Acknowledged
Created: Jun 19, 2025
Updated: Jun 20, 2025
Found In Version: 10.23.30.1
Severity: Standard
Applicable for: Wind River Linux LTS 23
Component/s: Kernel
In the Linux kernel, the following vulnerability has been resolved:

regulator: max20086: fix invalid memory access

max20086_parse_regulators_dt() calls of_regulator_match() using an
array of struct of_regulator_match allocated on the stack for the
matches argument.

of_regulator_match() calls devm_of_regulator_put_matches(), which calls
devres_alloc() to allocate a struct devm_of_regulator_matches which will
be de-allocated using devm_of_regulator_put_matches().

struct devm_of_regulator_matches is populated with the stack allocated
matches array.

If the device fails to probe, devm_of_regulator_put_matches() will be
called and will try to call of_node_put() on that stack pointer,
generating the following dmesg entries:

max20086 6-0028: Failed to read DEVICE_ID reg: -121
kobject: 'À$¥\x03' (000000002cebcb7a): is not initialized, yet
kobject_put() is being called.

Followed by a stack trace matching the call flow described above.

Switch to allocating the matches array using devm_kcalloc() to
avoid accessing the stack pointer long after it's out of scope.

This also has the advantage of allowing multiple max20086 to probe
without overriding the data stored inside the global of_regulator_match.
CREATE(Triage):(User=lchen-cn) [CVE-2025-38027 (https://nvd.nist.gov/vuln/detail/CVE-2025-38027)]
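The lifetime rule behind the fix, as an added userspace example that is not the kernel's or the driver's code: a device-managed cleanup callback keeps the array pointer it was given, so the array must live until that callback has run. All toy_* names are hypothetical stand-ins, and the newest-first release order models how devres unwinds.

```c
#include <stdlib.h>

/* Userspace model of devres; all toy_* names are hypothetical stand-ins. */
struct toy_node  { int refcount; };
struct toy_match { struct toy_node *of_node; };
struct toy_res { void (*release)(struct toy_res *); void *data; size_t n; struct toy_res *next; };
struct toy_dev { struct toy_res *head; };   /* entries are released newest-first */

static int toy_devres_add(struct toy_dev *d, void (*rel)(struct toy_res *),
                          void *data, size_t n) {
    struct toy_res *r = malloc(sizeof(*r));
    if (!r) return -1;
    *r = (struct toy_res){ rel, data, n, d->head };
    d->head = r;
    return 0;
}
static void toy_free_buf(struct toy_res *r) { free(r->data); }
/* Models devm_of_regulator_put_matches(): follows the saved array pointer. */
static void toy_put_matches(struct toy_res *r) {
    struct toy_match *m = r->data;
    for (size_t i = 0; i < r->n; i++)
        if (m[i].of_node) m[i].of_node->refcount--;
}
/* Models devm_kcalloc(): zeroed memory freed when the device is released. */
static void *toy_devm_calloc(struct toy_dev *d, size_t n, size_t sz) {
    void *p = calloc(n, sz);
    if (p && toy_devres_add(d, toy_free_buf, p, 0)) { free(p); p = NULL; }
    return p;
}
/* Models the cleanup that runs after a failed probe. */
static void toy_release_all(struct toy_dev *d) {
    for (struct toy_res *r; (r = d->head) != NULL; free(r)) {
        d->head = r->next;
        r->release(r);
    }
}
/* Fixed shape: the array outlives this frame (pre-fix: a local array here). */
static int toy_probe_fixed(struct toy_dev *d, struct toy_node *nodes, size_t n) {
    struct toy_match *m = toy_devm_calloc(d, n, sizeof(*m));
    if (!m || toy_devres_add(d, toy_put_matches, m, n)) return -12; /* -ENOMEM */
    for (size_t i = 0; i < n; i++) { m[i].of_node = &nodes[i]; nodes[i].refcount++; }
    return -121; /* simulated DEVICE_ID read failure, as in the dmesg line */
}
/* Returns 1 when a failed probe plus cleanup leaves both refcounts balanced. */
int toy_failed_probe_refcount(void) {
    struct toy_dev dev = { 0 };
    struct toy_node nodes[2] = { { 1 }, { 1 } };   /* constructed sample nodes */
    int ret = toy_probe_fixed(&dev, nodes, 2);
    toy_release_all(&dev);
    return (ret == -121 && nodes[0].refcount == 1) ? nodes[1].refcount : -1;
}
```

Because the array is registered before the put callback, cleanup drops the node references first and frees the array second, so the callback never reads released memory.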