* [PATCH 5.4.y 0/3] Backport CVE-2023-33288 fix to stable kernel v5.4.y
@ 2025-07-21 11:48 skulkarni
From: skulkarni @ 2025-07-21 11:48 UTC (permalink / raw)
To: stable; +Cc: Shubham Kulkarni
From: Shubham Kulkarni <skulkarni@mvista.com>
Hi Greg/All,
This patch series backports the fix for CVE-2023-33288 along with its 2 dependency commits to 5.4 stable kernel.
These patches are already part of stable kernel v5.10.y and I have referred to those commits to generate
this series for v5.4.
[CVE-2023-33288 - kernel: use-after-free in bq24190_remove in drivers/power/supply/bq24190_charger.c]
Patch 1: Dependency Patch #1 - mainline commit 1a37a0397116 (v5.9-rc1)
Patch 2: Dependency Patch #2 - v5.10.y commit 18359b8e30c4 (v5.10.177)
Patch 3: CVE-2023-33288 fix - v5.10.y commit 2b346876b931 (v5.10.177)
---
Dinghao Liu (1):
power: supply: bq24190_charger: Fix runtime PM imbalance on error
Minghao Chi (1):
power: supply: bq24190_charger: using pm_runtime_resume_and_get
instead of pm_runtime_get_sync
Zheng Wang (1):
power: supply: bq24190: Fix use after free bug in bq24190_remove due
to race condition
drivers/power/supply/bq24190_charger.c | 60 +++++++++-----------------
1 file changed, 21 insertions(+), 39 deletions(-)
--
2.25.1
* [PATCH 5.4.y 1/3] power: supply: bq24190_charger: Fix runtime PM imbalance on error
From: skulkarni @ 2025-07-21 11:48 UTC (permalink / raw)
To: stable; +Cc: Dinghao Liu, Rafael J . Wysocki, Sebastian Reichel, Shubham Kulkarni
From: Dinghao Liu <dinghao.liu@zju.edu.cn>
[ Upstream commit 1a37a039711610dd53ec03d8cab9e81875338225 ]
pm_runtime_get_sync() increments the runtime PM usage counter even if it returns an error code. Thus a pairing decrement is needed on the error handling path to keep the counter balanced.
Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn>
Reviewed-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
Stable-dep-of: 47c29d692129 ("power: supply: bq24190: Fix use after free bug in bq24190_remove due to race condition")
Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
--- drivers/power/supply/bq24190_charger.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/power/supply/bq24190_charger.c b/drivers/power/supply/bq24190_charger.c index f912284b2e55..446b6f13dc8a 100644 --- a/drivers/power/supply/bq24190_charger.c +++ b/drivers/power/supply/bq24190_charger.c
@@ -484,8 +484,10 @@ static ssize_t bq24190_sysfs_store(struct device *dev, return ret; ret = pm_runtime_get_sync(bdi->dev); - if (ret < 0) + if (ret < 0) { + pm_runtime_put_noidle(bdi->dev); return ret; + } ret = bq24190_write_mask(bdi, info->reg, info->mask, info->shift, v); if (ret) -- 2.25.1 ^ permalink raw reply related [flat|nested] 7+ messages in thread
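Review bot: In bq24190_sysfs_store(), the new error branch balances the counter with pm_runtime_put_noidle() and returns, but neither the changelog nor the code says why the no-idle variant is the right decrement here. A short remark that the resume has already failed, so only the usage counter needs to be dropped and no idle callback should be triggered, would make the choice reviewable. These same lines are rewritten again by 2/3 into pm_runtime_resume_and_get(), so the two patches should be checked together.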
* Re: [PATCH 5.4.y 1/3] power: supply: bq24190_charger: Fix runtime PM imbalance on error
From: Sasha Levin @ 2025-07-21 13:59 UTC (permalink / raw)
To: stable; +Cc: Sasha Levin
[ Sasha's backport helper bot ]
Hi,
✅ All tests passed successfully. No issues detected.
No action required from the submitter.
The upstream commit SHA1 provided is correct: 1a37a039711610dd53ec03d8cab9e81875338225
WARNING: Author mismatch between patch and upstream commit:
Backport author: <skulkarni@mvista.com>
Commit author: Dinghao Liu <dinghao.liu@zju.edu.cn>
Status in newer kernel trees:
6.15.y | Present (exact SHA1)
6.12.y | Present (exact SHA1)
6.6.y | Present (exact SHA1)
6.1.y | Present (exact SHA1)
5.15.y | Present (exact SHA1)
5.10.y | Present (exact SHA1)
Note: The patch differs from the upstream commit:
---
1: 1a37a0397116 ! 1: 8755abaf563f power: supply: bq24190_charger: Fix runtime PM imbalance on error @@ Metadata ## Commit message ## power: supply: bq24190_charger: Fix runtime PM imbalance on error + [ Upstream commit 1a37a039711610dd53ec03d8cab9e81875338225 ] + pm_runtime_get_sync() increments the runtime PM usage counter even it returns an error code. Thus a pairing decrement is needed on the error handling path to keep the counter balanced. @@ Commit message Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn> Reviewed-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com> Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com> + Stable-dep-of: 47c29d692129 ("power: supply: bq24190: Fix use after free bug in bq24190_remove due to race condition") + Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com> ## drivers/power/supply/bq24190_charger.c ## @@ drivers/power/supply/bq24190_charger.c: static ssize_t bq24190_sysfs_store(struct device *dev,
---
Results of testing on various branches:
| Branch                    | Patch Apply | Build Test |
|---------------------------|-------------|------------|
| 5.4                       | Success     | Success    |
* [PATCH 5.4.y 2/3] power: supply: bq24190_charger: using pm_runtime_resume_and_get instead of pm_runtime_get_sync
From: skulkarni @ 2025-07-21 11:48 UTC (permalink / raw)
To: stable; +Cc: Minghao Chi, Zeal Robot, Sebastian Reichel, Shubham Kulkarni
From: Minghao Chi <chi.minghao@zte.com.cn>
[ Upstream commit d96a89407e5f682d1cb22569d91784506c784863 ]
Using pm_runtime_resume_and_get is more appropriate for simplifying code
Reported-by: Zeal Robot <zealci@zte.com.cn>
Signed-off-by: Minghao Chi <chi.minghao@zte.com.cn>
Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
[ skulkarni: Minor changes in hunk #3/12 wrt the mainline commit ]
Stable-dep-of: 47c29d692129 ("power: supply: bq24190: Fix use after free bug in bq24190_remove due to race condition")
Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
--- drivers/power/supply/bq24190_charger.c | 63 +++++++++----------------- 1 file changed, 21 insertions(+), 42 deletions(-) diff --git a/drivers/power/supply/bq24190_charger.c b/drivers/power/supply/bq24190_charger.c index 446b6f13dc8a..0107b43ff554 100644 --- a/drivers/power/supply/bq24190_charger.c +++ b/drivers/power/supply/bq24190_charger.c @@ -448,11 +448,9 @@ static ssize_t bq24190_sysfs_show(struct device *dev, if (!info) return -EINVAL; - ret = pm_runtime_get_sync(bdi->dev); - if (ret < 0) { - pm_runtime_put_noidle(bdi->dev); + ret = pm_runtime_resume_and_get(bdi->dev); + if (ret < 0) return ret; - } ret = bq24190_read_mask(bdi, info->reg, info->mask, info->shift, &v); if (ret)
@@ -483,11 +481,9 @@ static ssize_t bq24190_sysfs_store(struct device *dev, if (ret < 0) return ret; - ret = pm_runtime_get_sync(bdi->dev); - if (ret < 0) { - pm_runtime_put_noidle(bdi->dev); + ret = pm_runtime_resume_and_get(bdi->dev); + if (ret < 0) return ret; - } ret = bq24190_write_mask(bdi, info->reg, info->mask, info->shift, v); if (ret) @@ -506,10 +502,9 @@ static int bq24190_set_charge_mode(struct regulator_dev *dev, u8 val) struct bq24190_dev_info *bdi = rdev_get_drvdata(dev); int ret; - ret = pm_runtime_get_sync(bdi->dev); + ret = pm_runtime_resume_and_get(bdi->dev); if (ret < 0) { dev_warn(bdi->dev, "pm_runtime_get failed: %i\n", ret); - pm_runtime_put_noidle(bdi->dev); return ret; } @@ -539,10 +534,9 @@ static int bq24190_vbus_is_enabled(struct regulator_dev *dev) int ret; u8 val; - ret = pm_runtime_get_sync(bdi->dev); + ret = pm_runtime_resume_and_get(bdi->dev); if (ret < 0) { dev_warn(bdi->dev, "pm_runtime_get failed: %i\n", ret); - pm_runtime_put_noidle(bdi->dev); return ret; } @@ -1083,11 +1077,9 @@ static int bq24190_charger_get_property(struct power_supply *psy, dev_dbg(bdi->dev, "prop: %d\n", psp); - ret = pm_runtime_get_sync(bdi->dev); - if (ret < 0) { - pm_runtime_put_noidle(bdi->dev); + ret = pm_runtime_resume_and_get(bdi->dev); + if (ret < 0) return ret; - } switch (psp) { case POWER_SUPPLY_PROP_CHARGE_TYPE: @@ -1157,11 +1149,9 @@ static int bq24190_charger_set_property(struct power_supply *psy, dev_dbg(bdi->dev, "prop: %d\n", psp); - ret = pm_runtime_get_sync(bdi->dev); - if (ret < 0) { - pm_runtime_put_noidle(bdi->dev); + ret = pm_runtime_resume_and_get(bdi->dev); + if (ret < 0) return ret; - } switch (psp) { case POWER_SUPPLY_PROP_ONLINE: 
@@ -1431,11 +1421,9 @@ static int bq24190_battery_get_property(struct power_supply *psy, dev_warn(bdi->dev, "warning: /sys/class/power_supply/bq24190-battery is deprecated\n"); dev_dbg(bdi->dev, "prop: %d\n", psp); - ret = pm_runtime_get_sync(bdi->dev); - if (ret < 0) { - pm_runtime_put_noidle(bdi->dev); + ret = pm_runtime_resume_and_get(bdi->dev); + if (ret < 0) return ret; - } switch (psp) { case POWER_SUPPLY_PROP_STATUS: @@ -1479,11 +1467,9 @@ static int bq24190_battery_set_property(struct power_supply *psy, dev_warn(bdi->dev, "warning: /sys/class/power_supply/bq24190-battery is deprecated\n"); dev_dbg(bdi->dev, "prop: %d\n", psp); - ret = pm_runtime_get_sync(bdi->dev); - if (ret < 0) { - pm_runtime_put_noidle(bdi->dev); + ret = pm_runtime_resume_and_get(bdi->dev); + if (ret < 0) return ret; - } switch (psp) { case POWER_SUPPLY_PROP_ONLINE: @@ -1637,10 +1623,9 @@ static irqreturn_t bq24190_irq_handler_thread(int irq, void *data) int error; bdi->irq_event = true; - error = pm_runtime_get_sync(bdi->dev); + error = pm_runtime_resume_and_get(bdi->dev); if (error < 0) { dev_warn(bdi->dev, "pm_runtime_get failed: %i\n", error); - pm_runtime_put_noidle(bdi->dev); return IRQ_NONE; } bq24190_check_status(bdi); @@ -1860,11 +1845,9 @@ static int bq24190_remove(struct i2c_client *client) struct bq24190_dev_info *bdi = i2c_get_clientdata(client); int error; - error = pm_runtime_get_sync(bdi->dev); - if (error < 0) { + error = pm_runtime_resume_and_get(bdi->dev); + if (error < 0) dev_warn(bdi->dev, "pm_runtime_get failed: %i\n", error); - pm_runtime_put_noidle(bdi->dev); - } bq24190_register_reset(bdi); if (bdi->battery) 
@@ -1913,11 +1896,9 @@ static __maybe_unused int bq24190_pm_suspend(struct device *dev) struct bq24190_dev_info *bdi = i2c_get_clientdata(client); int error; - error = pm_runtime_get_sync(bdi->dev); - if (error < 0) { + error = pm_runtime_resume_and_get(bdi->dev); + if (error < 0) dev_warn(bdi->dev, "pm_runtime_get failed: %i\n", error); - pm_runtime_put_noidle(bdi->dev); - } bq24190_register_reset(bdi); @@ -1938,11 +1919,9 @@ static __maybe_unused int bq24190_pm_resume(struct device *dev) bdi->f_reg = 0; bdi->ss_reg = BQ24190_REG_SS_VBUS_STAT_MASK; /* impossible state */ - error = pm_runtime_get_sync(bdi->dev); - if (error < 0) { + error = pm_runtime_resume_and_get(bdi->dev); + if (error < 0) dev_warn(bdi->dev, "pm_runtime_get failed: %i\n", error); - pm_runtime_put_noidle(bdi->dev); - } bq24190_register_reset(bdi); bq24190_set_config(bdi); -- 2.25.1 ^ permalink raw reply related [flat|nested] 7+ messages in thread
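Review bot: The backport note says hunk #3/12 (bq24190_set_charge_mode(), at @@ -506,10 +502,9) differs from the mainline commit but does not say how. Please spell out the deviation in the bracketed note, for example which context or changed line is different on 5.4.y; the backport helper bot reports that it could not generate a diff against upstream for this patch, so the difference cannot be checked mechanically.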
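Review bot: In bq24190_remove(), bq24190_pm_suspend() and bq24190_pm_resume() the failure branch only warns and then falls through to bq24190_register_reset(bdi), and with pm_runtime_resume_and_get() the usage count has already been dropped on that path. The hunks do not show the matching put further down in these three functions; it has to remain conditional on error >= 0 in the 5.4.y tree, otherwise the counter is decremented a second time after a failed resume. Please confirm that against the 5.4.y source and mention it in the changelog.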
* Re: [PATCH 5.4.y 2/3] power: supply: bq24190_charger: using pm_runtime_resume_and_get instead of pm_runtime_get_sync
From: Sasha Levin @ 2025-07-21 13:59 UTC (permalink / raw)
To: stable; +Cc: Sasha Levin
[ Sasha's backport helper bot ]
Hi,
✅ All tests passed successfully. No issues detected.
No action required from the submitter.
The upstream commit SHA1 provided is correct: d96a89407e5f682d1cb22569d91784506c784863
WARNING: Author mismatch between patch and upstream commit:
Backport author: <skulkarni@mvista.com>
Commit author: Minghao Chi <chi.minghao@zte.com.cn>
Status in newer kernel trees:
6.15.y | Present (exact SHA1)
6.12.y | Present (exact SHA1)
6.6.y | Present (exact SHA1)
6.1.y | Present (exact SHA1)
5.15.y | Present (different SHA1: 10ce6db6253d)
5.10.y | Present (different SHA1: 18359b8e30c4)
Note: Could not generate a diff with upstream commit:
---
Note: Could not generate diff - patch failed to apply for comparison
---
Results of testing on various branches:
| Branch                    | Patch Apply | Build Test |
|---------------------------|-------------|------------|
| 5.4                       | Success     | Success    |
* [PATCH 5.4.y 3/3] power: supply: bq24190: Fix use after free bug in bq24190_remove due to race condition
From: skulkarni @ 2025-07-21 11:48 UTC (permalink / raw)
To: stable; +Cc: Zheng Wang, Sebastian Reichel, Shubham Kulkarni
From: Zheng Wang <zyytlz.wz@163.com>
[ Upstream commit 47c29d69212911f50bdcdd0564b5999a559010d4 ]
In bq24190_probe, &bdi->input_current_limit_work is bound with bq24190_input_current_limit_work. When external power changed, it will call bq24190_charger_external_power_changed to start the work.
If we remove the module which will call bq24190_remove to make cleanup, there may be an unfinished work. The possible sequence is as follows:
CPU0                          CPU1
                            | bq24190_input_current_limit_work
bq24190_remove              |
power_supply_unregister     |
device_unregister           |
power_supply_dev_release    |
kfree(psy)                  |
                            |
                            | power_supply_get_property_from_supplier
                            | //use
Fix it by finishing the work before cleanup in the bq24190_remove
Fixes: 97774672573a ("power_supply: Initialize changed_work before calling device_add")
Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
--- drivers/power/supply/bq24190_charger.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/power/supply/bq24190_charger.c b/drivers/power/supply/bq24190_charger.c index 0107b43ff554..34f570ccbe47 100644 --- a/drivers/power/supply/bq24190_charger.c +++ b/drivers/power/supply/bq24190_charger.c
@@ -1845,6 +1845,7 @@ static int bq24190_remove(struct i2c_client *client) struct bq24190_dev_info *bdi = i2c_get_clientdata(client); int error; + cancel_delayed_work_sync(&bdi->input_current_limit_work); error = pm_runtime_resume_and_get(bdi->dev); if (error < 0) dev_warn(bdi->dev, "pm_runtime_get failed: %i\n", error); -- 2.25.1 ^ permalink raw reply related [flat|nested] 7+ messages in thread
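Review bot: cancel_delayed_work_sync() is placed as the first statement of bq24190_remove(), ahead of pm_runtime_resume_and_get() and of the power_supply_unregister() that the changelog's sequence shows freeing psy, and nothing in the hunk keeps the work from being queued again in between. The changelog names bq24190_charger_external_power_changed() as the function that starts input_current_limit_work, so an external power change arriving after the cancel but before the unregister could schedule it once more. Please state in the changelog why a requeue in that window cannot happen on 5.4.y, or block rescheduling before the cancel.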
* Re: [PATCH 5.4.y 3/3] power: supply: bq24190: Fix use after free bug in bq24190_remove due to race condition
From: Sasha Levin @ 2025-07-21 13:59 UTC (permalink / raw)
To: stable; +Cc: Sasha Levin
[ Sasha's backport helper bot ]
Hi,
✅ All tests passed successfully. No issues detected.
No action required from the submitter.
The upstream commit SHA1 provided is correct: 47c29d69212911f50bdcdd0564b5999a559010d4
WARNING: Author mismatch between patch and upstream commit:
Backport author: <skulkarni@mvista.com>
Commit author: Zheng Wang <zyytlz.wz@163.com>
Status in newer kernel trees:
6.15.y | Present (exact SHA1)
6.12.y | Present (exact SHA1)
6.6.y | Present (exact SHA1)
6.1.y | Present (different SHA1: 84bdb3b76b07)
5.15.y | Present (different SHA1: 4ca3fd39c72e)
5.10.y | Present (different SHA1: 2b346876b931)
Note: Could not generate a diff with upstream commit:
---
Note: Could not generate diff - patch failed to apply for comparison
---
Results of testing on various branches:
| Branch                    | Patch Apply | Build Test |
|---------------------------|-------------|------------|
| 5.4                       | Success     | Success    |