Re: [PATCH][5.15.y] gpio: pca953x: fix pca953x_irq_bus_sync_unlock race

On Fri, Dec 13, 2024 at 04:15:09PM +0530, Harshit Mogalapalli wrote:
> Hi Guocai,
> 
> On 13/12/24 16:01, guocai.he.cn@xxxxxxxxxxxxx wrote:
> > From: Ian Ray <ian.ray@xxxxxxxxxxxxxxxx>
> > 
> > [ Upstream commit bfc6444b57dc7186b6acc964705d7516cbaf3904 ]
> > 
> > Ensure that `i2c_lock' is held when setting interrupt latch and mask in
> > pca953x_irq_bus_sync_unlock() in order to avoid races.
> > 
> > The other (non-probe) call site pca953x_gpio_set_multiple() ensures the
> > lock is held before calling pca953x_write_regs().
> > 
> > The problem occurred when a request raced against irq_bus_sync_unlock()
> > approximately once per thousand reboots on an i.MX8MP based system.
> > 
> >   * Normal case
> > 
> >     0-0022: write register AI|3a {03,02,00,00,01} Input latch P0
> >     0-0022: write register AI|49 {fc,fd,ff,ff,fe} Interrupt mask P0
> >     0-0022: write register AI|08 {ff,00,00,00,00} Output P3
> >     0-0022: write register AI|12 {fc,00,00,00,00} Config P3
> > 
> >   * Race case
> > 
> >     0-0022: write register AI|08 {ff,00,00,00,00} Output P3
> >     0-0022: write register AI|08 {03,02,00,00,01} *** Wrong register ***
> >     0-0022: write register AI|12 {fc,00,00,00,00} Config P3
> >     0-0022: write register AI|49 {fc,fd,ff,ff,fe} Interrupt mask P0
> > 
> > Signed-off-by: Ian Ray <ian.ray@xxxxxxxxxxxxxxxx>
> > Link: https://lore.kernel.org/r/20240620042915.2173-1-ian.ray@xxxxxxxxxxxxxxxx
> > Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@xxxxxxxxxx>
> > Signed-off-by: Guocai He <guocai.he.cn@xxxxxxxxxxxxx>
> > ---
> > This commit is to solve the CVE-2024-42253. Please merge this commit to linux-5.15.y.
> > 
> >   drivers/gpio/gpio-pca953x.c | 2 ++
> >   1 file changed, 2 insertions(+)
> > 
> > diff --git a/drivers/gpio/gpio-pca953x.c b/drivers/gpio/gpio-pca953x.c
> > index 4860bf3b7e00..4e97b6ae4f72 100644
> > --- a/drivers/gpio/gpio-pca953x.c
> > +++ b/drivers/gpio/gpio-pca953x.c
> > @@ -672,6 +672,8 @@ static void pca953x_irq_bus_sync_unlock(struct irq_data *d)
> >   	int level;
> >   	if (chip->driver_data & PCA_PCAL) {
> > +		guard(mutex)(&chip->i2c_lock);
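
Review bot: `guard(mutex)(&chip->i2c_lock);` in the `if (chip->driver_data & PCA_PCAL)` branch depends on the scope-based `guard()` cleanup helper, which the 5.15.y tree does not provide, so the backport cannot build as posted. For this tree, take the lock explicitly with `mutex_lock(&chip->i2c_lock);` before the input latch and interrupt mask writes and release it with `mutex_unlock(&chip->i2c_lock);` once both writes are done, making sure no path leaves the branch with the lock still held. Build-test the result against 5.15.y before resending.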
> 
> This wouldn't compile on 5.15.y

Which means that no one is actually testing these backports.

Ok, I'm frustrated enough.  No more windriver backports for stable trees
will now be accepted until you all get your act together and figure out
how to do this properly.

As to "how" you prove that you all know what you are doing, I will
leave that up to you to come up with a proper proposal and proof.

ugh.

greg k-h



