pwrseq: core: fix use-after-free in pwrseq_debugfs_seq_next()

pwrseq_debugfs_seq_next() declares 'next' with __free(put_device),
which causes put_device() to be called on the returned pointer when
the variable goes out of scope.  This results in a use-after-free
since the seq_file framework receives a pointer whose reference has
already been dropped.

Simply removing __free(put_device) would fix the UAF but would leak
the reference acquired by bus_find_next_device(), as stop() only
calls up_read(&pwrseq_sem) and never releases the device reference.

Fix this by making the reference counting consistent across all
seq_file callbacks, matching the standard pattern used by PCI and
SCSI:

- start(): use get_device() so it returns a referenced pointer.
- next(): explicitly put_device(curr) to release the previous
  device's reference (no NULL check needed - the seq_file framework
  only calls next() while the previous return was non-NULL).
- stop(): put_device(data) to release the last iterated device's
  reference, with a NULL guard since stop() may be called with NULL
  when start() returned NULL or next() reached end-of-sequence.

Cc: stable@vger.kernel.org
Fixes: 249ebf3f65f8 ("power: sequencing: implement the pwrseq core")
Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
Link: https://patch.msgid.link/20260616151049.1705503-1-vulab@iscas.ac.cn
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>

diff --git a/drivers/power/sequencing/core.c b/drivers/power/sequencing/core.c
index 89694092981f76d750ca399d59a65c7e89d52051..c1c2265160a33352ef86216347e1d175824d9d5f 100644 (file)
--- a/drivers/power/sequencing/core.c
+++ b/drivers/power/sequencing/core.c
@@ -1012,8 +1012,9 @@ static void *pwrseq_debugfs_seq_start(struct seq_file *seq, loff_t *pos)
        ctx.index = *pos;
 
        /*
-        * We're holding the lock for the entire printout so no need to fiddle
-        * with device reference count.
+        * Hold the lock for the entire printout to prevent device removal.
+        * Reference counts are managed by start()/next()/stop() as required
+        * by the seq_file contract.
         */
        down_read(&pwrseq_sem);
 
@@ -1021,7 +1022,7 @@ static void *pwrseq_debugfs_seq_start(struct seq_file *seq, loff_t *pos)
        if (!ctx.index)
                return NULL;
 
-       return ctx.dev;
+       return get_device(ctx.dev);
 }
 
 static void *pwrseq_debugfs_seq_next(struct seq_file *seq, void *data,
@@ -1031,8 +1032,9 @@ static void *pwrseq_debugfs_seq_next(struct seq_file *seq, void *data,
 
        ++*pos;
 
-       struct device *next __free(put_device) =
-                       bus_find_next_device(&pwrseq_bus, curr);
+       struct device *next = bus_find_next_device(&pwrseq_bus, curr);
+
+       put_device(curr);
        return next;
 }
 
@@ -1081,6 +1083,8 @@ static int pwrseq_debugfs_seq_show(struct seq_file *seq, void *data)
 
 static void pwrseq_debugfs_seq_stop(struct seq_file *seq, void *data)
 {
+       if (data)
+               put_device(data);
        up_read(&pwrseq_sem);
 }