From: Mukesh Ojha <mojha@codeaurora.org>
To: YueHaibing <yuehaibing@huawei.com>,
broonie@kernel.org, axel.lin@ingics.com
Cc: linux-kernel@vger.kernel.org, linux-spi@vger.kernel.org,
albeu@free.fr, lorenzo.bianconi@redhat.com
Subject: Re: [PATCH] spi: bitbang: Fix NULL pointer dereference in spi_unregister_master
Date: Thu, 16 May 2019 15:13:03 +0530
Message-ID: <e2a15e35-3faf-58be-7b76-5550ddcd49de@codeaurora.org>
In-Reply-To: <20190516075656.25880-1-yuehaibing@huawei.com>

On 5/16/2019 1:26 PM, YueHaibing wrote:
> If spi_register_master fails in spi_bitbang_start
> because of device_add failure, we should return the
> error code other than 0, otherwise calling
> spi_bitbang_stop may trigger a NULL pointer dereference
> like this:
>
> BUG: KASAN: null-ptr-deref in __list_del_entry_valid+0x45/0xd0
> Read of size 8 at addr 0000000000000000 by task syz-executor.0/3661
>
> CPU: 0 PID: 3661 Comm: syz-executor.0 Not tainted 5.1.0+ #28
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
> Call Trace:
> dump_stack+0xa9/0x10e
> ? __list_del_entry_valid+0x45/0xd0
> ? __list_del_entry_valid+0x45/0xd0
> __kasan_report+0x171/0x18d
> ? __list_del_entry_valid+0x45/0xd0
> kasan_report+0xe/0x20
> __list_del_entry_valid+0x45/0xd0
> spi_unregister_controller+0x99/0x1b0
> spi_lm70llp_attach+0x3ae/0x4b0 [spi_lm70llp]
> ? 0xffffffffc1128000
> ? klist_next+0x131/0x1e0
> ? driver_detach+0x40/0x40 [parport]
> port_check+0x3b/0x50 [parport]
> bus_for_each_dev+0x115/0x180
> ? subsys_dev_iter_exit+0x20/0x20
> __parport_register_driver+0x1f0/0x210 [parport]
> ? 0xffffffffc1150000
> do_one_initcall+0xb9/0x3b5
> ? perf_trace_initcall_level+0x270/0x270
> ? kasan_unpoison_shadow+0x30/0x40
> ? kasan_unpoison_shadow+0x30/0x40
> do_init_module+0xe0/0x330
> load_module+0x38eb/0x4270
> ? module_frob_arch_sections+0x20/0x20
> ? kernel_read_file+0x188/0x3f0
> ? find_held_lock+0x6d/0xd0
> ? fput_many+0x1a/0xe0
> ? __do_sys_finit_module+0x162/0x190
> __do_sys_finit_module+0x162/0x190
> ? __ia32_sys_init_module+0x40/0x40
> ? __mutex_unlock_slowpath+0xb4/0x3f0
> ? wait_for_completion+0x240/0x240
> ? vfs_write+0x160/0x2a0
> ? lockdep_hardirqs_off+0xb5/0x100
> ? mark_held_locks+0x1a/0x90
> ? do_syscall_64+0x14/0x2a0
> do_syscall_64+0x72/0x2a0
> entry_SYSCALL_64_after_hwframe+0x49/0xbe
>
> Reported-by: Hulk Robot <hulkci@huawei.com>
> Fixes: 702a4879ec33 ("spi: bitbang: Let spi_bitbang_start() take a reference to master")
> Signed-off-by: YueHaibing <yuehaibing@huawei.com>

Reviewed-by: Mukesh Ojha <mojha@codeaurora.org>

Cheers,
-Mukesh

> ---
> drivers/spi/spi-bitbang.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/spi/spi-bitbang.c b/drivers/spi/spi-bitbang.c
> index dd9a8c54..be95be4 100644
> --- a/drivers/spi/spi-bitbang.c
> +++ b/drivers/spi/spi-bitbang.c
> @@ -403,7 +403,7 @@ int spi_bitbang_start(struct spi_bitbang *bitbang)
> if (ret)
> spi_master_put(master);
>
> - return 0;
> + return ret;
> }
> EXPORT_SYMBOL_GPL(spi_bitbang_start);
>
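
Review bot: The changed `return ret;` at the end of spi_bitbang_start() only helps callers that check the result, and the commit message does not say which callers were audited. On the failure path the lines just above it already run `spi_master_put(master)`, so a caller that sees a non-zero return must not go on to call spi_bitbang_stop(), which is what leads to spi_unregister_controller() in the quoted trace via spi_lm70llp_attach(). Please state in the commit message that callers were checked for this, and consider a short comment above the function documenting that on error the reference is already dropped and spi_bitbang_stop() must not be called.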
Thread overview: 8+ messages
2019-05-16 7:56 [PATCH] spi: bitbang: Fix NULL pointer dereference in spi_unregister_master YueHaibing
2019-05-16 8:25 ` Geert Uytterhoeven
2019-05-16 8:36 ` Axel Lin
2019-05-16 9:43 ` Mukesh Ojha [this message]
2019-05-16 9:51 ` Mark Brown
2019-05-16 13:27 ` YueHaibing
2019-05-16 10:17 ` Applied "spi: bitbang: Fix NULL pointer dereference in spi_unregister_master" to the spi tree Mark Brown
2019-05-16 10:17 ` Mark Brown