--- /dev/null
+From 09ac2694b0475f96be895848687ebcbba97eeecf Mon Sep 17 00:00:00 2001
+From: YueHaibing <yuehaibing@huawei.com>
+Date: Mon, 8 Apr 2019 11:45:29 +0800
+Subject: at76c50x-usb: Don't register led_trigger if usb_register_driver failed
+
+From: YueHaibing <yuehaibing@huawei.com>
+
+commit 09ac2694b0475f96be895848687ebcbba97eeecf upstream.
+
+Syzkaller report this:
+
+[ 1213.468581] BUG: unable to handle kernel paging request at fffffbfff83bf338
+[ 1213.469530] #PF error: [normal kernel read fault]
+[ 1213.469530] PGD 237fe4067 P4D 237fe4067 PUD 237e60067 PMD 1c868b067 PTE 0
+[ 1213.473514] Oops: 0000 [#1] SMP KASAN PTI
+[ 1213.473514] CPU: 0 PID: 6321 Comm: syz-executor.0 Tainted: G C 5.1.0-rc3+ #8
+[ 1213.473514] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
+[ 1213.473514] RIP: 0010:strcmp+0x31/0xa0
+[ 1213.473514] Code: 00 00 00 00 fc ff df 55 53 48 83 ec 08 eb 0a 84 db 48 89 ef 74 5a 4c 89 e6 48 89 f8 48 89 fa 48 8d 6f 01 48 c1 e8 03 83 e2 07 <42> 0f b6 04 28 38 d0 7f 04 84 c0 75 50 48 89 f0 48 89 f2 0f b6 5d
+[ 1213.473514] RSP: 0018:ffff8881f2b7f950 EFLAGS: 00010246
+[ 1213.473514] RAX: 1ffffffff83bf338 RBX: ffff8881ea6f7240 RCX: ffffffff825350c6
+[ 1213.473514] RDX: 0000000000000000 RSI: ffffffffc1ee19c0 RDI: ffffffffc1df99c0
+[ 1213.473514] RBP: ffffffffc1df99c1 R08: 0000000000000001 R09: 0000000000000004
+[ 1213.473514] R10: 0000000000000000 R11: ffff8881de353f00 R12: ffff8881ee727900
+[ 1213.473514] R13: dffffc0000000000 R14: 0000000000000001 R15: ffffffffc1eeaaf0
+[ 1213.473514] FS: 00007fa66fa01700(0000) GS:ffff8881f7200000(0000) knlGS:0000000000000000
+[ 1213.473514] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 1213.473514] CR2: fffffbfff83bf338 CR3: 00000001ebb9e005 CR4: 00000000007606f0
+[ 1213.473514] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 1213.473514] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 1213.473514] PKRU: 55555554
+[ 1213.473514] Call Trace:
+[ 1213.473514] led_trigger_register+0x112/0x3f0
+[ 1213.473514] led_trigger_register_simple+0x7a/0x110
+[ 1213.473514] ? 0xffffffffc1c10000
+[ 1213.473514] at76_mod_init+0x77/0x1000 [at76c50x_usb]
+[ 1213.473514] do_one_initcall+0xbc/0x47d
+[ 1213.473514] ? perf_trace_initcall_level+0x3a0/0x3a0
+[ 1213.473514] ? kasan_unpoison_shadow+0x30/0x40
+[ 1213.473514] ? kasan_unpoison_shadow+0x30/0x40
+[ 1213.473514] do_init_module+0x1b5/0x547
+[ 1213.473514] load_module+0x6405/0x8c10
+[ 1213.473514] ? module_frob_arch_sections+0x20/0x20
+[ 1213.473514] ? kernel_read_file+0x1e6/0x5d0
+[ 1213.473514] ? find_held_lock+0x32/0x1c0
+[ 1213.473514] ? cap_capable+0x1ae/0x210
+[ 1213.473514] ? __do_sys_finit_module+0x162/0x190
+[ 1213.473514] __do_sys_finit_module+0x162/0x190
+[ 1213.473514] ? __ia32_sys_init_module+0xa0/0xa0
+[ 1213.473514] ? __mutex_unlock_slowpath+0xdc/0x690
+[ 1213.473514] ? wait_for_completion+0x370/0x370
+[ 1213.473514] ? vfs_write+0x204/0x4a0
+[ 1213.473514] ? do_syscall_64+0x18/0x450
+[ 1213.473514] do_syscall_64+0x9f/0x450
+[ 1213.473514] entry_SYSCALL_64_after_hwframe+0x49/0xbe
+[ 1213.473514] RIP: 0033:0x462e99
+[ 1213.473514] Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
+[ 1213.473514] RSP: 002b:00007fa66fa00c58 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
+[ 1213.473514] RAX: ffffffffffffffda RBX: 000000000073bf00 RCX: 0000000000462e99
+[ 1213.473514] RDX: 0000000000000000 RSI: 0000000020000300 RDI: 0000000000000003
+[ 1213.473514] RBP: 00007fa66fa00c70 R08: 0000000000000000 R09: 0000000000000000
+[ 1213.473514] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fa66fa016bc
+[ 1213.473514] R13: 00000000004bcefa R14: 00000000006f6fb0 R15: 0000000000000004
+
+If usb_register failed, no need to call led_trigger_register_simple.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Fixes: 1264b951463a ("at76c50x-usb: add driver")
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/atmel/at76c50x-usb.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/atmel/at76c50x-usb.c
++++ b/drivers/net/wireless/atmel/at76c50x-usb.c
+@@ -2585,8 +2585,8 @@ static int __init at76_mod_init(void)
+ if (result < 0)
+ printk(KERN_ERR DRIVER_NAME
+ ": usb_register failed (status %d)\n", result);
+-
+- led_trigger_register_simple("at76_usb-tx", &ledtrig_tx);
++ else
++ led_trigger_register_simple("at76_usb-tx", &ledtrig_tx);
+ return result;
+ }
+
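Review bot: In at76_mod_init the new `else` branch has no comment saying why the LED trigger must not be registered after a failed usb_register(), so the ordering looks arbitrary and is easy to undo in a later cleanup. The trace in the description shows led_trigger_register() faulting in strcmp() during a module load, which suggests a trigger left behind by an earlier failed load. A comment above the `else` such as `/* register the trigger only on success: a failed init has no exit path to unregister it */` would record that. Because the error branch spans three lines, bracing both branches would also make the pairing harder to break. The function starts outside the hunk.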
--- /dev/null
+From a3c7cd0cdf1107f891aff847ad481e34df727055 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Linus=20L=C3=BCssing?= <linus.luessing@c0d3.blue>
+Date: Wed, 24 Apr 2019 03:19:14 +0200
+Subject: batman-adv: mcast: fix multicast tt/tvlv worker locking
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Linus Lüssing <linus.luessing@c0d3.blue>
+
+commit a3c7cd0cdf1107f891aff847ad481e34df727055 upstream.
+
+Syzbot has reported some issues with the locking assumptions made for
+the multicast tt/tvlv worker: It was able to trigger the WARN_ON() in
+batadv_mcast_mla_tt_retract() and batadv_mcast_mla_tt_add().
+While hard/not reproduceable for us so far it seems that the
+delayed_work_pending() we use might not be quite safe from reordering.
+
+Therefore this patch adds an explicit, new spinlock to protect the
+update of the mla_list and flags in bat_priv and then removes the
+WARN_ON(delayed_work_pending()).
+
+Reported-by: syzbot+83f2d54ec6b7e417e13f@syzkaller.appspotmail.com
+Reported-by: syzbot+050927a651272b145a5d@syzkaller.appspotmail.com
+Reported-by: syzbot+979ffc89b87309b1b94b@syzkaller.appspotmail.com
+Reported-by: syzbot+f9f3f388440283da2965@syzkaller.appspotmail.com
+Fixes: cbebd363b2e9 ("batman-adv: Use own timer for multicast TT and TVLV updates")
+Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/batman-adv/main.c | 1 +
+ net/batman-adv/multicast.c | 11 +++--------
+ net/batman-adv/types.h | 2 ++
+ 3 files changed, 6 insertions(+), 8 deletions(-)
+
+--- a/net/batman-adv/main.c
++++ b/net/batman-adv/main.c
+@@ -153,6 +153,7 @@ int batadv_mesh_init(struct net_device *
+ spin_lock_init(&bat_priv->tt.commit_lock);
+ spin_lock_init(&bat_priv->gw.list_lock);
+ #ifdef CONFIG_BATMAN_ADV_MCAST
++ spin_lock_init(&bat_priv->mcast.mla_lock);
+ spin_lock_init(&bat_priv->mcast.want_lists_lock);
+ #endif
+ spin_lock_init(&bat_priv->tvlv.container_list_lock);
+--- a/net/batman-adv/multicast.c
++++ b/net/batman-adv/multicast.c
+@@ -269,8 +269,6 @@ static void batadv_mcast_mla_list_free(s
+ * translation table except the ones listed in the given mcast_list.
+ *
+ * If mcast_list is NULL then all are retracted.
+- *
+- * Do not call outside of the mcast worker! (or cancel mcast worker first)
+ */
+ static void batadv_mcast_mla_tt_retract(struct batadv_priv *bat_priv,
+ struct hlist_head *mcast_list)
+@@ -278,8 +276,6 @@ static void batadv_mcast_mla_tt_retract(
+ struct batadv_hw_addr *mcast_entry;
+ struct hlist_node *tmp;
+
+- WARN_ON(delayed_work_pending(&bat_priv->mcast.work));
+-
+ hlist_for_each_entry_safe(mcast_entry, tmp, &bat_priv->mcast.mla_list,
+ list) {
+ if (mcast_list &&
+@@ -303,8 +299,6 @@ static void batadv_mcast_mla_tt_retract(
+ *
+ * Adds multicast listener announcements from the given mcast_list to the
+ * translation table if they have not been added yet.
+- *
+- * Do not call outside of the mcast worker! (or cancel mcast worker first)
+ */
+ static void batadv_mcast_mla_tt_add(struct batadv_priv *bat_priv,
+ struct hlist_head *mcast_list)
+@@ -312,8 +306,6 @@ static void batadv_mcast_mla_tt_add(stru
+ struct batadv_hw_addr *mcast_entry;
+ struct hlist_node *tmp;
+
+- WARN_ON(delayed_work_pending(&bat_priv->mcast.work));
+-
+ if (!mcast_list)
+ return;
+
+@@ -600,7 +592,10 @@ static void batadv_mcast_mla_update(stru
+ priv_mcast = container_of(delayed_work, struct batadv_priv_mcast, work);
+ bat_priv = container_of(priv_mcast, struct batadv_priv, mcast);
+
++ spin_lock(&bat_priv->mcast.mla_lock);
+ __batadv_mcast_mla_update(bat_priv);
++ spin_unlock(&bat_priv->mcast.mla_lock);
++
+ batadv_mcast_start_timer(bat_priv);
+ }
+
+--- a/net/batman-adv/types.h
++++ b/net/batman-adv/types.h
+@@ -798,6 +798,7 @@ struct batadv_mcast_querier_state {
+ * @flags: the flags we have last sent in our mcast tvlv
+ * @enabled: whether the multicast tvlv is currently enabled
+ * @bridged: whether the soft interface has a bridge on top
++ * @mla_lock: a lock protecting mla_list and mla_flags
+ * @num_disabled: number of nodes that have no mcast tvlv
+ * @num_want_all_unsnoopables: number of nodes wanting unsnoopable IP traffic
+ * @num_want_all_ipv4: counter for items in want_all_ipv4_list
+@@ -816,6 +817,7 @@ struct batadv_priv_mcast {
+ u8 flags;
+ bool enabled;
+ bool bridged;
++ spinlock_t mla_lock;
+ atomic_t num_disabled;
+ atomic_t num_want_all_unsnoopables;
+ atomic_t num_want_all_ipv4;
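Review bot: The kernel-doc line added in types.h reads `@mla_lock: a lock protecting mla_list and mla_flags`, but the member documented just above it in the same hunk is `@flags` and no `mla_flags` field is visible, so it should probably read `a lock protecting mla_list and flags`. In multicast.c the "Do not call outside of the mcast worker!" sentences and both WARN_ON() checks are removed from batadv_mcast_mla_tt_retract() and batadv_mcast_mla_tt_add() without a replacement, while the lock is taken only in batadv_mcast_mla_update(). If every caller is meant to hold the lock, `lockdep_assert_held(&bat_priv->mcast.mla_lock);` at the top of both helpers would keep that contract checkable. Callers outside these hunks are not visible, so whether any of them runs unlocked, or needs the `_bh` variant, has to be confirmed against the full file.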
--- /dev/null
+From 2baae3545327632167c0180e9ca1d467416f1919 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Mon, 13 May 2019 09:59:16 -0700
+Subject: bpf: devmap: fix use-after-free Read in __dev_map_entry_free
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit 2baae3545327632167c0180e9ca1d467416f1919 upstream.
+
+synchronize_rcu() is fine when the rcu callbacks only need
+to free memory (kfree_rcu() or direct kfree() call rcu call backs)
+
+__dev_map_entry_free() is a bit more complex, so we need to make
+sure that call queued __dev_map_entry_free() callbacks have completed.
+
+sysbot report:
+
+BUG: KASAN: use-after-free in dev_map_flush_old kernel/bpf/devmap.c:365
+[inline]
+BUG: KASAN: use-after-free in __dev_map_entry_free+0x2a8/0x300
+kernel/bpf/devmap.c:379
+Read of size 8 at addr ffff8801b8da38c8 by task ksoftirqd/1/18
+
+CPU: 1 PID: 18 Comm: ksoftirqd/1 Not tainted 4.17.0+ #39
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
+Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x1b9/0x294 lib/dump_stack.c:113
+ print_address_description+0x6c/0x20b mm/kasan/report.c:256
+ kasan_report_error mm/kasan/report.c:354 [inline]
+ kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
+ __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
+ dev_map_flush_old kernel/bpf/devmap.c:365 [inline]
+ __dev_map_entry_free+0x2a8/0x300 kernel/bpf/devmap.c:379
+ __rcu_reclaim kernel/rcu/rcu.h:178 [inline]
+ rcu_do_batch kernel/rcu/tree.c:2558 [inline]
+ invoke_rcu_callbacks kernel/rcu/tree.c:2818 [inline]
+ __rcu_process_callbacks kernel/rcu/tree.c:2785 [inline]
+ rcu_process_callbacks+0xe9d/0x1760 kernel/rcu/tree.c:2802
+ __do_softirq+0x2e0/0xaf5 kernel/softirq.c:284
+ run_ksoftirqd+0x86/0x100 kernel/softirq.c:645
+ smpboot_thread_fn+0x417/0x870 kernel/smpboot.c:164
+ kthread+0x345/0x410 kernel/kthread.c:240
+ ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:412
+
+Allocated by task 6675:
+ save_stack+0x43/0xd0 mm/kasan/kasan.c:448
+ set_track mm/kasan/kasan.c:460 [inline]
+ kasan_kmalloc+0xc4/0xe0 mm/kasan/kasan.c:553
+ kmem_cache_alloc_trace+0x152/0x780 mm/slab.c:3620
+ kmalloc include/linux/slab.h:513 [inline]
+ kzalloc include/linux/slab.h:706 [inline]
+ dev_map_alloc+0x208/0x7f0 kernel/bpf/devmap.c:102
+ find_and_alloc_map kernel/bpf/syscall.c:129 [inline]
+ map_create+0x393/0x1010 kernel/bpf/syscall.c:453
+ __do_sys_bpf kernel/bpf/syscall.c:2351 [inline]
+ __se_sys_bpf kernel/bpf/syscall.c:2328 [inline]
+ __x64_sys_bpf+0x303/0x510 kernel/bpf/syscall.c:2328
+ do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Freed by task 26:
+ save_stack+0x43/0xd0 mm/kasan/kasan.c:448
+ set_track mm/kasan/kasan.c:460 [inline]
+ __kasan_slab_free+0x11a/0x170 mm/kasan/kasan.c:521
+ kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
+ __cache_free mm/slab.c:3498 [inline]
+ kfree+0xd9/0x260 mm/slab.c:3813
+ dev_map_free+0x4fa/0x670 kernel/bpf/devmap.c:191
+ bpf_map_free_deferred+0xba/0xf0 kernel/bpf/syscall.c:262
+ process_one_work+0xc64/0x1b70 kernel/workqueue.c:2153
+ worker_thread+0x181/0x13a0 kernel/workqueue.c:2296
+ kthread+0x345/0x410 kernel/kthread.c:240
+ ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:412
+
+The buggy address belongs to the object at ffff8801b8da37c0
+ which belongs to the cache kmalloc-512 of size 512
+The buggy address is located 264 bytes inside of
+ 512-byte region [ffff8801b8da37c0, ffff8801b8da39c0)
+The buggy address belongs to the page:
+page:ffffea0006e368c0 count:1 mapcount:0 mapping:ffff8801da800940
+index:0xffff8801b8da3540
+flags: 0x2fffc0000000100(slab)
+raw: 02fffc0000000100 ffffea0007217b88 ffffea0006e30cc8 ffff8801da800940
+raw: ffff8801b8da3540 ffff8801b8da3040 0000000100000004 0000000000000000
+page dumped because: kasan: bad access detected
+
+Memory state around the buggy address:
+ ffff8801b8da3780: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
+ ffff8801b8da3800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+> ffff8801b8da3880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ^
+ ffff8801b8da3900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ffff8801b8da3980: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
+
+Fixes: 546ac1ffb70d ("bpf: add devmap, a map for storing net device references")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot+457d3e2ffbcf31aee5c0@syzkaller.appspotmail.com
+Acked-by: Toke Høiland-Jørgensen <toke@redhat.com>
+Acked-by: Jesper Dangaard Brouer <brouer@redhat.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/bpf/devmap.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/kernel/bpf/devmap.c
++++ b/kernel/bpf/devmap.c
+@@ -156,6 +156,9 @@ static void dev_map_free(struct bpf_map
+
+ synchronize_rcu();
+
++ /* Make sure prior __dev_map_entry_free() have completed. */
++ rcu_barrier();
++
+ /* To ensure all pending flush operations have completed wait for flush
+ * bitmap to indicate all flush_needed bits to be zero on _all_ cpus.
+ * Because the above synchronize_rcu() ensures the map is disconnected
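Review bot: The new comment above `rcu_barrier()` in dev_map_free says what is waited for but not why the preceding `synchronize_rcu()` is insufficient, which is the point of the fix. synchronize_rcu() waits for a grace period, not for callbacks already queued with call_rcu(), and the KASAN report in the description shows __dev_map_entry_free() running from RCU callback processing and reading the freed map object. I would word it as `/* synchronize_rcu() does not wait for queued call_rcu() callbacks; drain pending __dev_map_entry_free() before the map memory is freed */`. The function continues past the end of the hunk.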
--- /dev/null
+From 8c40292be9169a9cbe19aadd1a6fc60cbd1af82f Mon Sep 17 00:00:00 2001
+From: Jiufei Xue <jiufei.xue@linux.alibaba.com>
+Date: Thu, 11 Apr 2019 19:25:12 +0200
+Subject: fbdev: fix WARNING in __alloc_pages_nodemask bug
+
+From: Jiufei Xue <jiufei.xue@linux.alibaba.com>
+
+commit 8c40292be9169a9cbe19aadd1a6fc60cbd1af82f upstream.
+
+Syzkaller hit 'WARNING in __alloc_pages_nodemask' bug.
+
+WARNING: CPU: 1 PID: 1473 at mm/page_alloc.c:4377
+__alloc_pages_nodemask+0x4da/0x2130
+Kernel panic - not syncing: panic_on_warn set ...
+
+Call Trace:
+ alloc_pages_current+0xb1/0x1e0
+ kmalloc_order+0x1f/0x60
+ kmalloc_order_trace+0x1d/0x120
+ fb_alloc_cmap_gfp+0x85/0x2b0
+ fb_set_user_cmap+0xff/0x370
+ do_fb_ioctl+0x949/0xa20
+ fb_ioctl+0xdd/0x120
+ do_vfs_ioctl+0x186/0x1070
+ ksys_ioctl+0x89/0xa0
+ __x64_sys_ioctl+0x74/0xb0
+ do_syscall_64+0xc8/0x550
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+This is a warning about order >= MAX_ORDER and the order is from
+userspace ioctl. Add flag __NOWARN to silence this warning.
+
+Signed-off-by: Jiufei Xue <jiufei.xue@linux.alibaba.com>
+Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/video/fbdev/core/fbcmap.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/video/fbdev/core/fbcmap.c
++++ b/drivers/video/fbdev/core/fbcmap.c
+@@ -94,6 +94,8 @@ int fb_alloc_cmap_gfp(struct fb_cmap *cm
+ int size = len * sizeof(u16);
+ int ret = -ENOMEM;
+
++ flags |= __GFP_NOWARN;
++
+ if (cmap->len != len) {
+ fb_dealloc_cmap(cmap);
+ if (!len)
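Review bot: `flags |= __GFP_NOWARN;` in fb_alloc_cmap_gfp hides the allocator warning but leaves the request size unchecked: `int size = len * sizeof(u16);` two lines above is still computed from a length that, per the description, comes from a userspace ioctl. If no caller bounds `len` (not visible here), a very large value could also overflow the `int`, so an explicit upper-bound check that returns an error before allocating would be the more robust fix. At minimum the new line deserves a comment, e.g. `/* len may be user-controlled; let oversized requests fail quietly instead of triggering a WARN */`. The function body continues outside the hunk.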
--- /dev/null
+From dea37a97265588da604c6ba80160a287b72c7bfd Mon Sep 17 00:00:00 2001
+From: YueHaibing <yuehaibing@huawei.com>
+Date: Wed, 6 Mar 2019 07:45:08 -0500
+Subject: media: cpia2: Fix use-after-free in cpia2_exit
+
+From: YueHaibing <yuehaibing@huawei.com>
+
+commit dea37a97265588da604c6ba80160a287b72c7bfd upstream.
+
+Syzkaller report this:
+
+BUG: KASAN: use-after-free in sysfs_remove_file_ns+0x5f/0x70 fs/sysfs/file.c:468
+Read of size 8 at addr ffff8881f59a6b70 by task syz-executor.0/8363
+
+CPU: 0 PID: 8363 Comm: syz-executor.0 Not tainted 5.0.0-rc8+ #3
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0xfa/0x1ce lib/dump_stack.c:113
+ print_address_description+0x65/0x270 mm/kasan/report.c:187
+ kasan_report+0x149/0x18d mm/kasan/report.c:317
+ sysfs_remove_file_ns+0x5f/0x70 fs/sysfs/file.c:468
+ sysfs_remove_file include/linux/sysfs.h:519 [inline]
+ driver_remove_file+0x40/0x50 drivers/base/driver.c:122
+ usb_remove_newid_files drivers/usb/core/driver.c:212 [inline]
+ usb_deregister+0x12a/0x3b0 drivers/usb/core/driver.c:1005
+ cpia2_exit+0xa/0x16 [cpia2]
+ __do_sys_delete_module kernel/module.c:1018 [inline]
+ __se_sys_delete_module kernel/module.c:961 [inline]
+ __x64_sys_delete_module+0x3dc/0x5e0 kernel/module.c:961
+ do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+RIP: 0033:0x462e99
+Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007f86f3754c58 EFLAGS: 00000246 ORIG_RAX: 00000000000000b0
+RAX: ffffffffffffffda RBX: 000000000073bf00 RCX: 0000000000462e99
+RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000020000300
+RBP: 0000000000000002 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 00007f86f37556bc
+R13: 00000000004bcca9 R14: 00000000006f6b48 R15: 00000000ffffffff
+
+Allocated by task 8363:
+ set_track mm/kasan/common.c:85 [inline]
+ __kasan_kmalloc.constprop.3+0xa0/0xd0 mm/kasan/common.c:495
+ kmalloc include/linux/slab.h:545 [inline]
+ kzalloc include/linux/slab.h:740 [inline]
+ bus_add_driver+0xc0/0x610 drivers/base/bus.c:651
+ driver_register+0x1bb/0x3f0 drivers/base/driver.c:170
+ usb_register_driver+0x267/0x520 drivers/usb/core/driver.c:965
+ 0xffffffffc1b4817c
+ do_one_initcall+0xfa/0x5ca init/main.c:887
+ do_init_module+0x204/0x5f6 kernel/module.c:3460
+ load_module+0x66b2/0x8570 kernel/module.c:3808
+ __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902
+ do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Freed by task 8363:
+ set_track mm/kasan/common.c:85 [inline]
+ __kasan_slab_free+0x130/0x180 mm/kasan/common.c:457
+ slab_free_hook mm/slub.c:1430 [inline]
+ slab_free_freelist_hook mm/slub.c:1457 [inline]
+ slab_free mm/slub.c:3005 [inline]
+ kfree+0xe1/0x270 mm/slub.c:3957
+ kobject_cleanup lib/kobject.c:662 [inline]
+ kobject_release lib/kobject.c:691 [inline]
+ kref_put include/linux/kref.h:67 [inline]
+ kobject_put+0x146/0x240 lib/kobject.c:708
+ bus_remove_driver+0x10e/0x220 drivers/base/bus.c:732
+ driver_unregister+0x6c/0xa0 drivers/base/driver.c:197
+ usb_register_driver+0x341/0x520 drivers/usb/core/driver.c:980
+ 0xffffffffc1b4817c
+ do_one_initcall+0xfa/0x5ca init/main.c:887
+ do_init_module+0x204/0x5f6 kernel/module.c:3460
+ load_module+0x66b2/0x8570 kernel/module.c:3808
+ __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902
+ do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+The buggy address belongs to the object at ffff8881f59a6b40
+ which belongs to the cache kmalloc-256 of size 256
+The buggy address is located 48 bytes inside of
+ 256-byte region [ffff8881f59a6b40, ffff8881f59a6c40)
+The buggy address belongs to the page:
+page:ffffea0007d66980 count:1 mapcount:0 mapping:ffff8881f6c02e00 index:0x0
+flags: 0x2fffc0000000200(slab)
+raw: 02fffc0000000200 dead000000000100 dead000000000200 ffff8881f6c02e00
+raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
+page dumped because: kasan: bad access detected
+
+Memory state around the buggy address:
+ ffff8881f59a6a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ ffff8881f59a6a80: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
+>ffff8881f59a6b00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
+ ^
+ ffff8881f59a6b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ffff8881f59a6c00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
+
+cpia2_init does not check return value of cpia2_init, if it failed
+in usb_register_driver, there is already cleanup using driver_unregister.
+No need call cpia2_usb_cleanup on module exit.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/usb/cpia2/cpia2_v4l.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/media/usb/cpia2/cpia2_v4l.c
++++ b/drivers/media/usb/cpia2/cpia2_v4l.c
+@@ -1244,8 +1244,7 @@ static int __init cpia2_init(void)
+ LOG("%s v%s\n",
+ ABOUT, CPIA_VERSION);
+ check_parameters();
+- cpia2_usb_init();
+- return 0;
++ return cpia2_usb_init();
+ }
+
+
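Review bot: cpia2_init now passes the result of cpia2_usb_init() straight to the module loader, so it depends on that helper returning 0 or a negative errno and on it having undone its own registration when it fails; neither is visible in this hunk. A short comment above the return, e.g. `/* on failure the USB core has already unregistered the driver; the load is aborted and cpia2_exit() never runs */`, would keep the reasoning from the description next to the code. The function starts outside the hunk.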
--- /dev/null
+From 56cd26b618855c9af48c8301aa6754ced8dd0beb Mon Sep 17 00:00:00 2001
+From: YueHaibing <yuehaibing@huawei.com>
+Date: Tue, 5 Mar 2019 00:40:26 -0500
+Subject: media: serial_ir: Fix use-after-free in serial_ir_init_module
+
+From: YueHaibing <yuehaibing@huawei.com>
+
+commit 56cd26b618855c9af48c8301aa6754ced8dd0beb upstream.
+
+Syzkaller report this:
+
+BUG: KASAN: use-after-free in sysfs_remove_file_ns+0x5f/0x70 fs/sysfs/file.c:468
+Read of size 8 at addr ffff8881dc7ae030 by task syz-executor.0/6249
+
+CPU: 1 PID: 6249 Comm: syz-executor.0 Not tainted 5.0.0-rc8+ #3
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0xfa/0x1ce lib/dump_stack.c:113
+ print_address_description+0x65/0x270 mm/kasan/report.c:187
+ kasan_report+0x149/0x18d mm/kasan/report.c:317
+ ? 0xffffffffc1728000
+ sysfs_remove_file_ns+0x5f/0x70 fs/sysfs/file.c:468
+ sysfs_remove_file include/linux/sysfs.h:519 [inline]
+ driver_remove_file+0x40/0x50 drivers/base/driver.c:122
+ remove_bind_files drivers/base/bus.c:585 [inline]
+ bus_remove_driver+0x186/0x220 drivers/base/bus.c:725
+ driver_unregister+0x6c/0xa0 drivers/base/driver.c:197
+ serial_ir_init_module+0x169/0x1000 [serial_ir]
+ do_one_initcall+0xfa/0x5ca init/main.c:887
+ do_init_module+0x204/0x5f6 kernel/module.c:3460
+ load_module+0x66b2/0x8570 kernel/module.c:3808
+ __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902
+ do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+RIP: 0033:0x462e99
+Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007f9450132c58 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
+RAX: ffffffffffffffda RBX: 000000000073bf00 RCX: 0000000000462e99
+RDX: 0000000000000000 RSI: 0000000020000100 RDI: 0000000000000003
+RBP: 00007f9450132c70 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 00007f94501336bc
+R13: 00000000004bcefa R14: 00000000006f6fb0 R15: 0000000000000004
+
+Allocated by task 6249:
+ set_track mm/kasan/common.c:85 [inline]
+ __kasan_kmalloc.constprop.3+0xa0/0xd0 mm/kasan/common.c:495
+ kmalloc include/linux/slab.h:545 [inline]
+ kzalloc include/linux/slab.h:740 [inline]
+ bus_add_driver+0xc0/0x610 drivers/base/bus.c:651
+ driver_register+0x1bb/0x3f0 drivers/base/driver.c:170
+ serial_ir_init_module+0xe8/0x1000 [serial_ir]
+ do_one_initcall+0xfa/0x5ca init/main.c:887
+ do_init_module+0x204/0x5f6 kernel/module.c:3460
+ load_module+0x66b2/0x8570 kernel/module.c:3808
+ __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902
+ do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Freed by task 6249:
+ set_track mm/kasan/common.c:85 [inline]
+ __kasan_slab_free+0x130/0x180 mm/kasan/common.c:457
+ slab_free_hook mm/slub.c:1430 [inline]
+ slab_free_freelist_hook mm/slub.c:1457 [inline]
+ slab_free mm/slub.c:3005 [inline]
+ kfree+0xe1/0x270 mm/slub.c:3957
+ kobject_cleanup lib/kobject.c:662 [inline]
+ kobject_release lib/kobject.c:691 [inline]
+ kref_put include/linux/kref.h:67 [inline]
+ kobject_put+0x146/0x240 lib/kobject.c:708
+ bus_remove_driver+0x10e/0x220 drivers/base/bus.c:732
+ driver_unregister+0x6c/0xa0 drivers/base/driver.c:197
+ serial_ir_init_module+0x14c/0x1000 [serial_ir]
+ do_one_initcall+0xfa/0x5ca init/main.c:887
+ do_init_module+0x204/0x5f6 kernel/module.c:3460
+ load_module+0x66b2/0x8570 kernel/module.c:3808
+ __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902
+ do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+The buggy address belongs to the object at ffff8881dc7ae000
+ which belongs to the cache kmalloc-256 of size 256
+The buggy address is located 48 bytes inside of
+ 256-byte region [ffff8881dc7ae000, ffff8881dc7ae100)
+The buggy address belongs to the page:
+page:ffffea000771eb80 count:1 mapcount:0 mapping:ffff8881f6c02e00 index:0x0
+flags: 0x2fffc0000000200(slab)
+raw: 02fffc0000000200 ffffea0007d14800 0000000400000002 ffff8881f6c02e00
+raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
+page dumped because: kasan: bad access detected
+
+Memory state around the buggy address:
+ ffff8881dc7adf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ ffff8881dc7adf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+>ffff8881dc7ae000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ^
+ ffff8881dc7ae080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ffff8881dc7ae100: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
+
+There are already cleanup handlings in serial_ir_init error path,
+no need to call serial_ir_exit do it again in serial_ir_init_module,
+otherwise will trigger a use-after-free issue.
+
+Fixes: fa5dc29c1fcc ("[media] lirc_serial: move out of staging and rename to serial_ir")
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/rc/serial_ir.c | 9 +--------
+ 1 file changed, 1 insertion(+), 8 deletions(-)
+
+--- a/drivers/media/rc/serial_ir.c
++++ b/drivers/media/rc/serial_ir.c
+@@ -774,8 +774,6 @@ static void serial_ir_exit(void)
+
+ static int __init serial_ir_init_module(void)
+ {
+- int result;
+-
+ switch (type) {
+ case IR_HOMEBREW:
+ case IR_IRDEO:
+@@ -803,12 +801,7 @@ static int __init serial_ir_init_module(
+ if (sense != -1)
+ sense = !!sense;
+
+- result = serial_ir_init();
+- if (!result)
+- return 0;
+-
+- serial_ir_exit();
+- return result;
++ return serial_ir_init();
+ }
+
+ static void __exit serial_ir_exit_module(void)
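Review bot: The single `return serial_ir_init();` in serial_ir_init_module now relies on serial_ir_init() releasing everything it registered when it fails, and nothing at the call site says so. The removed `serial_ir_exit()` call is what produced the second driver_unregister() in the trace, so I would add `/* serial_ir_init() unwinds on error; calling serial_ir_exit() here would unregister twice */` above the return. serial_ir_init() itself is outside the hunk, so its error path should be checked to confirm that every failure branch cleans up.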
--- /dev/null
+From dad7e270ba712ba1c99cd2d91018af6044447a06 Mon Sep 17 00:00:00 2001
+From: Alexander Potapenko <glider@google.com>
+Date: Thu, 4 Apr 2019 10:56:46 -0400
+Subject: media: vivid: use vfree() instead of kfree() for dev->bitmap_cap
+
+From: Alexander Potapenko <glider@google.com>
+
+commit dad7e270ba712ba1c99cd2d91018af6044447a06 upstream.
+
+syzkaller reported crashes on kfree() called from
+vivid_vid_cap_s_selection(). This looks like a simple typo, as
+dev->bitmap_cap is allocated with vzalloc() throughout the file.
+
+Fixes: ef834f7836ec0 ("[media] vivid: add the video capture and output
+parts")
+
+Signed-off-by: Alexander Potapenko <glider@google.com>
+Reported-by: Syzbot <syzbot+6c0effb5877f6b0344e2@syzkaller.appspotmail.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/platform/vivid/vivid-vid-cap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/platform/vivid/vivid-vid-cap.c
++++ b/drivers/media/platform/vivid/vivid-vid-cap.c
+@@ -1007,7 +1007,7 @@ int vivid_vid_cap_s_selection(struct fil
+ v4l2_rect_map_inside(&s->r, &dev->fmt_cap_rect);
+ if (dev->bitmap_cap && (compose->width != s->r.width ||
+ compose->height != s->r.height)) {
+- kfree(dev->bitmap_cap);
++ vfree(dev->bitmap_cap);
+ dev->bitmap_cap = NULL;
+ }
+ *compose = s->r;
brcmfmac-assure-ssid-length-from-firmware-is-limited.patch
brcmfmac-add-subtype-check-for-event-handling-in-data-path.patch
btrfs-honor-path-skip_locking-in-backref-code.patch
+fbdev-fix-warning-in-__alloc_pages_nodemask-bug.patch
+media-cpia2-fix-use-after-free-in-cpia2_exit.patch
+media-serial_ir-fix-use-after-free-in-serial_ir_init_module.patch
+media-vivid-use-vfree-instead-of-kfree-for-dev-bitmap_cap.patch
+ssb-fix-possible-null-pointer-dereference-in-ssb_host_pcmcia_exit.patch
+bpf-devmap-fix-use-after-free-read-in-__dev_map_entry_free.patch
+batman-adv-mcast-fix-multicast-tt-tvlv-worker-locking.patch
+at76c50x-usb-don-t-register-led_trigger-if-usb_register_driver-failed.patch
--- /dev/null
+From b2c01aab9646ed8ffb7c549afe55d5349c482425 Mon Sep 17 00:00:00 2001
+From: YueHaibing <yuehaibing@huawei.com>
+Date: Wed, 6 Mar 2019 19:56:58 +0800
+Subject: ssb: Fix possible NULL pointer dereference in ssb_host_pcmcia_exit
+
+From: YueHaibing <yuehaibing@huawei.com>
+
+commit b2c01aab9646ed8ffb7c549afe55d5349c482425 upstream.
+
+Syzkaller report this:
+
+kasan: GPF could be caused by NULL-ptr deref or user memory access
+general protection fault: 0000 [#1] SMP KASAN PTI
+CPU: 0 PID: 4492 Comm: syz-executor.0 Not tainted 5.0.0-rc7+ #45
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
+RIP: 0010:sysfs_remove_file_ns+0x27/0x70 fs/sysfs/file.c:468
+Code: 00 00 00 41 54 55 48 89 fd 53 49 89 d4 48 89 f3 e8 ee 76 9c ff 48 8d 7d 30 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 75 2d 48 89 da 48 b8 00 00 00 00 00 fc ff df 48 8b 6d
+RSP: 0018:ffff8881e9d9fc00 EFLAGS: 00010206
+RAX: dffffc0000000000 RBX: ffffffff900367e0 RCX: ffffffff81a95952
+RDX: 0000000000000006 RSI: ffffc90001405000 RDI: 0000000000000030
+RBP: 0000000000000000 R08: fffffbfff1fa22ed R09: fffffbfff1fa22ed
+R10: 0000000000000001 R11: fffffbfff1fa22ec R12: 0000000000000000
+R13: ffffffffc1abdac0 R14: 1ffff1103d3b3f8b R15: 0000000000000000
+FS: 00007fe409dc1700(0000) GS:ffff8881f1200000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000001b2d721000 CR3: 00000001e98b6005 CR4: 00000000007606f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+PKRU: 55555554
+Call Trace:
+ sysfs_remove_file include/linux/sysfs.h:519 [inline]
+ driver_remove_file+0x40/0x50 drivers/base/driver.c:122
+ pcmcia_remove_newid_file drivers/pcmcia/ds.c:163 [inline]
+ pcmcia_unregister_driver+0x7d/0x2b0 drivers/pcmcia/ds.c:209
+ ssb_modexit+0xa/0x1b [ssb]
+ __do_sys_delete_module kernel/module.c:1018 [inline]
+ __se_sys_delete_module kernel/module.c:961 [inline]
+ __x64_sys_delete_module+0x3dc/0x5e0 kernel/module.c:961
+ do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+RIP: 0033:0x462e99
+Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007fe409dc0c58 EFLAGS: 00000246 ORIG_RAX: 00000000000000b0
+RAX: ffffffffffffffda RBX: 000000000073bf00 RCX: 0000000000462e99
+RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000200000c0
+RBP: 0000000000000002 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 00007fe409dc16bc
+R13: 00000000004bccaa R14: 00000000006f6bc8 R15: 00000000ffffffff
+Modules linked in: ssb(-) 3c59x nvme_core macvlan tap pata_hpt3x3 rt2x00pci null_blk tsc40 pm_notifier_error_inject notifier_error_inject mdio cdc_wdm nf_reject_ipv4 ath9k_common ath9k_hw ath pppox ppp_generic slhc ehci_platform wl12xx wlcore tps6507x_ts ioc4 nf_synproxy_core ide_gd_mod ax25 can_dev iwlwifi can_raw atm tm2_touchkey can_gw can sundance adp5588_keys rt2800mmio rt2800lib rt2x00mmio rt2x00lib eeprom_93cx6 pn533 lru_cache elants_i2c ip_set nfnetlink gameport tipc hampshire nhc_ipv6 nhc_hop nhc_udp nhc_fragment nhc_routing nhc_mobility nhc_dest 6lowpan silead brcmutil nfc mt76_usb mt76 mac80211 iptable_security iptable_raw iptable_mangle iptable_nat nf_nat_ipv4 nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 iptable_filter bpfilter ip6_vti ip_gre sit hsr veth vxcan batman_adv cfg80211 rfkill chnl_net caif nlmon vcan bridge stp llc ip6_gre ip6_tunnel tunnel6 tun joydev mousedev serio_raw ide_pci_generic piix floppy ide_core sch_fq_codel ip_tables x_tables ipv6
+ [last unloaded: 3c59x]
+Dumping ftrace buffer:
+ (ftrace buffer empty)
+---[ end trace 3913cbf8011e1c05 ]---
+
+In ssb_modinit, it does not fail SSB init when ssb_host_pcmcia_init failed,
+however in ssb_modexit, ssb_host_pcmcia_exit calls pcmcia_unregister_driver
+unconditionally, which may tigger a NULL pointer dereference issue as above.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Fixes: 399500da18f7 ("ssb: pick PCMCIA host code support from b43 driver")
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/ssb/bridge_pcmcia_80211.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/drivers/ssb/bridge_pcmcia_80211.c
++++ b/drivers/ssb/bridge_pcmcia_80211.c
+@@ -113,16 +113,21 @@ static struct pcmcia_driver ssb_host_pcm
+ .resume = ssb_host_pcmcia_resume,
+ };
+
++static int pcmcia_init_failed;
++
+ /*
+ * These are not module init/exit functions!
+ * The module_pcmcia_driver() helper cannot be used here.
+ */
+ int ssb_host_pcmcia_init(void)
+ {
+- return pcmcia_register_driver(&ssb_host_pcmcia_driver);
++ pcmcia_init_failed = pcmcia_register_driver(&ssb_host_pcmcia_driver);
++
++ return pcmcia_init_failed;
+ }
+
+ void ssb_host_pcmcia_exit(void)
+ {
+- pcmcia_unregister_driver(&ssb_host_pcmcia_driver);
++ if (!pcmcia_init_failed)
++ pcmcia_unregister_driver(&ssb_host_pcmcia_driver);
+ }
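Review bot: `static int pcmcia_init_failed;` starts out as 0, which ssb_host_pcmcia_exit() reads as "registration succeeded", so the guard only works if ssb_host_pcmcia_init() has always run first. Tracking the positive state instead fails safe: a flag that stays false until pcmcia_register_driver() returns 0 means the exit helper never touches an unregistered driver, whatever the call order. It also avoids keeping an errno in a variable that is only read as a boolean. Whether ssb_modexit can be reached without the init call having run is not visible in this hunk.

```c
static bool pcmcia_registered;

int ssb_host_pcmcia_init(void)
{
	int err = pcmcia_register_driver(&ssb_host_pcmcia_driver);

	/* Remember success so the exit helper only undoes a real registration. */
	pcmcia_registered = !err;
	return err;
}

void ssb_host_pcmcia_exit(void)
{
	if (pcmcia_registered)
		pcmcia_unregister_driver(&ssb_host_pcmcia_driver);
}
```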