4.9-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 28 Dec 2020 11:53:02 +0000 (12:53 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 28 Dec 2020 11:53:02 +0000 (12:53 +0100)
added patches:
pci-fix-pci_slot_release-null-pointer-dereference.patch

queue-4.9/pci-fix-pci_slot_release-null-pointer-dereference.patch [new file with mode: 0644]
queue-4.9/series

diff --git a/queue-4.9/pci-fix-pci_slot_release-null-pointer-dereference.patch b/queue-4.9/pci-fix-pci_slot_release-null-pointer-dereference.patch
new file mode 100644 (file)
index 0000000..d8f4ced
--- /dev/null
@@ -0,0 +1,65 @@
+From 4684709bf81a2d98152ed6b610e3d5c403f9bced Mon Sep 17 00:00:00 2001
+From: Jubin Zhong <zhongjubin@huawei.com>
+Date: Wed, 2 Dec 2020 10:33:42 +0800
+Subject: PCI: Fix pci_slot_release() NULL pointer dereference
+
+From: Jubin Zhong <zhongjubin@huawei.com>
+
+commit 4684709bf81a2d98152ed6b610e3d5c403f9bced upstream.
+
+If kobject_init_and_add() fails, pci_slot_release() is called to delete
+slot->list from parent->slots.  But slot->list hasn't been initialized
+yet, so we dereference a NULL pointer:
+
+  Unable to handle kernel NULL pointer dereference at virtual address
+00000000
+  ...
+  CPU: 10 PID: 1 Comm: swapper/0 Not tainted 4.4.240 #197
+  task: ffffeb398a45ef10 task.stack: ffffeb398a470000
+  PC is at __list_del_entry_valid+0x5c/0xb0
+  LR is at pci_slot_release+0x84/0xe4
+  ...
+  __list_del_entry_valid+0x5c/0xb0
+  pci_slot_release+0x84/0xe4
+  kobject_put+0x184/0x1c4
+  pci_create_slot+0x17c/0x1b4
+  __pci_hp_initialize+0x68/0xa4
+  pciehp_probe+0x1a4/0x2fc
+  pcie_port_probe_service+0x58/0x84
+  driver_probe_device+0x320/0x470
+
+Initialize slot->list before calling kobject_init_and_add() to avoid this.
+
+Fixes: 8a94644b440e ("PCI: Fix pci_create_slot() reference count leak")
+Link: https://lore.kernel.org/r/1606876422-117457-1-git-send-email-zhongjubin@huawei.com
+Signed-off-by: Jubin Zhong <zhongjubin@huawei.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Cc: stable@vger.kernel.org     # v5.9+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pci/slot.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/pci/slot.c
++++ b/drivers/pci/slot.c
+@@ -307,6 +307,9 @@ placeholder:
+               goto err;
+       }
++      INIT_LIST_HEAD(&slot->list);
++      list_add(&slot->list, &parent->slots);
++
+       err = kobject_init_and_add(&slot->kobj, &pci_slot_ktype, NULL,
+                                  "%s", slot_name);
+       if (err) {
+@@ -314,9 +317,6 @@ placeholder:
+               goto err;
+       }
+-      INIT_LIST_HEAD(&slot->list);
+-      list_add(&slot->list, &parent->slots);
+-
+       down_read(&pci_bus_sem);
+       list_for_each_entry(dev, &parent->devices, bus_list)
+               if (PCI_SLOT(dev->devfn) == slot_nr)
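Review bot: The relocated `INIT_LIST_HEAD(&slot->list); list_add(&slot->list, &parent->slots);` pair at the top of the hunk carries no comment saying why it must run before `kobject_init_and_add()`, and nothing stops a later cleanup from moving it back to where it was. The ordering matters because `pci_slot_release()`, reached through `kobject_put()` on the error path, does `list_del()` on `slot->list`, so an uninitialised list head there is exactly the NULL dereference this patch fixes. I would put above the `INIT_LIST_HEAD` line: `/* Link the slot before kobject_init_and_add(): on its failure path kobject_put() -> pci_slot_release() runs list_del(&slot->list). */`. A consequence of the move is that the slot sits on `parent->slots` while its kobject is still uninitialised; the hunk does not show the locking around this (presumably the caller already holds `pci_slot_mutex`), so it is worth confirming that no reader walks `parent->slots` without it during that window. The enclosing `pci_create_slot()` starts and ends outside the hunk.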
index ec06a4c75e51333fe1338a1e0c5965891f951c1c..7a65e5502e6d65e59b69119c7e888ad44aeeddd0 100644 (file)
@@ -173,3 +173,4 @@ iio-adc-rockchip_saradc-fix-missing-clk_disable_unprepare-on-error-in-rockchip_s
 iio-pressure-mpl3115-force-alignment-of-buffer.patch
 clk-mvebu-a3700-fix-the-xtal-mode-pin-to-mpp1_9.patch
 xen-blkback-set-ring-xenblkd-to-null-after-kthread_stop.patch
+pci-fix-pci_slot_release-null-pointer-dereference.patch