From: Alessandro Carminati <acarmina@redhat.com>
Date: Thu, 26 Jun 2025 08:38:09 +0000 (+0000)
Subject: regulator: core: fix NULL dereference on unbind due to stale coupling data
X-Git-Tag: v6.1.148~252
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=800a2cfb2df7f96b3fb48910fc595e0215f6b019;p=thirdparty%2Fkernel%2Fstable.git

regulator: core: fix NULL dereference on unbind due to stale coupling data

[ Upstream commit ca46946a482238b0cdea459fb82fc837fb36260e ]

Failing to reset coupling_desc.n_coupled after freeing coupled_rdevs can
lead to NULL pointer dereference when regulators are accessed post-unbind.

This can happen during runtime PM or other regulator operations that rely
on coupling metadata.

For example, on ridesx4, unbinding the 'reg-dummy' platform device triggers
a panic in regulator_lock_recursive() due to stale coupling state.

Ensure n_coupled is set to 0 to prevent access to invalid pointers.

Signed-off-by: Alessandro Carminati <acarmina@redhat.com>
Link: https://patch.msgid.link/20250626083809.314842-1-acarmina@redhat.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---

diff --git a/drivers/regulator/core.c b/drivers/regulator/core.c
index 29c9171e923a2..7e6ff7e72784b 100644
--- a/drivers/regulator/core.c
+++ b/drivers/regulator/core.c
@@ -5423,6 +5423,7 @@ static void regulator_remove_coupling(struct regulator_dev *rdev)
 				 ERR_PTR(err));
 	}
 
+	rdev->coupling_desc.n_coupled = 0;
 	kfree(rdev->coupling_desc.coupled_rdevs);
 	rdev->coupling_desc.coupled_rdevs = NULL;
 }