Message-ID: <8b602852596974df384b2d7088cadd64.sboyd@kernel.org>
In-Reply-To: <20230413-critter-synopsis-dac070a86cb4@spud>
References: <20230413-critter-synopsis-dac070a86cb4@spud>
Subject: Re: [PATCH v1] clk: microchip: fix potential UAF in auxdev release callback
From: Stephen Boyd
Cc: conor@kernel.org, Conor Dooley, stable@vger.kernel.org, Daire McNamara, Michael Turquette, Claudiu Beznea, linux-clk@vger.kernel.org, linux-kernel@vger.kernel.org
To: Conor Dooley
Date: Thu, 13 Apr 2023 15:43:45 -0700
X-Mailing-List: linux-kernel@vger.kernel.org

Quoting Conor Dooley (2023-04-13 15:20:45)
> From: Conor Dooley
>
> Similar to commit 1c11289b34ab ("peci: cpu: Fix use-after-free in
> adev_release()"), the auxiliary device is not torn down in the correct
> order. If auxiliary_device_add() fails, the release callback will be
> called twice, resulting in a UAF. Due to timing, the auxdev code in this
> driver "took inspiration" from the aforementioned commit, and thus its
> bugs too!
>
> Moving auxiliary_device_uninit() to the unregister callback instead
> avoids the issue.
>
> CC: stable@vger.kernel.org
> Fixes: b56bae2dd6fd ("clk: microchip: mpfs: add reset controller")
> Signed-off-by: Conor Dooley
> ---

Applied to clk-next