From nobody Mon Dec 1 22:05:42 2025 Received: from outboundhk.mxmail.xiaomi.com (outboundhk.mxmail.xiaomi.com [118.143.206.90]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 2ADEE29ACFC for ; Thu, 27 Nov 2025 02:57:26 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=118.143.206.90 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1764212249; cv=none; b=gh9+Yz0rLL33EVWE9Z3tMy0X1hTDkLKFc8oYjitVsirf/JsXf7t6Lf2Uafj+ZQJ7RP7181K13fWDLxlcowYJowCAY1B6tuhQjnlkabeBphRjJVDqbMmHKbpyWybKu/gWlMXXepQnf//eKrBvx/IwnvWJkxaFfFTeY2BKik9FyvE= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1764212249; c=relaxed/simple; bh=GhmxEQkAuCekcED8kGZoLwwC39TAjaBkyh1MOoEGmGM=; h=From:To:CC:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=nRE/WLLRATB3BbHG6uLmyxkRSzwyz6UojIi9Y0qIJzQn8oi1SbmKtva3jAAB5+7n1VTbU04BBw77YryjOnXxLmaPp1zpB9jL8MO7go01hOBn4BjUco1/tfNoI/lpj7srFjbrdCCPinkx269Qk7yMN0GN2dMAf8n5FUGrNIyHLOo= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=xiaomi.com; spf=pass smtp.mailfrom=xiaomi.com; arc=none smtp.client-ip=118.143.206.90 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=xiaomi.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=xiaomi.com X-CSE-ConnectionGUID: JkuvfiiyQKyZ3mZMjmKUJA== X-CSE-MsgGUID: NJp8Za+pRi+9AJLwR6XAaQ== X-IronPort-AV: E=Sophos;i="6.20,230,1758556800"; d="scan'208";a="133764331" From: sparkhuang To: Liam Girdwood , Mark Brown , Charles Keepax , CC: , , , sparkhuang Subject: [PATCH v2] regulator: core: Protect regulator_supply_alias_list with regulator_list_mutex Date: Thu, 27 Nov 2025 10:57:16 +0800 Message-ID: <20251127025716.5440-1-huangshaobo3@xiaomi.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <877bdd6a-0ab1-4d54-96ba-ca7073f882e7@sirena.org.uk> References: <877bdd6a-0ab1-4d54-96ba-ca7073f882e7@sirena.org.uk> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-ClientProxiedBy: BJ-MBX01.mioffice.cn (10.237.8.121) To BJ-MBX01.mioffice.cn (10.237.8.121) Content-Type: text/plain; charset="utf-8" regulator_supply_alias_list was accessed without any locking in regulator_supply_alias(), regulator_register_supply_alias(), and regulator_unregister_supply_alias(). Concurrent registration, unregistration and lookups can race, leading to: 1 use-after-free if an alias entry is removed while being read, 2 duplicate entries when two threads register the same alias, 3 inconsistent alias mappings observed by consumers. Protect all traversals, insertions and deletions on regulator_supply_alias_list with the existing regulator_list_mutex. Fixes: a06ccd9c3785f ("regulator: core: Add ability to create a lookup alia= s for supply") Signed-off-by: sparkhuang Reviewed-by: Charles Keepax --- v2: - after list_add, mutex_lock is changed to mutex_unlock. - the object in list_add has been changed from map to new_map https://lore.kernel.org/all/20251126061542.3849-1-huangshaobo3@xiaomi.com/ Thanks to Mark Brown and Charles for reviewing --- --- drivers/regulator/core.c | 32 ++++++++++++++++++++------------ 1 file changed, 20 insertions(+), 12 deletions(-) diff --git a/drivers/regulator/core.c b/drivers/regulator/core.c index dd7b10e768c0..994c3be96f8e 100644 --- a/drivers/regulator/core.c +++ b/drivers/regulator/core.c @@ -1942,6 +1942,7 @@ static void regulator_supply_alias(struct device **de= v, const char **supply) { struct regulator_supply_alias *map; =20 + mutex_lock(®ulator_list_mutex); map =3D regulator_find_supply_alias(*dev, *supply); if (map) { dev_dbg(*dev, "Mapping supply %s to %s,%s\n", @@ -1950,6 +1951,7 @@ static void regulator_supply_alias(struct device **de= v, const char **supply) *dev =3D map->alias_dev; *supply =3D map->alias_supply; } + mutex_unlock(®ulator_list_mutex); } =20 static int regulator_match(struct device *dev, const void *data) @@ -2492,22 +2494,26 @@ int regulator_register_supply_alias(struct device *= dev, const char *id, const char *alias_id) { struct regulator_supply_alias *map; + struct regulator_supply_alias *new_map; =20 - map =3D regulator_find_supply_alias(dev, id); - if (map) - return -EEXIST; - - map =3D kzalloc(sizeof(struct regulator_supply_alias), GFP_KERNEL); - if (!map) + new_map =3D kzalloc(sizeof(struct regulator_supply_alias), GFP_KERNEL); + if (!new_map) return -ENOMEM; =20 - map->src_dev =3D dev; - map->src_supply =3D id; - map->alias_dev =3D alias_dev; - map->alias_supply =3D alias_id; - - list_add(&map->list, ®ulator_supply_alias_list); + mutex_lock(®ulator_list_mutex); + map =3D regulator_find_supply_alias(dev, id); + if (map) { + mutex_unlock(®ulator_list_mutex); + kfree(new_map); + return -EEXIST; + } =20 + new_map->src_dev =3D dev; + new_map->src_supply =3D id; + new_map->alias_dev =3D alias_dev; + new_map->alias_supply =3D alias_id; + list_add(&new_map->list, ®ulator_supply_alias_list); + mutex_unlock(®ulator_list_mutex); pr_info("Adding alias for supply %s,%s -> %s,%s\n", id, dev_name(dev), alias_id, dev_name(alias_dev)); =20 @@ -2527,11 +2533,13 @@ void regulator_unregister_supply_alias(struct devic= e *dev, const char *id) { struct regulator_supply_alias *map; =20 + mutex_lock(®ulator_list_mutex); map =3D regulator_find_supply_alias(dev, id); if (map) { list_del(&map->list); kfree(map); } + mutex_unlock(®ulator_list_mutex); } EXPORT_SYMBOL_GPL(regulator_unregister_supply_alias); =20 --=20 2.34.1