From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: YueHaibing <yuehaibing@huawei.com>,
Hulk Robot <hulkci@huawei.com>,
Geert Uytterhoeven <geert+renesas@glider.be>,
Axel Lin <axel.lin@ingics.com>,
Mukesh Ojha <mojha@codeaurora.org>,
Mark Brown <broonie@kernel.org>, Sasha Levin <sashal@kernel.org>,
linux-spi@vger.kernel.org
Subject: [PATCH AUTOSEL 4.19 05/34] spi: bitbang: Fix NULL pointer dereference in spi_unregister_master
Date: Tue, 25 Jun 2019 23:43:06 -0400 [thread overview]
Message-ID: <20190626034335.23767-5-sashal@kernel.org> (raw)
In-Reply-To: <20190626034335.23767-1-sashal@kernel.org>
From: YueHaibing <yuehaibing@huawei.com>
[ Upstream commit 5caaf29af5ca82d5da8bc1d0ad07d9e664ccf1d8 ]
If spi_register_master fails in spi_bitbang_start
because device_add failure, We should return the
error code other than 0, otherwise calling
spi_bitbang_stop may trigger NULL pointer dereference
like this:
BUG: KASAN: null-ptr-deref in __list_del_entry_valid+0x45/0xd0
Read of size 8 at addr 0000000000000000 by task syz-executor.0/3661
CPU: 0 PID: 3661 Comm: syz-executor.0 Not tainted 5.1.0+ #28
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
Call Trace:
dump_stack+0xa9/0x10e
? __list_del_entry_valid+0x45/0xd0
? __list_del_entry_valid+0x45/0xd0
__kasan_report+0x171/0x18d
? __list_del_entry_valid+0x45/0xd0
kasan_report+0xe/0x20
__list_del_entry_valid+0x45/0xd0
spi_unregister_controller+0x99/0x1b0
spi_lm70llp_attach+0x3ae/0x4b0 [spi_lm70llp]
? 0xffffffffc1128000
? klist_next+0x131/0x1e0
? driver_detach+0x40/0x40 [parport]
port_check+0x3b/0x50 [parport]
bus_for_each_dev+0x115/0x180
? subsys_dev_iter_exit+0x20/0x20
__parport_register_driver+0x1f0/0x210 [parport]
? 0xffffffffc1150000
do_one_initcall+0xb9/0x3b5
? perf_trace_initcall_level+0x270/0x270
? kasan_unpoison_shadow+0x30/0x40
? kasan_unpoison_shadow+0x30/0x40
do_init_module+0xe0/0x330
load_module+0x38eb/0x4270
? module_frob_arch_sections+0x20/0x20
? kernel_read_file+0x188/0x3f0
? find_held_lock+0x6d/0xd0
? fput_many+0x1a/0xe0
? __do_sys_finit_module+0x162/0x190
__do_sys_finit_module+0x162/0x190
? __ia32_sys_init_module+0x40/0x40
? __mutex_unlock_slowpath+0xb4/0x3f0
? wait_for_completion+0x240/0x240
? vfs_write+0x160/0x2a0
? lockdep_hardirqs_off+0xb5/0x100
? mark_held_locks+0x1a/0x90
? do_syscall_64+0x14/0x2a0
do_syscall_64+0x72/0x2a0
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Reported-by: Hulk Robot <hulkci@huawei.com>
Fixes: 702a4879ec33 ("spi: bitbang: Let spi_bitbang_start() take a reference to master")
Signed-off-by: YueHaibing <yuehaibing@huawei.com>
Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
Reviewed-by: Axel Lin <axel.lin@ingics.com>
Reviewed-by: Mukesh Ojha <mojha@codeaurora.org>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/spi/spi-bitbang.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/spi/spi-bitbang.c b/drivers/spi/spi-bitbang.c
index f29176000b8d..06cf9388e74f 100644
--- a/drivers/spi/spi-bitbang.c
+++ b/drivers/spi/spi-bitbang.c
@@ -416,7 +416,7 @@ int spi_bitbang_start(struct spi_bitbang *bitbang)
if (ret)
spi_master_put(master);
- return 0;
+ return ret;
}
EXPORT_SYMBOL_GPL(spi_bitbang_start);
--
2.20.1
next prev parent reply other threads:[~2019-06-26 3:43 UTC|newest]
Thread overview: 38+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-06-26 3:43 [PATCH AUTOSEL 4.19 01/34] ASoC : cs4265 : readable register too low Sasha Levin
2019-06-26 3:43 ` [PATCH AUTOSEL 4.19 02/34] ASoC: ak4458: add return value for ak4458_probe Sasha Levin
2019-06-26 3:43 ` [PATCH AUTOSEL 4.19 03/34] ASoC: soc-pcm: BE dai needs prepare when pause release after resume Sasha Levin
2019-06-26 3:43 ` [PATCH AUTOSEL 4.19 04/34] ASoC: ak4458: rstn_control - return a non-zero on error only Sasha Levin
2019-06-26 3:43 ` Sasha Levin [this message]
2019-06-26 3:43 ` [PATCH AUTOSEL 4.19 06/34] ASoC: core: lock client_mutex while removing link components Sasha Levin
2019-06-26 3:43 ` [PATCH AUTOSEL 4.19 07/34] ASoC: sun4i-codec: fix first delay on Speaker Sasha Levin
2019-06-26 3:43 ` [PATCH AUTOSEL 4.19 08/34] drm/mediatek: fix unbind functions Sasha Levin
2019-06-26 3:43 ` Sasha Levin
2019-06-26 3:43 ` [PATCH AUTOSEL 4.19 09/34] drm/mediatek: unbind components in mtk_drm_unbind() Sasha Levin
2019-06-26 3:43 ` [PATCH AUTOSEL 4.19 10/34] drm/mediatek: call drm_atomic_helper_shutdown() when unbinding driver Sasha Levin
2019-06-26 3:43 ` Sasha Levin
2019-06-26 3:43 ` [PATCH AUTOSEL 4.19 11/34] drm/mediatek: clear num_pipes when unbind driver Sasha Levin
2019-06-26 3:43 ` Sasha Levin
2019-06-26 3:43 ` [PATCH AUTOSEL 4.19 12/34] drm/mediatek: call mtk_dsi_stop() after mtk_drm_crtc_atomic_disable() Sasha Levin
2019-06-26 3:43 ` [PATCH AUTOSEL 4.19 13/34] ASoC: max98090: remove 24-bit format support if RJ is 0 Sasha Levin
2019-06-26 3:43 ` [PATCH AUTOSEL 4.19 14/34] ASoC: sun4i-i2s: Fix sun8i tx channel offset mask Sasha Levin
2019-06-26 3:43 ` [PATCH AUTOSEL 4.19 15/34] ASoC: sun4i-i2s: Add offset to RX channel select Sasha Levin
2019-06-26 3:43 ` [PATCH AUTOSEL 4.19 16/34] x86/CPU: Add more Icelake model numbers Sasha Levin
2019-06-26 3:43 ` [PATCH AUTOSEL 4.19 17/34] usb: gadget: fusb300_udc: Fix memory leak of fusb300->ep[i] Sasha Levin
2019-06-26 3:43 ` [PATCH AUTOSEL 4.19 18/34] usb: gadget: udc: lpc32xx: allocate descriptor with GFP_ATOMIC Sasha Levin
2019-06-26 3:43 ` [PATCH AUTOSEL 4.19 19/34] ALSA: hdac: fix memory release for SST and SOF drivers Sasha Levin
2019-06-26 3:43 ` [PATCH AUTOSEL 4.19 20/34] SoC: rt274: Fix internal jack assignment in set_jack callback Sasha Levin
2019-06-26 3:43 ` [PATCH AUTOSEL 4.19 21/34] scsi: hpsa: correct ioaccel2 chaining Sasha Levin
2019-06-26 3:43 ` [PATCH AUTOSEL 4.19 22/34] drm: panel-orientation-quirks: Add quirk for GPD pocket2 Sasha Levin
2019-06-26 3:43 ` Sasha Levin
2019-06-26 3:43 ` [PATCH AUTOSEL 4.19 23/34] drm: panel-orientation-quirks: Add quirk for GPD MicroPC Sasha Levin
2019-06-26 3:43 ` [PATCH AUTOSEL 4.19 24/34] platform/x86: asus-wmi: Only Tell EC the OS will handle display hotkeys from asus_nb_wmi Sasha Levin
2019-06-26 3:43 ` [PATCH AUTOSEL 4.19 25/34] platform/x86: intel-vbtn: Report switch events when event wakes device Sasha Levin
2019-06-26 3:43 ` [PATCH AUTOSEL 4.19 26/34] platform/x86: mlx-platform: Fix parent device in i2c-mux-reg device registration Sasha Levin
2019-06-26 3:43 ` [PATCH AUTOSEL 4.19 27/34] platform/mellanox: mlxreg-hotplug: Add devm_free_irq call to remove flow Sasha Levin
2019-06-26 3:43 ` [PATCH AUTOSEL 4.19 28/34] i2c: pca-platform: Fix GPIO lookup code Sasha Levin
2019-06-26 3:43 ` [PATCH AUTOSEL 4.19 29/34] cpuset: restore sanity to cpuset_cpus_allowed_fallback() Sasha Levin
2019-06-26 3:43 ` [PATCH AUTOSEL 4.19 30/34] scripts/decode_stacktrace.sh: prefix addr2line with $CROSS_COMPILE Sasha Levin
2019-06-26 3:43 ` [PATCH AUTOSEL 4.19 31/34] mm/mlock.c: change count_mm_mlocked_page_nr return type Sasha Levin
2019-06-26 3:43 ` [PATCH AUTOSEL 4.19 32/34] tracing: avoid build warning with HAVE_NOP_MCOUNT Sasha Levin
2019-06-26 3:43 ` [PATCH AUTOSEL 4.19 33/34] module: Fix livepatch/ftrace module text permissions race Sasha Levin
2019-06-26 3:43 ` [PATCH AUTOSEL 4.19 34/34] ftrace: Fix NULL pointer dereference in free_ftrace_func_mapper() Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190626034335.23767-5-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=axel.lin@ingics.com \
--cc=broonie@kernel.org \
--cc=geert+renesas@glider.be \
--cc=hulkci@huawei.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-spi@vger.kernel.org \
--cc=mojha@codeaurora.org \
--cc=stable@vger.kernel.org \
--cc=yuehaibing@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.