return PTR_ERR(at24->nvmem);
+	}
+
 	/*
 	 * Perform a one-byte test read to verify that the
 	 * chip is functional.
-- 
2.34.1

More information about the kernel-team mailing list