Commit e2344aa9 authored by Daniel Okazaki's avatar Daniel Okazaki Committed by Wenyu Huang
Browse files

eeprom: at24: fix memory corruption race condition 

stable inclusion
from stable-v5.10.217
commit c850f71fca09ea41800ed55905980063d17e01da
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9Q9F4
CVE: CVE-2024-35848

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-5.10.y&id=c850f71fca09ea41800ed55905980063d17e01da



--------------------------------

[ Upstream commit f42c97027fb75776e2e9358d16bf4a99aeb04cf2 ]

If the eeprom is not accessible, an nvmem device will be registered, the
read will fail, and the device will be torn down. If another driver
accesses the nvmem device after the teardown, it will reference
invalid memory.

Move the failure point before registering the nvmem device.

Signed-off-by: default avatarDaniel Okazaki <dtokazaki@google.com>
Fixes: b20eb4c1 ("eeprom: at24: drop unnecessary label")
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20240422174337.2487142-1-dtokazaki@google.com


Signed-off-by: default avatarBartosz Golaszewski <bartosz.golaszewski@linaro.org>
Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
Signed-off-by: default avatarWenyu Huang <huangwenyu5@huawei.com>
parent db8faa59

drivers/misc/eeprom/at24.c

+8 −8
Original line number Diff line number Diff line
@@ -757,14 +757,6 @@ static int at24_probe(struct i2c_client *client) 
	pm_runtime_set_active(dev);

	pm_runtime_enable(dev);



	at24->nvmem = devm_nvmem_register(dev, &nvmem_config);

	if (IS_ERR(at24->nvmem)) {

		pm_runtime_disable(dev);

		if (!pm_runtime_status_suspended(dev))

			regulator_disable(at24->vcc_reg);

		return PTR_ERR(at24->nvmem);

	}



	/*

	 * Perform a one-byte test read to verify that the

	 * chip is functional.
@@ -777,6 +769,14 @@ static int at24_probe(struct i2c_client *client) 
		return -ENODEV;

	}



	at24->nvmem = devm_nvmem_register(dev, &nvmem_config);

	if (IS_ERR(at24->nvmem)) {

		pm_runtime_disable(dev);

		if (!pm_runtime_status_suspended(dev))

			regulator_disable(at24->vcc_reg);

		return PTR_ERR(at24->nvmem);

	}



	pm_runtime_idle(dev);



	if (writable)