kernel / kernel-source

Clone
Source Code
GIT

Files

  1.   4dd5f9fd4c92b8ed670da852f738a830a5ca61bf
  2.   patches.suse
  3.   spi-cadence-qspi-fix-pointer-reference-in-runtime-PM-hooks.patch
Blob Blame History Raw 
From: =?utf-8?q?Th=C3=A9o_Lebrun_=3Ctheo=2Elebrun=40bootlin=2Ecom=3E?=
Date: Thu, 22 Feb 2024 11:12:29 +0100
Subject: spi: cadence-qspi: fix pointer reference in runtime PM hooks
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Git-commit: 32ce3bb57b6b402de2aec1012511e7ac4e7449dc
Patch-mainline: v6.8-rc7
References: CVE-2024-26807 bsc#1222801

dev_get_drvdata() gets used to acquire the pointer to cqspi and the SPI
controller. Neither embed the other; this lead to memory corruption.

On a given platform (Mobileye EyeQ5) the memory corruption is hidden
inside cqspi->f_pdata. Also, this uninitialised memory is used as a
mutex (ctlr->bus_lock_mutex) by spi_controller_suspend().

Fixes: 2087e85bb66e ("spi: cadence-quadspi: fix suspend-resume implementations")
Reviewed-by: Dhruva Gole <d-gole@ti.com>
Signed-off-by: Théo Lebrun <theo.lebrun@bootlin.com>
Link: https://msgid.link/r/20240222-cdns-qspi-pm-fix-v4-1-6b6af8bcbf59@bootlin.com
Signed-off-by: Mark Brown <broonie@kernel.org>
[iivanov: Adapt the fix for SLE15-SP5 without kABI breakage"
Acked-by: Ivan T. Ivanov <iivanov@suse.de>
---
 drivers/spi/spi-cadence-quadspi.c |   19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)

--- a/drivers/spi/spi-cadence-quadspi.c
+++ b/drivers/spi/spi-cadence-quadspi.c
@@ -1446,6 +1446,13 @@ static int cqspi_probe(struct platform_d
 	master->mem_ops = &cqspi_mem_ops;
 	master->dev.of_node = pdev->dev.of_node;
 
+	/*
+	 * hack: Fix bsc#1222801 CVE-2024-26807
+	 * Upstream commit 32ce3bb57b6b402de2aec1012511e7ac4e7449dc
+	 * Reuse this unused member to keep SPI host reference
+	 */
+	pdev->mfd_cell = (struct mfd_cell *) master;
+
 	cqspi = spi_master_get_devdata(master);
 
 	cqspi->pdev = pdev;
@@ -1592,6 +1599,9 @@ static int cqspi_remove(struct platform_
 {
 	struct cqspi_st *cqspi = platform_get_drvdata(pdev);
 
+	/* hack: Fix bsc#1222801 CVE-2024-26807 */
+	cqspi->pdev->mfd_cell = NULL;
+
 	cqspi_controller_enable(cqspi, 0);
 
 	if (cqspi->rx_chan)
@@ -1609,9 +1619,11 @@ static int cqspi_remove(struct platform_
 static int cqspi_suspend(struct device *dev)
 {
 	struct cqspi_st *cqspi = dev_get_drvdata(dev);
-	struct spi_master *master = dev_get_drvdata(dev);
+	struct spi_master *master;
 	int ret;
 
+	/* hack: Fix bsc#1222801 CVE-2024-26807 */
+	master = (struct spi_master *) cqspi->pdev->mfd_cell;
 	ret = spi_master_suspend(master);
 	cqspi_controller_enable(cqspi, 0);
 
@@ -1623,7 +1635,10 @@ static int cqspi_suspend(struct device *
 static int cqspi_resume(struct device *dev)
 {
 	struct cqspi_st *cqspi = dev_get_drvdata(dev);
-	struct spi_master *master = dev_get_drvdata(dev);
+	struct spi_master *master;
+
+	/* hack: Fix bsc#1222801 CVE-2024-26807 */
+	master = (struct spi_master *) cqspi->pdev->mfd_cell;
 
 	clk_prepare_enable(cqspi->clk);
 	cqspi_wait_idle(cqspi);
Powered by Pagure 5.13.3
DocumentationAbout this InstanceSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.