From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: "Greg Kroah-Hartman" <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, "Dun Hum" <bitter.taste@gmx.com>,
"João Paulo Rechi Vita" <jprvita@endlessm.com>,
"Darren Hart (VMware)" <dvhart@infradead.org>
Subject: [PATCH 4.16 43/52] platform/x86: asus-wireless: Fix NULL pointer dereference
Date: Tue, 8 May 2018 10:10:41 +0200 [thread overview]
Message-ID: <20180508073934.181954156@linuxfoundation.org> (raw)
In-Reply-To: <20180508073928.058320984@linuxfoundation.org>
4.16-stable review patch. If anyone has any objections, please let me know.
------------------
From: João Paulo Rechi Vita <jprvita@gmail.com>
commit 9f0a93de9139c2b0a59299cd36b61564522458f8 upstream.
When the module is removed the led workqueue is destroyed in the remove
callback, before the led device is unregistered from the led subsystem.
This leads to a NULL pointer derefence when the led device is
unregistered automatically later as part of the module removal cleanup.
Bellow is the backtrace showing the problem.
BUG: unable to handle kernel NULL pointer dereference at (null)
IP: __queue_work+0x8c/0x410
PGD 0 P4D 0
Oops: 0000 [#1] SMP NOPTI
Modules linked in: ccm edac_mce_amd kvm_amd kvm irqbypass crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc aesni_intel aes_x86_64 joydev crypto_simd asus_nb_wmi glue_helper uvcvideo snd_hda_codec_conexant snd_hda_codec_generic snd_hda_codec_hdmi snd_hda_intel asus_wmi snd_hda_codec cryptd snd_hda_core sparse_keymap videobuf2_vmalloc arc4 videobuf2_memops snd_hwdep input_leds videobuf2_v4l2 ath9k psmouse videobuf2_core videodev ath9k_common snd_pcm ath9k_hw media fam15h_power ath k10temp snd_timer mac80211 i2c_piix4 r8169 mii mac_hid cfg80211 asus_wireless(-) snd soundcore wmi shpchp 8250_dw ip_tables x_tables amdkfd amd_iommu_v2 amdgpu radeon chash i2c_algo_bit drm_kms_helper syscopyarea serio_raw sysfillrect sysimgblt fb_sys_fops ahci ttm libahci drm video
CPU: 3 PID: 2177 Comm: rmmod Not tainted 4.15.0-5-generic #6+dev94.b4287e5bem1-Endless
Hardware name: ASUSTeK COMPUTER INC. X555DG/X555DG, BIOS 5.011 05/05/2015
RIP: 0010:__queue_work+0x8c/0x410
RSP: 0018:ffffbe8cc249fcd8 EFLAGS: 00010086
RAX: ffff992ac6810800 RBX: 0000000000000000 RCX: 0000000000000008
RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffff992ac6400e18
RBP: ffffbe8cc249fd18 R08: ffff992ac6400db0 R09: 0000000000000000
R10: 0000000000000040 R11: ffff992ac6400dd8 R12: 0000000000002000
R13: ffff992abd762e00 R14: ffff992abd763e38 R15: 000000000001ebe0
FS: 00007f318203e700(0000) GS:ffff992aced80000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 00000001c720e000 CR4: 00000000001406e0
Call Trace:
queue_work_on+0x38/0x40
led_state_set+0x2c/0x40 [asus_wireless]
led_set_brightness_nopm+0x14/0x40
led_set_brightness+0x37/0x60
led_trigger_set+0xfc/0x1d0
led_classdev_unregister+0x32/0xd0
devm_led_classdev_release+0x11/0x20
release_nodes+0x109/0x1f0
devres_release_all+0x3c/0x50
device_release_driver_internal+0x16d/0x220
driver_detach+0x3f/0x80
bus_remove_driver+0x55/0xd0
driver_unregister+0x2c/0x40
acpi_bus_unregister_driver+0x15/0x20
asus_wireless_driver_exit+0x10/0xb7c [asus_wireless]
SyS_delete_module+0x1da/0x2b0
entry_SYSCALL_64_fastpath+0x24/0x87
RIP: 0033:0x7f3181b65fd7
RSP: 002b:00007ffe74bcbe18 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f3181b65fd7
RDX: 000000000000000a RSI: 0000000000000800 RDI: 0000555ea2559258
RBP: 0000555ea25591f0 R08: 00007ffe74bcad91 R09: 000000000000000a
R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000000003
R13: 00007ffe74bcae00 R14: 0000000000000000 R15: 0000555ea25591f0
Code: 01 00 00 02 0f 85 7d 01 00 00 48 63 45 d4 48 c7 c6 00 f4 fa 87 49 8b 9d 08 01 00 00 48 03 1c c6 4c 89 f7 e8 87 fb ff ff 48 85 c0 <48> 8b 3b 0f 84 c5 01 00 00 48 39 f8 0f 84 bc 01 00 00 48 89 c7
RIP: __queue_work+0x8c/0x410 RSP: ffffbe8cc249fcd8
CR2: 0000000000000000
---[ end trace 7aa4f4a232e9c39c ]---
Unregistering the led device on the remove callback before destroying the
workqueue avoids this problem.
https://bugzilla.kernel.org/show_bug.cgi?id=196097
Reported-by: Dun Hum <bitter.taste@gmx.com>
Cc: stable@vger.kernel.org
Signed-off-by: João Paulo Rechi Vita <jprvita@endlessm.com>
Signed-off-by: Darren Hart (VMware) <dvhart@infradead.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/platform/x86/asus-wireless.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/platform/x86/asus-wireless.c
+++ b/drivers/platform/x86/asus-wireless.c
@@ -178,8 +178,10 @@ static int asus_wireless_remove(struct a
{
struct asus_wireless_data *data = acpi_driver_data(adev);
- if (data->wq)
+ if (data->wq) {
+ devm_led_classdev_unregister(&adev->dev, &data->led);
destroy_workqueue(data->wq);
+ }
return 0;
}
next prev parent reply other threads:[~2018-05-08 8:10 UTC|newest]
Thread overview: 61+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-05-08 8:09 [PATCH 4.16 00/52] 4.16.8-stable review Greg Kroah-Hartman
2018-05-08 8:09 ` [PATCH 4.16 01/52] ACPI / button: make module loadable when booted in non-ACPI mode Greg Kroah-Hartman
2018-05-08 8:10 ` [PATCH 4.16 02/52] arm64: Add work around for Arm Cortex-A55 Erratum 1024718 Greg Kroah-Hartman
2018-05-08 8:10 ` [PATCH 4.16 03/52] ALSA: hda - Fix incorrect usage of IS_REACHABLE() Greg Kroah-Hartman
2018-05-08 8:10 ` [PATCH 4.16 04/52] ALSA: pcm: Check PCM state at xfern compat ioctl Greg Kroah-Hartman
2018-05-08 8:10 ` [PATCH 4.16 05/52] ALSA: seq: Fix races at MIDI encoding in snd_virmidi_output_trigger() Greg Kroah-Hartman
2018-05-08 8:10 ` [PATCH 4.16 06/52] ALSA: dice: fix kernel NULL pointer dereference due to invalid calculation for array index Greg Kroah-Hartman
2018-05-08 8:10 ` [PATCH 4.16 07/52] ALSA: aloop: Mark paused device as inactive Greg Kroah-Hartman
2018-05-08 8:10 ` [PATCH 4.16 08/52] ALSA: aloop: Add missing cable lock to ctl API callbacks Greg Kroah-Hartman
2018-05-08 8:10 ` [PATCH 4.16 09/52] errseq: Always report a writeback error once Greg Kroah-Hartman
2018-05-08 8:10 ` [PATCH 4.16 10/52] tracepoint: Do not warn on ENOMEM Greg Kroah-Hartman
2018-05-08 8:10 ` [PATCH 4.16 11/52] scsi: target: Fix fortify_panic kernel exception Greg Kroah-Hartman
2018-05-08 8:10 ` [PATCH 4.16 12/52] Input: leds - fix out of bound access Greg Kroah-Hartman
2018-05-08 8:10 ` [PATCH 4.16 13/52] Input: atmel_mxt_ts - add touchpad button mapping for Samsung Chromebook Pro Greg Kroah-Hartman
2018-05-08 8:10 ` [PATCH 4.16 14/52] swiotlb: fix inversed DMA_ATTR_NO_WARN test Greg Kroah-Hartman
2018-05-08 8:10 ` [PATCH 4.16 15/52] rtlwifi: cleanup 8723be ant_sel definition Greg Kroah-Hartman
2018-05-08 8:10 ` [PATCH 4.16 16/52] xfs: prevent creating negative-sized file via INSERT_RANGE Greg Kroah-Hartman
2018-05-08 8:10 ` [PATCH 4.16 17/52] tools: power/acpi, revert to LD = gcc Greg Kroah-Hartman
2018-05-08 8:10 ` [PATCH 4.16 18/52] RDMA/cxgb4: release hw resources on device removal Greg Kroah-Hartman
2018-05-08 8:10 ` [PATCH 4.16 19/52] RDMA/ucma: Allow resolving address w/o specifying source address Greg Kroah-Hartman
2018-05-08 8:10 ` [PATCH 4.16 20/52] RDMA/mlx5: Fix multiple NULL-ptr deref errors in rereg_mr flow Greg Kroah-Hartman
2018-05-08 8:10 ` [PATCH 4.16 21/52] RDMA/mlx4: Add missed RSS hash inner header flag Greg Kroah-Hartman
2018-05-08 8:10 ` [PATCH 4.16 22/52] RDMA/mlx5: Protect from shift operand overflow Greg Kroah-Hartman
2018-05-08 8:10 ` [PATCH 4.16 23/52] NET: usb: qmi_wwan: add support for ublox R410M PID 0x90b2 Greg Kroah-Hartman
2018-05-08 8:10 ` [PATCH 4.16 24/52] IB/mlx5: Use unlimited rate when static rate is not supported Greg Kroah-Hartman
2018-05-08 8:10 ` [PATCH 4.16 25/52] infiniband: mlx5: fix build errors when INFINIBAND_USER_ACCESS=m Greg Kroah-Hartman
2018-05-08 8:10 ` [PATCH 4.16 26/52] IB/hfi1: Fix handling of FECN marked multicast packet Greg Kroah-Hartman
2018-05-08 8:10 ` [PATCH 4.16 27/52] IB/hfi1: Fix loss of BECN with AHG Greg Kroah-Hartman
2018-05-08 8:10 ` [PATCH 4.16 28/52] IB/hfi1: Fix NULL pointer dereference when invalid num_vls is used Greg Kroah-Hartman
2018-05-08 8:10 ` [PATCH 4.16 29/52] iw_cxgb4: Atomically flush per QP HW CQEs Greg Kroah-Hartman
2018-05-08 8:10 ` [PATCH 4.16 30/52] btrfs: Take trans lock before access running trans in check_delayed_ref Greg Kroah-Hartman
2018-05-08 8:10 ` [PATCH 4.16 31/52] drm/vc4: Make sure vc4_bo_{inc,dec}_usecnt() calls are balanced Greg Kroah-Hartman
2018-05-08 8:10 ` [PATCH 4.16 32/52] drm/vmwgfx: Fix a buffer object leak Greg Kroah-Hartman
2018-05-08 8:10 ` [PATCH 4.16 33/52] drm/bridge: vga-dac: Fix edid memory leak Greg Kroah-Hartman
2018-05-08 8:10 ` [PATCH 4.16 34/52] test_firmware: fix setting old custom fw path back on exit, second try Greg Kroah-Hartman
2018-05-08 8:10 ` [PATCH 4.16 35/52] xhci: Fix use-after-free in xhci_free_virt_device Greg Kroah-Hartman
2018-05-08 8:10 ` [PATCH 4.16 36/52] USB: serial: visor: handle potential invalid device configuration Greg Kroah-Hartman
2018-05-08 8:10 ` [PATCH 4.16 37/52] usb: dwc3: gadget: Fix list_del corruption in dwc3_ep_dequeue Greg Kroah-Hartman
2018-05-08 8:10 ` [PATCH 4.16 38/52] USB: Accept bulk endpoints with 1024-byte maxpacket Greg Kroah-Hartman
2018-05-08 8:10 ` [PATCH 4.16 39/52] USB: serial: option: reimplement interface masking Greg Kroah-Hartman
2018-05-08 8:10 ` [PATCH 4.16 40/52] USB: serial: option: adding support for ublox R410M Greg Kroah-Hartman
2018-05-08 8:10 ` [PATCH 4.16 41/52] usb: musb: host: fix potential NULL pointer dereference Greg Kroah-Hartman
2018-05-08 8:10 ` [PATCH 4.16 42/52] usb: musb: trace: fix NULL pointer dereference in musb_g_tx() Greg Kroah-Hartman
2018-05-08 8:10 ` Greg Kroah-Hartman [this message]
2018-05-08 8:10 ` [PATCH 4.16 44/52] platform/x86: Kconfig: Fix dell-laptop dependency chain Greg Kroah-Hartman
2018-05-08 8:10 ` [PATCH 4.16 45/52] KVM: x86: remove APIC Timer periodic/oneshot spikes Greg Kroah-Hartman
2018-05-08 8:10 ` [PATCH 4.16 46/52] x86/tsc: Always unregister clocksource_tsc_early Greg Kroah-Hartman
2018-05-08 8:10 ` [PATCH 4.16 47/52] x86/tsc: Fix mark_tsc_unstable() Greg Kroah-Hartman
2018-05-08 8:10 ` [PATCH 4.16 48/52] irqchip/qcom: Fix check for spurious interrupts Greg Kroah-Hartman
2018-05-08 8:10 ` Greg Kroah-Hartman
2018-05-08 8:10 ` [PATCH 4.16 49/52] clocksource: Allow clocksource_mark_unstable() on unregistered clocksources Greg Kroah-Hartman
2018-05-08 8:10 ` [PATCH 4.16 50/52] clocksource: Initialize cs->wd_list Greg Kroah-Hartman
2018-05-08 8:10 ` [PATCH 4.16 51/52] clocksource: Consistent de-rate when marking unstable Greg Kroah-Hartman
2018-05-08 8:10 ` [PATCH 4.16 52/52] tracing: Fix bad use of igrab in trace_uprobe.c Greg Kroah-Hartman
2018-05-08 15:45 ` [PATCH 4.16 00/52] 4.16.8-stable review kernelci.org bot
2018-05-08 16:22 ` Guenter Roeck
2018-05-08 17:52 ` Greg Kroah-Hartman
2018-05-08 17:56 ` Naresh Kamboju
2018-05-08 18:48 ` Greg Kroah-Hartman
2018-05-08 23:53 ` Shuah Khan
2018-05-09 7:32 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180508073934.181954156@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=bitter.taste@gmx.com \
--cc=dvhart@infradead.org \
--cc=jprvita@endlessm.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.