From f58ca0ef9c2aed8bf9fdc221331ef71583eec886 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Tue, 28 May 2019 17:24:50 +0200 Subject: [PATCH] 4.9-stable patches added patches: at76c50x-usb-don-t-register-led_trigger-if-usb_register_driver-failed.patch fbdev-fix-warning-in-__alloc_pages_nodemask-bug.patch media-cpia2-fix-use-after-free-in-cpia2_exit.patch media-vivid-use-vfree-instead-of-kfree-for-dev-bitmap_cap.patch ssb-fix-possible-null-pointer-dereference-in-ssb_host_pcmcia_exit.patch --- ...rigger-if-usb_register_driver-failed.patch | 89 +++++++++++++ ...arning-in-__alloc_pages_nodemask-bug.patch | 51 +++++++ ...ia2-fix-use-after-free-in-cpia2_exit.patch | 124 ++++++++++++++++++ ...-instead-of-kfree-for-dev-bitmap_cap.patch | 37 ++++++ queue-4.9/series | 5 + ...-dereference-in-ssb_host_pcmcia_exit.patch | 94 +++++++++++++ 6 files changed, 400 insertions(+) create mode 100644 queue-4.9/at76c50x-usb-don-t-register-led_trigger-if-usb_register_driver-failed.patch create mode 100644 queue-4.9/fbdev-fix-warning-in-__alloc_pages_nodemask-bug.patch create mode 100644 queue-4.9/media-cpia2-fix-use-after-free-in-cpia2_exit.patch create mode 100644 queue-4.9/media-vivid-use-vfree-instead-of-kfree-for-dev-bitmap_cap.patch create mode 100644 queue-4.9/ssb-fix-possible-null-pointer-dereference-in-ssb_host_pcmcia_exit.patch diff --git a/queue-4.9/at76c50x-usb-don-t-register-led_trigger-if-usb_register_driver-failed.patch b/queue-4.9/at76c50x-usb-don-t-register-led_trigger-if-usb_register_driver-failed.patch new file mode 100644 index 0000000000..1d74b74299 --- /dev/null +++ b/queue-4.9/at76c50x-usb-don-t-register-led_trigger-if-usb_register_driver-failed.patch 
@@ -0,0 +1,89 @@
+From 09ac2694b0475f96be895848687ebcbba97eeecf Mon Sep 17 00:00:00 2001
+From: YueHaibing
+Date: Mon, 8 Apr 2019 11:45:29 +0800
+Subject: at76c50x-usb: Don't register led_trigger if usb_register_driver failed
+
+From: YueHaibing
+
+commit 09ac2694b0475f96be895848687ebcbba97eeecf upstream.
+
+Syzkaller report this:
+
+[ 1213.468581] BUG: unable to handle kernel paging request at fffffbfff83bf338
+[ 1213.469530] #PF error: [normal kernel read fault]
+[ 1213.469530] PGD 237fe4067 P4D 237fe4067 PUD 237e60067 PMD 1c868b067 PTE 0
+[ 1213.473514] Oops: 0000 [#1] SMP KASAN PTI
+[ 1213.473514] CPU: 0 PID: 6321 Comm: syz-executor.0 Tainted: G C 5.1.0-rc3+ #8
+[ 1213.473514] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
+[ 1213.473514] RIP: 0010:strcmp+0x31/0xa0
+[ 1213.473514] Code: 00 00 00 00 fc ff df 55 53 48 83 ec 08 eb 0a 84 db 48 89 ef 74 5a 4c 89 e6 48 89 f8 48 89 fa 48 8d 6f 01 48 c1 e8 03 83 e2 07 <42> 0f b6 04 28 38 d0 7f 04 84 c0 75 50 48 89 f0 48 89 f2 0f b6 5d
+[ 1213.473514] RSP: 0018:ffff8881f2b7f950 EFLAGS: 00010246
+[ 1213.473514] RAX: 1ffffffff83bf338 RBX: ffff8881ea6f7240 RCX: ffffffff825350c6
+[ 1213.473514] RDX: 0000000000000000 RSI: ffffffffc1ee19c0 RDI: ffffffffc1df99c0
+[ 1213.473514] RBP: ffffffffc1df99c1 R08: 0000000000000001 R09: 0000000000000004
+[ 1213.473514] R10: 0000000000000000 R11: ffff8881de353f00 R12: ffff8881ee727900
+[ 1213.473514] R13: dffffc0000000000 R14: 0000000000000001 R15: ffffffffc1eeaaf0
+[ 1213.473514] FS: 00007fa66fa01700(0000) GS:ffff8881f7200000(0000) knlGS:0000000000000000
+[ 1213.473514] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 1213.473514] CR2: fffffbfff83bf338 CR3: 00000001ebb9e005 CR4: 00000000007606f0
+[ 1213.473514] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 1213.473514] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 1213.473514] PKRU: 55555554
+[ 1213.473514] Call Trace:
+[ 1213.473514] led_trigger_register+0x112/0x3f0
+[ 1213.473514] led_trigger_register_simple+0x7a/0x110
+[ 1213.473514] ? 0xffffffffc1c10000
+[ 1213.473514] at76_mod_init+0x77/0x1000 [at76c50x_usb]
+[ 1213.473514] do_one_initcall+0xbc/0x47d
+[ 1213.473514] ? perf_trace_initcall_level+0x3a0/0x3a0
+[ 1213.473514] ? kasan_unpoison_shadow+0x30/0x40
+[ 1213.473514] ? kasan_unpoison_shadow+0x30/0x40
+[ 1213.473514] do_init_module+0x1b5/0x547
+[ 1213.473514] load_module+0x6405/0x8c10
+[ 1213.473514] ? module_frob_arch_sections+0x20/0x20
+[ 1213.473514] ? kernel_read_file+0x1e6/0x5d0
+[ 1213.473514] ? find_held_lock+0x32/0x1c0
+[ 1213.473514] ? cap_capable+0x1ae/0x210
+[ 1213.473514] ? __do_sys_finit_module+0x162/0x190
+[ 1213.473514] __do_sys_finit_module+0x162/0x190
+[ 1213.473514] ? __ia32_sys_init_module+0xa0/0xa0
+[ 1213.473514] ? __mutex_unlock_slowpath+0xdc/0x690
+[ 1213.473514] ? wait_for_completion+0x370/0x370
+[ 1213.473514] ? vfs_write+0x204/0x4a0
+[ 1213.473514] ? do_syscall_64+0x18/0x450
+[ 1213.473514] do_syscall_64+0x9f/0x450
+[ 1213.473514] entry_SYSCALL_64_after_hwframe+0x49/0xbe
+[ 1213.473514] RIP: 0033:0x462e99
+[ 1213.473514] Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
+[ 1213.473514] RSP: 002b:00007fa66fa00c58 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
+[ 1213.473514] RAX: ffffffffffffffda RBX: 000000000073bf00 RCX: 0000000000462e99
+[ 1213.473514] RDX: 0000000000000000 RSI: 0000000020000300 RDI: 0000000000000003
+[ 1213.473514] RBP: 00007fa66fa00c70 R08: 0000000000000000 R09: 0000000000000000
+[ 1213.473514] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fa66fa016bc
+[ 1213.473514] R13: 00000000004bcefa R14: 00000000006f6fb0 R15: 0000000000000004
+
+If usb_register failed, no need to call led_trigger_register_simple.
+
+Reported-by: Hulk Robot
+Fixes: 1264b951463a ("at76c50x-usb: add driver")
+Signed-off-by: YueHaibing
+Signed-off-by: Kalle Valo
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/atmel/at76c50x-usb.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/atmel/at76c50x-usb.c
++++ b/drivers/net/wireless/atmel/at76c50x-usb.c
+@@ -2583,8 +2583,8 @@ static int __init at76_mod_init(void)
+ if (result < 0)
+ printk(KERN_ERR DRIVER_NAME
+ ": usb_register failed (status %d)\n", result);
+-
+- led_trigger_register_simple("at76_usb-tx", &ledtrig_tx);
++ else
++ led_trigger_register_simple("at76_usb-tx", &ledtrig_tx);
+ return result;
+ }
+ 
diff --git a/queue-4.9/fbdev-fix-warning-in-__alloc_pages_nodemask-bug.patch b/queue-4.9/fbdev-fix-warning-in-__alloc_pages_nodemask-bug.patch
new file mode 100644
index 0000000000..b7f5e919f6
--- /dev/null
+++ b/queue-4.9/fbdev-fix-warning-in-__alloc_pages_nodemask-bug.patch
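Review bot: The new `else` in at76_mod_init attaches to an unbraced `if (result < 0)` whose body is a three-line `printk(...)`, so the pairing is only visible after reading the continuation lines, and any statement later inserted between the printk and the `else` would silently change which branch runs. Kernel style allows the unbraced form since each branch is one statement, but braces on both branches or an early `return result;` inside the error branch would make the intent obvious with identical behaviour. The change itself is sound: a module whose init returns an error is not torn down through its exit function, so skipping the trigger registration on a failed usb_register() also keeps the (out-of-hunk) unregister in the exit path from ever running against a trigger that was never registered.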
@@ -0,0 +1,51 @@
+From 8c40292be9169a9cbe19aadd1a6fc60cbd1af82f Mon Sep 17 00:00:00 2001
+From: Jiufei Xue
+Date: Thu, 11 Apr 2019 19:25:12 +0200
+Subject: fbdev: fix WARNING in __alloc_pages_nodemask bug
+
+From: Jiufei Xue
+
+commit 8c40292be9169a9cbe19aadd1a6fc60cbd1af82f upstream.
+
+Syzkaller hit 'WARNING in __alloc_pages_nodemask' bug.
+
+WARNING: CPU: 1 PID: 1473 at mm/page_alloc.c:4377
+__alloc_pages_nodemask+0x4da/0x2130
+Kernel panic - not syncing: panic_on_warn set ...
+
+Call Trace:
+ alloc_pages_current+0xb1/0x1e0
+ kmalloc_order+0x1f/0x60
+ kmalloc_order_trace+0x1d/0x120
+ fb_alloc_cmap_gfp+0x85/0x2b0
+ fb_set_user_cmap+0xff/0x370
+ do_fb_ioctl+0x949/0xa20
+ fb_ioctl+0xdd/0x120
+ do_vfs_ioctl+0x186/0x1070
+ ksys_ioctl+0x89/0xa0
+ __x64_sys_ioctl+0x74/0xb0
+ do_syscall_64+0xc8/0x550
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+This is a warning about order >= MAX_ORDER and the order is from
+userspace ioctl. Add flag __NOWARN to silence this warning.
+
+Signed-off-by: Jiufei Xue
+Signed-off-by: Bartlomiej Zolnierkiewicz
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/video/fbdev/core/fbcmap.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/video/fbdev/core/fbcmap.c
++++ b/drivers/video/fbdev/core/fbcmap.c
+@@ -94,6 +94,8 @@ int fb_alloc_cmap_gfp(struct fb_cmap *cm
+ int size = len * sizeof(u16);
+ int ret = -ENOMEM;
+ 
++ flags |= __GFP_NOWARN;
++
+ if (cmap->len != len) {
+ fb_dealloc_cmap(cmap);
+ if (!len)
diff --git a/queue-4.9/media-cpia2-fix-use-after-free-in-cpia2_exit.patch b/queue-4.9/media-cpia2-fix-use-after-free-in-cpia2_exit.patch
new file mode 100644
index 0000000000..500f425307
--- /dev/null
+++ b/queue-4.9/media-cpia2-fix-use-after-free-in-cpia2_exit.patch
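Review bot: `flags |= __GFP_NOWARN;` silences the allocator warning but leaves the ioctl-supplied `len` unbounded on its way into the allocation: the visible `int size = len * sizeof(u16);` has no upper limit anywhere in this hunk, so an oversized request now fails quietly with -ENOMEM instead of tripping a WARN, which treats the symptom rather than the cause. A range check on `len` before computing `size`, returning -EINVAL for lengths larger than a colormap can meaningfully hold, would be the more robust fix; if such a check already exists in fb_set_user_cmap, the changelog should say so. The `int size` product can also overflow for large `len` depending on the parameter's type, which is cut off in the hunk header and worth confirming. fb_alloc_cmap_gfp starts and ends outside the hunk.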
@@ -0,0 +1,124 @@
+From dea37a97265588da604c6ba80160a287b72c7bfd Mon Sep 17 00:00:00 2001
+From: YueHaibing
+Date: Wed, 6 Mar 2019 07:45:08 -0500
+Subject: media: cpia2: Fix use-after-free in cpia2_exit
+
+From: YueHaibing
+
+commit dea37a97265588da604c6ba80160a287b72c7bfd upstream.
+
+Syzkaller report this:
+
+BUG: KASAN: use-after-free in sysfs_remove_file_ns+0x5f/0x70 fs/sysfs/file.c:468
+Read of size 8 at addr ffff8881f59a6b70 by task syz-executor.0/8363
+
+CPU: 0 PID: 8363 Comm: syz-executor.0 Not tainted 5.0.0-rc8+ #3
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0xfa/0x1ce lib/dump_stack.c:113
+ print_address_description+0x65/0x270 mm/kasan/report.c:187
+ kasan_report+0x149/0x18d mm/kasan/report.c:317
+ sysfs_remove_file_ns+0x5f/0x70 fs/sysfs/file.c:468
+ sysfs_remove_file include/linux/sysfs.h:519 [inline]
+ driver_remove_file+0x40/0x50 drivers/base/driver.c:122
+ usb_remove_newid_files drivers/usb/core/driver.c:212 [inline]
+ usb_deregister+0x12a/0x3b0 drivers/usb/core/driver.c:1005
+ cpia2_exit+0xa/0x16 [cpia2]
+ __do_sys_delete_module kernel/module.c:1018 [inline]
+ __se_sys_delete_module kernel/module.c:961 [inline]
+ __x64_sys_delete_module+0x3dc/0x5e0 kernel/module.c:961
+ do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+RIP: 0033:0x462e99
+Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007f86f3754c58 EFLAGS: 00000246 ORIG_RAX: 00000000000000b0
+RAX: ffffffffffffffda RBX: 000000000073bf00 RCX: 0000000000462e99
+RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000020000300
+RBP: 0000000000000002 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 00007f86f37556bc
+R13: 00000000004bcca9 R14: 00000000006f6b48 R15: 00000000ffffffff
+
+Allocated by task 8363:
+ set_track mm/kasan/common.c:85 [inline]
+ __kasan_kmalloc.constprop.3+0xa0/0xd0 mm/kasan/common.c:495
+ kmalloc include/linux/slab.h:545 [inline]
+ kzalloc include/linux/slab.h:740 [inline]
+ bus_add_driver+0xc0/0x610 drivers/base/bus.c:651
+ driver_register+0x1bb/0x3f0 drivers/base/driver.c:170
+ usb_register_driver+0x267/0x520 drivers/usb/core/driver.c:965
+ 0xffffffffc1b4817c
+ do_one_initcall+0xfa/0x5ca init/main.c:887
+ do_init_module+0x204/0x5f6 kernel/module.c:3460
+ load_module+0x66b2/0x8570 kernel/module.c:3808
+ __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902
+ do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Freed by task 8363:
+ set_track mm/kasan/common.c:85 [inline]
+ __kasan_slab_free+0x130/0x180 mm/kasan/common.c:457
+ slab_free_hook mm/slub.c:1430 [inline]
+ slab_free_freelist_hook mm/slub.c:1457 [inline]
+ slab_free mm/slub.c:3005 [inline]
+ kfree+0xe1/0x270 mm/slub.c:3957
+ kobject_cleanup lib/kobject.c:662 [inline]
+ kobject_release lib/kobject.c:691 [inline]
+ kref_put include/linux/kref.h:67 [inline]
+ kobject_put+0x146/0x240 lib/kobject.c:708
+ bus_remove_driver+0x10e/0x220 drivers/base/bus.c:732
+ driver_unregister+0x6c/0xa0 drivers/base/driver.c:197
+ usb_register_driver+0x341/0x520 drivers/usb/core/driver.c:980
+ 0xffffffffc1b4817c
+ do_one_initcall+0xfa/0x5ca init/main.c:887
+ do_init_module+0x204/0x5f6 kernel/module.c:3460
+ load_module+0x66b2/0x8570 kernel/module.c:3808
+ __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902
+ do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+The buggy address belongs to the object at ffff8881f59a6b40
+ which belongs to the cache kmalloc-256 of size 256
+The buggy address is located 48 bytes inside of
+ 256-byte region [ffff8881f59a6b40, ffff8881f59a6c40)
+The buggy address belongs to the page:
+page:ffffea0007d66980 count:1 mapcount:0 mapping:ffff8881f6c02e00 index:0x0
+flags: 0x2fffc0000000200(slab)
+raw: 02fffc0000000200 dead000000000100 dead000000000200 ffff8881f6c02e00
+raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
+page dumped because: kasan: bad access detected
+
+Memory state around the buggy address:
+ ffff8881f59a6a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ ffff8881f59a6a80: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
+>ffff8881f59a6b00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
+ ^
+ ffff8881f59a6b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ffff8881f59a6c00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
+
+cpia2_init does not check return value of cpia2_init, if it failed
+in usb_register_driver, there is already cleanup using driver_unregister.
+No need call cpia2_usb_cleanup on module exit.
+
+Reported-by: Hulk Robot
+Signed-off-by: YueHaibing
+Signed-off-by: Hans Verkuil
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/media/usb/cpia2/cpia2_v4l.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/media/usb/cpia2/cpia2_v4l.c
++++ b/drivers/media/usb/cpia2/cpia2_v4l.c
+@@ -1248,8 +1248,7 @@ static int __init cpia2_init(void)
+ LOG("%s v%s\n",
+ ABOUT, CPIA_VERSION);
+ check_parameters();
+- cpia2_usb_init();
+- return 0;
++ return cpia2_usb_init();
+ }
+ 
+ 
diff --git a/queue-4.9/media-vivid-use-vfree-instead-of-kfree-for-dev-bitmap_cap.patch b/queue-4.9/media-vivid-use-vfree-instead-of-kfree-for-dev-bitmap_cap.patch
new file mode 100644
index 0000000000..fd125df653
--- /dev/null
+++ b/queue-4.9/media-vivid-use-vfree-instead-of-kfree-for-dev-bitmap_cap.patch
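Review bot: The changelog line `cpia2_init does not check return value of cpia2_init` names the same function twice; the second occurrence presumably means `cpia2_usb_init`, which is the call whose result the hunk now propagates with `return cpia2_usb_init();`. The `LOG("%s v%s\n", ABOUT, CPIA_VERSION)` banner is still emitted before the outcome is known, so a failed load prints the version line and then fails without a driver-level message; logging the error return, or moving the banner after a successful `cpia2_usb_init()`, would make that failure easier to diagnose from the log. The fix relies on the module core not invoking cpia2_exit when init returns an error, so no explicit unwinding is needed in this function.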
@@ -0,0 +1,37 @@
+From dad7e270ba712ba1c99cd2d91018af6044447a06 Mon Sep 17 00:00:00 2001
+From: Alexander Potapenko
+Date: Thu, 4 Apr 2019 10:56:46 -0400
+Subject: media: vivid: use vfree() instead of kfree() for dev->bitmap_cap
+
+From: Alexander Potapenko
+
+commit dad7e270ba712ba1c99cd2d91018af6044447a06 upstream.
+
+syzkaller reported crashes on kfree() called from
+vivid_vid_cap_s_selection(). This looks like a simple typo, as
+dev->bitmap_cap is allocated with vzalloc() throughout the file.
+
+Fixes: ef834f7836ec0 ("[media] vivid: add the video capture and output
+parts")
+
+Signed-off-by: Alexander Potapenko
+Reported-by: Syzbot
+Signed-off-by: Hans Verkuil
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/media/platform/vivid/vivid-vid-cap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/platform/vivid/vivid-vid-cap.c
++++ b/drivers/media/platform/vivid/vivid-vid-cap.c
+@@ -984,7 +984,7 @@ int vivid_vid_cap_s_selection(struct fil
+ v4l2_rect_map_inside(&s->r, &dev->fmt_cap_rect);
+ if (dev->bitmap_cap && (compose->width != s->r.width ||
+ compose->height != s->r.height)) {
+- kfree(dev->bitmap_cap);
++ vfree(dev->bitmap_cap);
+ dev->bitmap_cap = NULL;
+ }
+ *compose = s->r;
diff --git a/queue-4.9/series b/queue-4.9/series
index 98c0d92cc3..79da6252de 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -12,3 +12,8 @@ btrfs-fix-race-between-ranged-fsync-and-writeback-of-adjacent-ranges.patch
 btrfs-sysfs-don-t-leak-memory-when-failing-add-fsid.patch
 fbdev-fix-divide-error-in-fb_var_to_videomode.patch
 hugetlb-use-same-fault-hash-key-for-shared-and-private-mappings.patch
+fbdev-fix-warning-in-__alloc_pages_nodemask-bug.patch
+media-cpia2-fix-use-after-free-in-cpia2_exit.patch
+media-vivid-use-vfree-instead-of-kfree-for-dev-bitmap_cap.patch
+ssb-fix-possible-null-pointer-dereference-in-ssb_host_pcmcia_exit.patch
+at76c50x-usb-don-t-register-led_trigger-if-usb_register_driver-failed.patch
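Review bot: The hunk corrects a single free site, but the changelog states that `dev->bitmap_cap` is allocated with vzalloc() throughout the file, so every other place that releases it (device teardown and any other selection or format path, all outside this hunk) should be audited for the same kfree()/vfree() mismatch before the fix is considered complete. A small helper such as `static void vivid_free_bitmap_cap(struct vivid_dev *dev) { vfree(dev->bitmap_cap); dev->bitmap_cap = NULL; }` would keep the allocator pairing in one place and make a future mismatch impossible at the call sites. The enclosing vivid_vid_cap_s_selection() starts and ends outside the hunk.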
diff --git a/queue-4.9/ssb-fix-possible-null-pointer-dereference-in-ssb_host_pcmcia_exit.patch b/queue-4.9/ssb-fix-possible-null-pointer-dereference-in-ssb_host_pcmcia_exit.patch
new file mode 100644
index 0000000000..d90828f4ac
--- /dev/null
+++ b/queue-4.9/ssb-fix-possible-null-pointer-dereference-in-ssb_host_pcmcia_exit.patch
@@ -0,0 +1,94 @@
+From b2c01aab9646ed8ffb7c549afe55d5349c482425 Mon Sep 17 00:00:00 2001
+From: YueHaibing
+Date: Wed, 6 Mar 2019 19:56:58 +0800
+Subject: ssb: Fix possible NULL pointer dereference in ssb_host_pcmcia_exit
+
+From: YueHaibing
+
+commit b2c01aab9646ed8ffb7c549afe55d5349c482425 upstream.
+
+Syzkaller report this:
+
+kasan: GPF could be caused by NULL-ptr deref or user memory access
+general protection fault: 0000 [#1] SMP KASAN PTI
+CPU: 0 PID: 4492 Comm: syz-executor.0 Not tainted 5.0.0-rc7+ #45
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
+RIP: 0010:sysfs_remove_file_ns+0x27/0x70 fs/sysfs/file.c:468
+Code: 00 00 00 41 54 55 48 89 fd 53 49 89 d4 48 89 f3 e8 ee 76 9c ff 48 8d 7d 30 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 75 2d 48 89 da 48 b8 00 00 00 00 00 fc ff df 48 8b 6d
+RSP: 0018:ffff8881e9d9fc00 EFLAGS: 00010206
+RAX: dffffc0000000000 RBX: ffffffff900367e0 RCX: ffffffff81a95952
+RDX: 0000000000000006 RSI: ffffc90001405000 RDI: 0000000000000030
+RBP: 0000000000000000 R08: fffffbfff1fa22ed R09: fffffbfff1fa22ed
+R10: 0000000000000001 R11: fffffbfff1fa22ec R12: 0000000000000000
+R13: ffffffffc1abdac0 R14: 1ffff1103d3b3f8b R15: 0000000000000000
+FS: 00007fe409dc1700(0000) GS:ffff8881f1200000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000001b2d721000 CR3: 00000001e98b6005 CR4: 00000000007606f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+PKRU: 55555554
+Call Trace:
+ sysfs_remove_file include/linux/sysfs.h:519 [inline]
+ driver_remove_file+0x40/0x50 drivers/base/driver.c:122
+ pcmcia_remove_newid_file drivers/pcmcia/ds.c:163 [inline]
+ pcmcia_unregister_driver+0x7d/0x2b0 drivers/pcmcia/ds.c:209
+ ssb_modexit+0xa/0x1b [ssb]
+ __do_sys_delete_module kernel/module.c:1018 [inline]
+ __se_sys_delete_module kernel/module.c:961 [inline]
+ __x64_sys_delete_module+0x3dc/0x5e0 kernel/module.c:961
+ do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+RIP: 0033:0x462e99
+Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007fe409dc0c58 EFLAGS: 00000246 ORIG_RAX: 00000000000000b0
+RAX: ffffffffffffffda RBX: 000000000073bf00 RCX: 0000000000462e99
+RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000200000c0
+RBP: 0000000000000002 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 00007fe409dc16bc
+R13: 00000000004bccaa R14: 00000000006f6bc8 R15: 00000000ffffffff
+Modules linked in: ssb(-) 3c59x nvme_core macvlan tap pata_hpt3x3 rt2x00pci null_blk tsc40 pm_notifier_error_inject notifier_error_inject mdio cdc_wdm nf_reject_ipv4 ath9k_common ath9k_hw ath pppox ppp_generic slhc ehci_platform wl12xx wlcore tps6507x_ts ioc4 nf_synproxy_core ide_gd_mod ax25 can_dev iwlwifi can_raw atm tm2_touchkey can_gw can sundance adp5588_keys rt2800mmio rt2800lib rt2x00mmio rt2x00lib eeprom_93cx6 pn533 lru_cache elants_i2c ip_set nfnetlink gameport tipc hampshire nhc_ipv6 nhc_hop nhc_udp nhc_fragment nhc_routing nhc_mobility nhc_dest 6lowpan silead brcmutil nfc mt76_usb mt76 mac80211 iptable_security iptable_raw iptable_mangle iptable_nat nf_nat_ipv4 nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 iptable_filter bpfilter ip6_vti ip_gre sit hsr veth vxcan batman_adv cfg80211 rfkill chnl_net caif nlmon vcan bridge stp llc ip6_gre ip6_tunnel tunnel6 tun joydev mousedev serio_raw ide_pci_generic piix floppy ide_core sch_fq_codel ip_tables x_tables ipv6
+ [last unloaded: 3c59x]
+Dumping ftrace buffer:
+ (ftrace buffer empty)
+---[ end trace 3913cbf8011e1c05 ]---
+
+In ssb_modinit, it does not fail SSB init when ssb_host_pcmcia_init failed,
+however in ssb_modexit, ssb_host_pcmcia_exit calls pcmcia_unregister_driver
+unconditionally, which may tigger a NULL pointer dereference issue as above.
+
+Reported-by: Hulk Robot
+Fixes: 399500da18f7 ("ssb: pick PCMCIA host code support from b43 driver")
+Signed-off-by: YueHaibing
+Signed-off-by: Kalle Valo
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/ssb/bridge_pcmcia_80211.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/drivers/ssb/bridge_pcmcia_80211.c
++++ b/drivers/ssb/bridge_pcmcia_80211.c
+@@ -113,16 +113,21 @@ static struct pcmcia_driver ssb_host_pcm
+ .resume = ssb_host_pcmcia_resume,
+ };
+ 
++static int pcmcia_init_failed;
++
+ /*
+ * These are not module init/exit functions!
+ * The module_pcmcia_driver() helper cannot be used here.
+ */
+ int ssb_host_pcmcia_init(void)
+ {
+- return pcmcia_register_driver(&ssb_host_pcmcia_driver);
++ pcmcia_init_failed = pcmcia_register_driver(&ssb_host_pcmcia_driver);
++
++ return pcmcia_init_failed;
+ }
+ 
+ void ssb_host_pcmcia_exit(void)
+ {
+- pcmcia_unregister_driver(&ssb_host_pcmcia_driver);
++ if (!pcmcia_init_failed)
++ pcmcia_unregister_driver(&ssb_host_pcmcia_driver);
+ }
-- 
2.39.5
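Review bot: `pcmcia_init_failed` stores the raw return value of pcmcia_register_driver(), so a variable named like a boolean actually holds an errno, and `if (!pcmcia_init_failed)` reads as "if not failed" only once the reader knows that zero means success. A clearer shape is `static bool pcmcia_registered;` set with `pcmcia_registered = (err == 0);` after the call in ssb_host_pcmcia_init() (keeping `return err;`) and tested as `if (pcmcia_registered)` in ssb_host_pcmcia_exit(); the behaviour is the same and the state's meaning is explicit. A one-line comment on the flag, `/* Set when the PCMCIA driver was registered, so exit only unregisters what init succeeded in registering. */`, would also tie it to the existing "not module init/exit functions" comment and explain why this has to be file-scope state rather than a local.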