CVE-2024-40975
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
12/07/2024
Last modified:
06/10/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

platform/x86: x86-android-tablets: Unregister devices in reverse order

Not all subsystems support a device getting removed while there are
still consumers of the device with a reference to the device.

One example of this is the regulator subsystem. If a regulator gets
unregistered while there are still drivers holding a reference,
a WARN() at drivers/regulator/core.c:5829 triggers, e.g.:

WARNING: CPU: 1 PID: 1587 at drivers/regulator/core.c:5829 regulator_unregister
Hardware name: Intel Corp. VALLEYVIEW C0 PLATFORM/BYT-T FFD8, BIOS BLADE_21.X64.0005.R00.1504101516 FFD8_X64_R_2015_04_10_1516 04/10/2015
RIP: 0010:regulator_unregister
Call Trace:

regulator_unregister
devres_release_group
i2c_device_remove
device_release_driver_internal
bus_remove_device
device_del
device_unregister
x86_android_tablet_remove

On the Lenovo Yoga Tablet 2 series the bq24190 charger chip also provides
a 5V boost converter output for powering USB devices connected to the micro
USB port; the bq24190-charger driver exports this as a Vbus regulator.

On the 830 (8") and 1050 (10") models this regulator is controlled by
a platform_device and x86_android_tablet_remove() removes platform_device-s
before i2c_clients, so the consumer gets removed first.

But on the 1380 (13") model there is a lc824206xa micro-USB switch
connected over I2C and the extcon driver for that controls the regulator.
The bq24190 i2c-client *must* be registered first, because that creates
the regulator with the lc824206xa listed as its consumer. If the regulator
has not been registered yet, the lc824206xa driver will end up getting
a dummy regulator.

Since in this case both the regulator provider and consumer are I2C
devices, the only way to ensure that the consumer is unregistered first
is to unregister the I2C devices in the reverse of the order in which
they were created.

For consistency and to avoid similar problems in the future, change
x86_android_tablet_remove() to unregister all device types in reverse
order.
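
The ordering problem described above can be reproduced in a small user-space model. This is an added example, not the kernel patch or any code from the driver: `toy_dev`, `toy_register`, `toy_unregister` and `teardown_warnings` are hypothetical names, and the two-device topology is a constructed sample based on the 1380 case.

```c
#include <stdio.h>

/* Toy device (hypothetical model): supplier is the index it references, or -1. */
struct toy_dev {
    const char *name;
    int supplier;
    int open_refs; /* consumers still holding a reference to this device */
};

static struct toy_dev devs[4];
static int dev_count;

/* Register in creation order; a consumer takes a reference on its supplier. */
static void toy_register(const char *name, int supplier)
{
    devs[dev_count] = (struct toy_dev){ name, supplier, 0 };
    if (supplier >= 0)
        devs[supplier].open_refs++;
    dev_count++;
}

/* Returns 1 if consumers still reference the device being removed (the WARN() case). */
static int toy_unregister(int i)
{
    int warned = devs[i].open_refs > 0;
    if (warned)
        fprintf(stderr, "WARN: %s removed with %d consumer(s)\n",
                devs[i].name, devs[i].open_refs);
    if (devs[i].supplier >= 0)
        devs[devs[i].supplier].open_refs--; /* consumer drops its reference */
    return warned;
}

/* Build provider-then-consumer (constructed sample), tear down, count warnings. */
static int teardown_warnings(int reverse)
{
    int warnings = 0;
    dev_count = 0;
    toy_register("bq24190 (provider)", -1);
    toy_register("lc824206xa (consumer)", 0);
    for (int n = 0; n < dev_count; n++)
        warnings += toy_unregister(reverse ? dev_count - 1 - n : n);
    return warnings;
}

int main(void)
{
    printf("forward: %d warning(s)\n", teardown_warnings(0));
    printf("reverse: %d warning(s)\n", teardown_warnings(1));
    return 0;
}
```
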
Impact
Base Score 3.x
5.50
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.17 (including) | 6.6.64 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.9.7 (excluding) |
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/36ff963c133a25ed1166a25c3ba8b357ea010fda
- https://git.kernel.org/stable/c/3de0f2627ef849735f155c1818247f58404dddfe
- https://git.kernel.org/stable/c/f0c982853d665597d17e4995ff479fbbf79a9cf6



