From patchwork Thu Jun  8 06:29:43 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Po-Hsu Lin <po-hsu.lin@canonical.com>
X-Patchwork-Id: 772819
Return-Path: <kernel-team-bounces@lists.ubuntu.com>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Received: from huckleberry.canonical.com (huckleberry.canonical.com
	[91.189.94.19])
	by ozlabs.org (Postfix) with ESMTP id 3wjwX043p6z9s8H;
	Thu,  8 Jun 2017 16:30:08 +1000 (AEST)
Authentication-Results: ozlabs.org;
	dkim=fail reason="signature verification failed" (2048-bit key;
	unprotected) header.d=canonical-com.20150623.gappssmtp.com
	header.i=@canonical-com.20150623.gappssmtp.com
	header.b="ZZybuXq/"; dkim-atps=neutral
Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com)
	by huckleberry.canonical.com with esmtp (Exim 4.76)
	(envelope-from <kernel-team-bounces@lists.ubuntu.com>)
	id 1dIqxI-0001hh-Vg; Thu, 08 Jun 2017 06:30:04 +0000
Received: from mail-pf0-f180.google.com ([209.85.192.180])
	by huckleberry.canonical.com with esmtps
	(TLS1.0:RSA_AES_128_CBC_SHA1:16)
	(Exim 4.76) (envelope-from <po-hsu.lin@canonical.com>)
	id 1dIqx8-0001gZ-W4
	for kernel-team@lists.ubuntu.com; Thu, 08 Jun 2017 06:29:55 +0000
Received: by mail-pf0-f180.google.com with SMTP id 9so13688911pfj.1
	for <kernel-team@lists.ubuntu.com>;
	Wed, 07 Jun 2017 23:29:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=canonical-com.20150623.gappssmtp.com; s=20150623;
	h=from:to:subject:date:message-id:in-reply-to:references;
	bh=5QD7jCr882FWrvEe6u/EVtv7CYnXyQGHAuHB7/NGcQw=;
	b=ZZybuXq/tKkbSjjTmt6nH2e5HnsCQBr5dDP9sCAlDaeVPClwEBE0/Ef+vJdSNWPJyS
	efJAsfnjc7wP8UIT0JHgDuLVXUP6LUOXzuxZkyrRk19xobgGgh6v49PpZdAlzwyfNq7N
	whBCGbmzzusec/nrePZU1UE8ITvbHs9Cyx/m/x/gDK/CnX/DrASmEMzN1FQ03OTw86aS
	fQ4DlQ2KPHtQecEQkNGCfuxFO+rlIGeWTvcORMi9yNqgRYQV/rbMpffajDoe5oIhh3OE
	v//p6EPnIx6+ICf6T3HXcmFiCqPlhFW3YivGlS2KhdPIOOwxmvrtmQzLkwmQJsYsYtfP
	bWfw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:from:to:subject:date:message-id:in-reply-to
	:references;
	bh=5QD7jCr882FWrvEe6u/EVtv7CYnXyQGHAuHB7/NGcQw=;
	b=mVBPFSgNE2cdagceV2UCKoLVaguYUPLW09ukh/wLy/En2uNhBvvsuocQIIMkNbPWJW
	0OJKZxtoTr5kWP+rL51/tWwNZBTyX+ZaSrexVUUimw7W+RqMJx7AB6FEQ7OGUCjEqtl5
	JAt5G/rLOoGl7ZMqpB+0C3BdQ4K7FCxo7CXp7zHLAGT8mhTMS+KTUGQaLMSE7Qj6k5jk
	5luDjP77Txf9StH5jN8+IwvuOpi0ZMlarm/pMWVDisYXb7WZyh5PBzXLh6j+45gvBvCB
	GoUwFZq/OwSAfXym0hed1JA4o1An1sTlC2nUSjU39OQEfqGl4MUHs3wpobo6Z0TDhaRj
	3Reg==
X-Gm-Message-State: AODbwcBeINOWE+11STpmuIZaGtCwcWKeIJlkhrFkJ16BBXoyHHPRnyKl
	WvJn5ckVkgapHY4eaz8=
X-Received: by 10.99.96.9 with SMTP id u9mr36445390pgb.97.1496903393005;
	Wed, 07 Jun 2017 23:29:53 -0700 (PDT)
Received: from localhost.localdomain ([175.41.48.77])
	by smtp.gmail.com with ESMTPSA id
	d19sm8478801pfd.35.2017.06.07.23.29.52
	for <kernel-team@lists.ubuntu.com>
	(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
	Wed, 07 Jun 2017 23:29:52 -0700 (PDT)
From: Po-Hsu Lin <po-hsu.lin@canonical.com>
To: kernel-team@lists.ubuntu.com
Subject: [CVE-2014-9940][PATCH Trusty] regulator: core: Fix
	regualtor_ena_gpio_free not to access pin after freeing
Date: Thu,  8 Jun 2017 14:29:43 +0800
Message-Id: <1496903383-10129-2-git-send-email-po-hsu.lin@canonical.com>
X-Mailer: git-send-email 1.7.9.5
In-Reply-To: <1496903383-10129-1-git-send-email-po-hsu.lin@canonical.com>
References: <1496903383-10129-1-git-send-email-po-hsu.lin@canonical.com>
X-BeenThere: kernel-team@lists.ubuntu.com
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: Kernel team discussions <kernel-team.lists.ubuntu.com>
List-Unsubscribe: <https://lists.ubuntu.com/mailman/options/kernel-team>,
	<mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe>
List-Archive: <https://lists.ubuntu.com/archives/kernel-team>
List-Post: <mailto:kernel-team@lists.ubuntu.com>
List-Help: <mailto:kernel-team-request@lists.ubuntu.com?subject=help>
List-Subscribe: <https://lists.ubuntu.com/mailman/listinfo/kernel-team>,
	<mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe>
MIME-Version: 1.0
Errors-To: kernel-team-bounces@lists.ubuntu.com
Sender: kernel-team-bounces@lists.ubuntu.com

From: Seung-Woo Kim <sw0312.kim@samsung.com>

CVE-2014-9940

After freeing pin from regulator_ena_gpio_free, loop can access
the pin. So this patch fixes not to access pin after freeing.

Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
(cherry picked from commit 60a2362f769cf549dc466134efe71c8bf9fbaaba)

Signed-off-by: Po-Hsu Lin <po-hsu.lin@canonical.com>
Acked-by: Colin Ian King <colin.king@canonical.com>
---
 drivers/regulator/core.c |    2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/regulator/core.c b/drivers/regulator/core.c
index d1db4fb..2d396dc 100644
--- a/drivers/regulator/core.c
+++ b/drivers/regulator/core.c
@@ -1702,6 +1702,8 @@ static void regulator_ena_gpio_free(struct regulator_dev *rdev)
 				gpio_free(pin->gpio);
 				list_del(&pin->list);
 				kfree(pin);
+				rdev->ena_pin = NULL;
+				return;
 			} else {
 				pin->request_count--;
 			}