ieee802154: ca8210: Fix a potential UAF in ca8210_probe (85c2857e) · Commits · e / devices / android_kernel_fairphone_FP5

[ Upstream commit f990874b1c98fe8e57ee9385669f501822979258 ] If of_clk_add_provider() fails in ca8210_register_ext_clock(), it calls clk_unregister() to release priv->clk and returns an error. However, the caller ca8210_probe() then calls ca8210_remove(), where priv->clk is freed again in ca8210_unregister_ext_clock(). In this case, a use-after-free may happen in the second time we call clk_unregister(). Fix this by removing the first clk_unregister(). Also, priv->clk could be an error code on failure of clk_register_fixed_rate(). Use IS_ERR_OR_NULL to catch this case in ca8210_unregister_ext_clock(). Fixes: ("ieee802154: Add CA8210 IEEE 802.15.4 device driver") Signed-off-by:

Dinghao Liu <dinghao.liu@zju.edu.cn> Message-ID: <20231007033049.22353-1-dinghao.liu@zju.edu.cn> Signed-off-by:

Stefan Schmidt <stefan@datenfreihafen.org> Signed-off-by:

Sasha Levin <sashal@kernel.org>

drivers/net/ieee802154/ca8210.c

+3 −14

Original line number	Diff line number	Diff line
		@@ -2782,7 +2782,6 @@ static int ca8210_register_ext_clock(struct spi_device *spi)
		struct device_node *np = spi->dev.of_node;
		struct ca8210_priv *priv = spi_get_drvdata(spi);
		struct ca8210_platform_data *pdata = spi->dev.platform_data;
		int ret = 0;

		if (!np)
		return -EFAULT;
		@@ -2799,18 +2798,8 @@ static int ca8210_register_ext_clock(struct spi_device *spi)
		dev_crit(&spi->dev, "Failed to register external clk\n");
		return PTR_ERR(priv->clk);
		}
		ret = of_clk_add_provider(np, of_clk_src_simple_get, priv->clk);
		if (ret) {
		clk_unregister(priv->clk);
		dev_crit(
		&spi->dev,
		"Failed to register external clock as clock provider\n"
		);
		} else {
		dev_info(&spi->dev, "External clock set as clock provider\n");
		}

		return ret;
		return of_clk_add_provider(np, of_clk_src_simple_get, priv->clk);
		}

		/**
		@@ -2822,8 +2811,8 @@ static void ca8210_unregister_ext_clock(struct spi_device *spi)
		{
		struct ca8210_priv *priv = spi_get_drvdata(spi);

		if (!priv->clk)
		return
		if (IS_ERR_OR_NULL(priv->clk))
		return;

		of_clk_del_provider(spi->dev.of_node);
		clk_unregister(priv->clk);