firmware: arm_scpi: Ensure scpi_info is not assigned if the probe fails

PlaidCat · PlaidCat · commit 3136b9e9e859 · 2025-10-03T16:43:39.000-04:00
jira LE-4321 cve CVE-2022-50087 Rebuild_History Non-Buildable kernel-4.18.0-553.77.1.el8_10 commit-author Sudeep Holla <sudeep.holla@arm.com> commit 689640e Empty-Commit: Cherry-Pick Conflicts during history rebuild. Will be included in final tarball splat. Ref for failed cherry-pick at: ciq/ciq_backports/kernel-4.18.0-553.77.1.el8_10/689640ef.failed When scpi probe fails, at any point, we need to ensure that the scpi_info is not set and will remain NULL until the probe succeeds. If it is not taken care, then it could result use-after-free as the value is exported via get_scpi_ops() and could refer to a memory allocated via devm_kzalloc() but freed when the probe fails. Link: https://lore.kernel.org/r/20220701160310.148344-1-sudeep.holla@arm.com Cc: stable@vger.kernel.org # 4.19+ Reported-by: huhai <huhai@kylinos.cn> Reviewed-by: Jackie Liu <liuyun01@kylinos.cn> Signed-off-by: Sudeep Holla <sudeep.holla@arm.com> (cherry picked from commit 689640e) Signed-off-by: Jonathan Maple <jmaple@ciq.com> # Conflicts: # drivers/firmware/arm_scpi.c
diff --git a/ciq/ciq_backports/kernel-4.18.0-553.77.1.el8_10/689640ef.failed b/ciq/ciq_backports/kernel-4.18.0-553.77.1.el8_10/689640ef.failed
@@ -0,0 +1,70 @@
+firmware: arm_scpi: Ensure scpi_info is not assigned if the probe fails
+
+jira LE-4321
+cve CVE-2022-50087
+Rebuild_History Non-Buildable kernel-4.18.0-553.77.1.el8_10
+commit-author Sudeep Holla <sudeep.holla@arm.com>
+commit 689640efc0a2c4e07e6f88affe6d42cd40cc3f85
+Empty-Commit: Cherry-Pick Conflicts during history rebuild.
+Will be included in final tarball splat. Ref for failed cherry-pick at:
+ciq/ciq_backports/kernel-4.18.0-553.77.1.el8_10/689640ef.failed
+
+When scpi probe fails, at any point, we need to ensure that the scpi_info
+is not set and will remain NULL until the probe succeeds. If it is not
+taken care, then it could result use-after-free as the value is exported
+via get_scpi_ops() and could refer to a memory allocated via devm_kzalloc()
+but freed when the probe fails.
+
+Link: https://lore.kernel.org/r/20220701160310.148344-1-sudeep.holla@arm.com
+	Cc: stable@vger.kernel.org # 4.19+
+	Reported-by: huhai <huhai@kylinos.cn>
+	Reviewed-by: Jackie Liu <liuyun01@kylinos.cn>
+	Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
+(cherry picked from commit 689640efc0a2c4e07e6f88affe6d42cd40cc3f85)
+	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
+
+# Conflicts:
+#	drivers/firmware/arm_scpi.c
+diff --cc drivers/firmware/arm_scpi.c
+index c7d06a36b23a,435d0e2658a4..000000000000
+--- a/drivers/firmware/arm_scpi.c
++++ b/drivers/firmware/arm_scpi.c
+@@@ -1011,22 -1017,23 +1015,31 @@@ static int scpi_probe(struct platform_d
+  	else
+  		dev_info(dev, "SCP Protocol %lu.%lu Firmware %lu.%lu.%lu version\n",
+  			 FIELD_GET(PROTO_REV_MAJOR_MASK,
+- 				   scpi_info->protocol_version),
++ 				   scpi_drvinfo->protocol_version),
+  			 FIELD_GET(PROTO_REV_MINOR_MASK,
+- 				   scpi_info->protocol_version),
++ 				   scpi_drvinfo->protocol_version),
+  			 FIELD_GET(FW_REV_MAJOR_MASK,
+- 				   scpi_info->firmware_version),
++ 				   scpi_drvinfo->firmware_version),
+  			 FIELD_GET(FW_REV_MINOR_MASK,
+- 				   scpi_info->firmware_version),
++ 				   scpi_drvinfo->firmware_version),
+  			 FIELD_GET(FW_REV_PATCH_MASK,
+- 				   scpi_info->firmware_version));
+- 	scpi_info->scpi_ops = &scpi_ops;
++ 				   scpi_drvinfo->firmware_version));
+  
+++<<<<<<< HEAD
+ +	ret = devm_device_add_groups(dev, versions_groups);
+ +	if (ret)
+ +		dev_err(dev, "unable to create sysfs version group\n");
+ +
+ +	return devm_of_platform_populate(dev);
+++=======
++ 	scpi_drvinfo->scpi_ops = &scpi_ops;
++ 
++ 	ret = devm_of_platform_populate(dev);
++ 	if (ret)
++ 		scpi_info = NULL;
++ 
++ 	return ret;
+++>>>>>>> 689640efc0a2 (firmware: arm_scpi: Ensure scpi_info is not assigned if the probe fails)
+  }
+  
+  static const struct of_device_id scpi_of_match[] = {
+* Unmerged path drivers/firmware/arm_scpi.c
