From 49c7dc9457c0d1b1ba9b7fbd09464105657b87f0 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Mon, 28 Dec 2020 12:50:22 +0100
Subject: [PATCH] 4.4-stable patches

added patches:
pci-fix-pci_slot_release-null-pointer-dereference.patch

---
 ...lot_release-null-pointer-dereference.patch | 65 +++++++++++++++++++
 queue-4.4/series | 1 +
 2 files changed, 66 insertions(+)
 create mode 100644 queue-4.4/pci-fix-pci_slot_release-null-pointer-dereference.patch

diff --git a/queue-4.4/pci-fix-pci_slot_release-null-pointer-dereference.patch b/queue-4.4/pci-fix-pci_slot_release-null-pointer-dereference.patch
new file mode 100644
index 00000000000..d8f4cedf1e5
--- /dev/null
+++ b/queue-4.4/pci-fix-pci_slot_release-null-pointer-dereference.patch
@@ -0,0 +1,65 @@
+From 4684709bf81a2d98152ed6b610e3d5c403f9bced Mon Sep 17 00:00:00 2001
+From: Jubin Zhong
+Date: Wed, 2 Dec 2020 10:33:42 +0800
+Subject: PCI: Fix pci_slot_release() NULL pointer dereference
+
+From: Jubin Zhong
+
+commit 4684709bf81a2d98152ed6b610e3d5c403f9bced upstream.
+
+If kobject_init_and_add() fails, pci_slot_release() is called to delete
+slot->list from parent->slots. But slot->list hasn't been initialized
+yet, so we dereference a NULL pointer:
+
+ Unable to handle kernel NULL pointer dereference at virtual address
+00000000
+ ...
+ CPU: 10 PID: 1 Comm: swapper/0 Not tainted 4.4.240 #197
+ task: ffffeb398a45ef10 task.stack: ffffeb398a470000
+ PC is at __list_del_entry_valid+0x5c/0xb0
+ LR is at pci_slot_release+0x84/0xe4
+ ...
+ __list_del_entry_valid+0x5c/0xb0
+ pci_slot_release+0x84/0xe4
+ kobject_put+0x184/0x1c4
+ pci_create_slot+0x17c/0x1b4
+ __pci_hp_initialize+0x68/0xa4
+ pciehp_probe+0x1a4/0x2fc
+ pcie_port_probe_service+0x58/0x84
+ driver_probe_device+0x320/0x470
+
+Initialize slot->list before calling kobject_init_and_add() to avoid this.
+
+Fixes: 8a94644b440e ("PCI: Fix pci_create_slot() reference count leak")
+Link: https://lore.kernel.org/r/1606876422-117457-1-git-send-email-zhongjubin@huawei.com
+Signed-off-by: Jubin Zhong
+Signed-off-by: Bjorn Helgaas
+Cc: stable@vger.kernel.org # v5.9+
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/pci/slot.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/pci/slot.c
++++ b/drivers/pci/slot.c
+@@ -307,6 +307,9 @@ placeholder:
+ goto err;
+ }
+
++ INIT_LIST_HEAD(&slot->list);
++ list_add(&slot->list, &parent->slots);
++
+ err = kobject_init_and_add(&slot->kobj, &pci_slot_ktype, NULL,
+ "%s", slot_name);
+ if (err) {
+@@ -314,9 +317,6 @@ placeholder:
+ goto err;
+ }
+
+- INIT_LIST_HEAD(&slot->list);
+- list_add(&slot->list, &parent->slots);
+-
+ down_read(&pci_bus_sem);
+ list_for_each_entry(dev, &parent->devices, bus_list)
+ if (PCI_SLOT(dev->devfn) == slot_nr)
diff --git a/queue-4.4/series b/queue-4.4/series
index 669fa476d5a..7f984696b37 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -129,3 +129,4 @@ xen-xenbus-add-will_handle-callback-support-in-xenbus_watch_path.patch
 xen-xenbus-xen_bus_type-support-will_handle-watch-callback.patch
 xen-xenbus-count-pending-messages-for-each-watch.patch
 xenbus-xenbus_backend-disallow-pending-watch-messages.patch
+pci-fix-pci_slot_release-null-pointer-dereference.patch
-- 
2.47.3
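Review bot: The backport is queued for 4.4 although the patch's own `Cc: stable@vger.kernel.org # v5.9+` tag limits it to v5.9 and later; it is only needed, and only applies cleanly, if the `Fixes:` commit 8a94644b440e (which made the kobject_init_and_add() failure path call kobject_put(), so pci_slot_release() runs list_del() on a still-zeroed slot->list) is already present in the 4.4 tree. The 4.4.240 oops quoted in the message suggests that backport is there, but the queue-4.4 series should be checked to confirm it precedes this entry rather than relying on the trace alone. Moving INIT_LIST_HEAD()/list_add() ahead of kobject_init_and_add() also makes the slot reachable through parent->slots before its kobject exists, so that list and the list_del() in pci_slot_release() must be serialised by whatever lock pci_create_slot() holds around this sequence; the lock and the function's entry and exit are outside the hunk, so the 4.4 version should be confirmed to hold it across both the list_add() and the failing kobject_put(). A one-line remark in the patch header naming the dependency on the 8a94644b440e backport would make that ordering explicit for anyone re-spinning the queue.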