2023-06-16 15:02:16

by Martin Fuzzey

[permalink] [raw]
Subject: [PATCH] regulator: da9063: fix null pointer deref with partial DT config

When some of the da9063 regulators do not have corresponding DT nodes
a null pointer dereference occurs on boot:

[ 1.559034] 8<--- cut here ---
[ 1.564014] Unable to handle kernel NULL pointer dereference at virtual address 00000098 when read
[ 1.578055] [00000098] *pgd=00000000
[ 1.593575] Internal error: Oops: 5 [#1] SMP ARM
[ 1.634870] PC is at da9063_regulator_probe+0x35c/0x788
[ 1.647934] LR is at da9063_regulator_probe+0x2e8/0x788
[ 2.073626] da9063_regulator_probe from platform_probe+0x58/0xb8
[ 2.079759] platform_probe from really_probe+0xd8/0x3c0
[ 2.085092] really_probe from __driver_probe_device+0x94/0x1e8
[ 2.091026] __driver_probe_device from driver_probe_device+0x2c/0xd0
[ 2.097479] driver_probe_device from __device_attach_driver+0xa4/0x11c
[ 2.104107] __device_attach_driver from bus_for_each_drv+0x84/0xdc
[ 2.110402] bus_for_each_drv from __device_attach_async_helper+0xb0/0x110
[ 2.117295] __device_attach_async_helper from async_run_entry_fn+0x3c/0x158
[ 2.124369] async_run_entry_fn from process_one_work+0x1d4/0x3e4
[ 2.130485] process_one_work from worker_thread+0x30/0x520
[ 2.136070] worker_thread from kthread+0xdc/0xfc

This is because such regulators have no init_data causing the pointers
calculated in da9063_check_xvp_constraints() to be invalid.

Do not dereference them in this case.

Fixes: b8717a80e6ee ("regulator: da9063: implement setter for voltage monitoring")
Signed-off-by: Martin Fuzzey <[email protected]>
---
drivers/regulator/da9063-regulator.c | 3 +++
1 file changed, 3 insertions(+)

diff --git a/drivers/regulator/da9063-regulator.c b/drivers/regulator/da9063-regulator.c
index c5dd77be558b..dfd5ec9f75c9 100644
--- a/drivers/regulator/da9063-regulator.c
+++ b/drivers/regulator/da9063-regulator.c
@@ -778,6 +778,9 @@ static int da9063_check_xvp_constraints(struct regulator_config *config)
const struct notification_limit *uv_l = &constr->under_voltage_limits;
const struct notification_limit *ov_l = &constr->over_voltage_limits;

+ if (!config->init_data) /* No config in DT, pointers will be invalid */
+ return 0;
+
/* make sure that only one severity is used to clarify if unchanged, enabled or disabled */
if ((!!uv_l->prot + !!uv_l->err + !!uv_l->warn) > 1) {
dev_err(config->dev, "%s: at most one voltage monitoring severity allowed!\n",
--
2.25.1



2023-06-16 15:17:10

by Mark Brown

[permalink] [raw]
Subject: Re: [PATCH] regulator: da9063: fix null pointer deref with partial DT config

On Fri, Jun 16, 2023 at 04:36:28PM +0200, Martin Fuzzey wrote:

> const struct notification_limit *uv_l = &constr->under_voltage_limits;
> const struct notification_limit *ov_l = &constr->over_voltage_limits;
>
> + if (!config->init_data) /* No config in DT, pointers will be invalid */
> + return 0;
> +

We already dereferenced above when we were initialising the variables,
the compiler might still generate dereferences before it does the checks
here.

> /* make sure that only one severity is used to clarify if unchanged, enabled or disabled */
> if ((!!uv_l->prot + !!uv_l->err + !!uv_l->warn) > 1) {
> dev_err(config->dev, "%s: at most one voltage monitoring severity allowed!\n",
> --
> 2.25.1
>


Attachments:
(No filename) (740.00 B)
signature.asc (499.00 B)
Download all attachments

2023-07-17 22:43:23

by Mark Brown

[permalink] [raw]
Subject: Re: [PATCH] regulator: da9063: fix null pointer deref with partial DT config

On Fri, 16 Jun 2023 16:36:28 +0200, Martin Fuzzey wrote:
> When some of the da9063 regulators do not have corresponding DT nodes
> a null pointer dereference occurs on boot:
>
> [ 1.559034] 8<--- cut here ---
> [ 1.564014] Unable to handle kernel NULL pointer dereference at virtual address 00000098 when read
> [ 1.578055] [00000098] *pgd=00000000
> [ 1.593575] Internal error: Oops: 5 [#1] SMP ARM
> [ 1.634870] PC is at da9063_regulator_probe+0x35c/0x788
> [ 1.647934] LR is at da9063_regulator_probe+0x2e8/0x788
> [ 2.073626] da9063_regulator_probe from platform_probe+0x58/0xb8
> [ 2.079759] platform_probe from really_probe+0xd8/0x3c0
> [ 2.085092] really_probe from __driver_probe_device+0x94/0x1e8
> [ 2.091026] __driver_probe_device from driver_probe_device+0x2c/0xd0
> [ 2.097479] driver_probe_device from __device_attach_driver+0xa4/0x11c
> [ 2.104107] __device_attach_driver from bus_for_each_drv+0x84/0xdc
> [ 2.110402] bus_for_each_drv from __device_attach_async_helper+0xb0/0x110
> [ 2.117295] __device_attach_async_helper from async_run_entry_fn+0x3c/0x158
> [ 2.124369] async_run_entry_fn from process_one_work+0x1d4/0x3e4
> [ 2.130485] process_one_work from worker_thread+0x30/0x520
> [ 2.136070] worker_thread from kthread+0xdc/0xfc
>
> [...]

Applied to

https://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator.git for-next

Thanks!

[1/1] regulator: da9063: fix null pointer deref with partial DT config
commit: 98e2dd5f7a8be5cb2501a897e96910393a49f0ff

All being well this means that it will be integrated into the linux-next
tree (usually sometime in the next 24 hours) and sent to Linus during
the next merge window (or sooner if it is a bug fix), however if
problems are discovered then the patch may be dropped or reverted.

You may get further e-mails resulting from automated or manual testing
and review of the tree, please engage with people reporting problems and
send followup patches addressing any issues that are reported if needed.

If any updates are required or you are submitting further changes they
should be sent as incremental updates against current git, existing
patches will not be replaced.

Please add any relevant lists and maintainers to the CCs when replying
to this mail.

Thanks,
Mark