lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <20251025160905.3857885-108-sashal@kernel.org>
Date: Sat, 25 Oct 2025 11:55:39 -0400
From: Sasha Levin <sashal@...nel.org>
To: patches@...ts.linux.dev,
	stable@...r.kernel.org
Cc: Alice Chao <alice.chao@...iatek.com>,
	Peter Wang <peter.wang@...iatek.com>,
	"Martin K. Petersen" <martin.petersen@...cle.com>,
	Sasha Levin <sashal@...nel.org>,
	matthias.bgg@...il.com,
	angelogioacchino.delregno@...labora.com,
	linux-scsi@...r.kernel.org,
	linux-mediatek@...ts.infradead.org,
	linux-kernel@...r.kernel.org,
	linux-arm-kernel@...ts.infradead.org
Subject: [PATCH AUTOSEL 6.17-6.1] scsi: ufs: host: mediatek: Fix invalid access in vccqx handling

From: Alice Chao <alice.chao@...iatek.com>

[ Upstream commit 5863638598f5e4f64d2f85b03f376383ca1f2ab7 ]

Add a NULL check before accessing the 'vccqx' pointer to prevent invalid
memory access. This ensures that the function safely handles cases where
'vccq' and 'vccq2' are not initialized, improving the robustness of the
power management code.

Signed-off-by: Alice Chao <alice.chao@...iatek.com>
Reviewed-by: Peter Wang <peter.wang@...iatek.com>
Signed-off-by: Peter Wang <peter.wang@...iatek.com>
Link: https://lore.kernel.org/r/20250811131423.3444014-11-peter.wang@mediatek.com
Signed-off-by: Martin K. Petersen <martin.petersen@...cle.com>
Signed-off-by: Sasha Levin <sashal@...nel.org>
---

LLM Generated explanations, may be completely bogus:

YES

Rationale
- The patch adds a defensive NULL guard in `ufs_mtk_vccqx_set_lpm()` so
  it immediately returns if both `vccq` and `vccq2` are absent. This
  prevents a NULL dereference on `vccqx->reg` when neither rail is
  defined in DT or has been released earlier.
- Specifically, the change adds: `if (!hba->vreg_info.vccq &&
  !hba->vreg_info.vccq2) return;` before dereferencing `vccqx` in
  `drivers/ufs/host/ufs-mediatek.c:1506`.
- Without this guard, the function selects `vccqx` from
  `hba->vreg_info.vccq` or `...vccq2` and unconditionally does
  `regulator_set_mode(vccqx->reg, ...)` (drivers/ufs/host/ufs-
  mediatek.c:1515), which is unsafe if both are NULL.
- The UFS core explicitly allows these supplies to be optional, meaning
  NULL is a valid state when a supply is not provided in DT: parsing
  populates `vccq`/`vccq2` optionally (drivers/ufs/host/ufshcd-
  pltfrm.c:168).
- The Mediatek driver also clears the pointer to NULL when it
  deliberately disables a VCCQx rail (e.g., after freeing the vreg in
  `ufs_mtk_vreg_fix_vccqx()`, drivers/ufs/host/ufs-mediatek.c:1072).
  That makes the calleeā€™s NULL-robustness important.

Why this matters despite caller checks
- Today, `ufs_mtk_dev_vreg_set_lpm()` computes `skip_vccqx` and only
  calls `ufs_mtk_vccqx_set_lpm()` when appropriate
  (drivers/ufs/host/ufs-mediatek.c:1537, 1555, 1560). However, this is a
  single call site and relies on all future call paths being equally
  careful.
- The new guard makes `ufs_mtk_vccqx_set_lpm()` itself robust,
  eliminating a class of NULL deref crashes if it is ever called without
  prior checks, or if future refactors change the call sites.

Stable backport criteria
- Bug fix that prevents kernel NULL deref (user-visible reliability
  issue).
- Change is minimal, localized, and has no architectural impact.
- No functional side effects when supplies exist; when both are absent,
  early return is the correct behavior (nothing to configure).
- Touches a specific host driver (MediaTek UFS), keeping risk of
  regression low and scope confined.

Conclusion
- This is a safe, targeted fix to avoid invalid memory access in a power
  management path. It improves robustness with negligible risk and
  should be backported to stable.

 drivers/ufs/host/ufs-mediatek.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/ufs/host/ufs-mediatek.c b/drivers/ufs/host/ufs-mediatek.c
index 82160da8ec71b..bb0be6bed1bca 100644
--- a/drivers/ufs/host/ufs-mediatek.c
+++ b/drivers/ufs/host/ufs-mediatek.c
@@ -1589,6 +1589,9 @@ static void ufs_mtk_vccqx_set_lpm(struct ufs_hba *hba, bool lpm)
 {
 	struct ufs_vreg *vccqx = NULL;
 
+	if (!hba->vreg_info.vccq && !hba->vreg_info.vccq2)
+		return;
+
 	if (hba->vreg_info.vccq)
 		vccqx = hba->vreg_info.vccq;
 	else
-- 
2.51.0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ