Received: by 10.192.165.156 with SMTP id m28csp756843imm; Thu, 19 Apr 2018 07:06:47 -0700 (PDT) X-Google-Smtp-Source: AIpwx49JCNo3+ka2dFbZxpyuRlQmb4hhiMXNMzzyySNOPK6tms+QxJ5tEguUCkWJeHgZHaGuB1DZ X-Received: by 10.99.171.72 with SMTP id k8mr5403053pgp.355.1524146807203; Thu, 19 Apr 2018 07:06:47 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1524146807; cv=none; d=google.com; s=arc-20160816; b=wDkNkRVtp6oXb63pYx2EXK5UtoNOGPjoOUFeGwfltNK3zY+xWKXF5en//VC9AQX/2b DH2Y2CZ7sLp44ewvDROK6szMOqQAQenl2xCLCqCOXaqs9OA6WOCPLTI0tuRgqv5aIEbg Q7BQO9lvCfoFFumAk3Fww392rywq91xsmSoadtzQ1W4bYzfJMr0dDry78gEQKyqGRm8X HXOvyemI8h5F3rure9BW8lAvDFENlMBZ6iTlD90hxMYRLbyxtWvMlZOS2EkDgNMviGqa RvGSb0/sTFi0st+wHsf1v4rGCFghcT7KFJQ3D80B5+MjYcuJ35QMSV+MX8oND53mqjMb cJQQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature:arc-authentication-results; bh=pQ+isVs8/ZCiw1R7eMFmv1oZvE3xssUSU+237AgdpLE=; b=DmP52OdMkbHDDhgu9CWZY5tEoOhU9Rwn6jKltYLhDsbTSLuCBwabC+p9FYqa5ktIfe RM321BuPJjW6pF0dI75zp+N20pimQTor2u+wKhzZHU3YGwVSmcoYCrZtQQ4oAHbSKh/G /5xpkbNN9Oayh7ZuePAX6Sj41YzbidLwpde+zHU4McnE3xbpllfr9Bhk53TJnJoJprXO yvvDydYIXPvvM2IsOH5JTTQMFvvDddBv7psIozsgKi+jAUtsNCZ5WQzJhplOzVq+WGUX R8Uflief/pYLoWv+dEwsN4lWnJKrkx5VDKmTPZFpBijC3GqJOhElI3K4OlPqlbFf/s5Y ONZw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=NoNxRsw2; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id p8-v6si3704427plr.311.2018.04.19.07.06.32; Thu, 19 Apr 2018 07:06:47 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=NoNxRsw2; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752788AbeDSOFS (ORCPT + 99 others); Thu, 19 Apr 2018 10:05:18 -0400 Received: from mail-pf0-f195.google.com ([209.85.192.195]:33311 "EHLO mail-pf0-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750989AbeDSOFQ (ORCPT ); Thu, 19 Apr 2018 10:05:16 -0400 Received: by mail-pf0-f195.google.com with SMTP id f15so2695460pfn.0; Thu, 19 Apr 2018 07:05:16 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=pQ+isVs8/ZCiw1R7eMFmv1oZvE3xssUSU+237AgdpLE=; b=NoNxRsw2W20lz3idXcwiiR1NzMskXFdUKBv0Vv7B/kVICP0nH8ZEHZXTVUt4FHlmUD u4TwLY2TXrvVWZ+dPkFVFT/KbQGb3przJQNkDQGJxAP9pSu858NM6WWr3KZDW+pU6N1T cWIB1ZKTfWazWUvo7mRyF5TTXr5IS9nnsS2IDGhxmQ/8Yl0i2B6sp6NweuDSU3985bFn Scf27J/E2B2HJxApphY3QCDz1fAS1fBd+J2lYd8y8Ly7H8G+zvth0rfNnI5+UqKmO9MO YM52dxWdmXs9nTkKihaEK7f8Iz52m7Tk0TFspnIxSnZb2GGkP1tL5LIyXNDiE1rwH91t ogAA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=pQ+isVs8/ZCiw1R7eMFmv1oZvE3xssUSU+237AgdpLE=; b=RyHpfGB6PY8UMexxWdgIDwTxufptzaGXeEAdoE7PNQDl499c7WxyBH0ovwvD3bT+Uf mWRtirtEpzpBWzR9DXYbNjPmJ1cItWwnNlz+tFaaM6/iQuCdeMEF9h+yLC4f0cGU5L63 1uhV2avFbQzw7j/sZN2aCsTRu8PJBH766QpE8JNTpMDutvaixiKIJY1EM9+wrX5WjPHR UL+v1fyiNLWumEFUZDc8EA9I5QiJOu860E29485sprPgSOQ8lSIWveoiwW2uv0PiMgf1 0y2z+r3SGZRls+CGkryDCfwk50W/Meth8RdujFy3y2aLmvDqSYPek4gxzDwYLEy8t4va AnEw== X-Gm-Message-State: ALQs6tC7udQGPlPburiEJeda81Bmz9a1v+uDD2N4JLbAFwpl76uCYcxT cCECdci3G2FnSE8Fw21zhBM= X-Received: by 10.99.55.68 with SMTP id g4mr5071312pgn.283.1524146715953; Thu, 19 Apr 2018 07:05:15 -0700 (PDT) Received: from kiddo.hsd1.wa.comcast.net (c-73-97-192-101.hsd1.wa.comcast.net. [73.97.192.101]) by smtp.gmail.com with ESMTPSA id z7sm6027442pgv.9.2018.04.19.07.05.14 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 19 Apr 2018 07:05:14 -0700 (PDT) From: "=?UTF-8?q?Jo=C3=A3o=20Paulo=20Rechi=20Vita?=" X-Google-Original-From: =?UTF-8?q?Jo=C3=A3o=20Paulo=20Rechi=20Vita?= To: Corentin Chary , Darren Hart , Andy Shevchenko Cc: platform-driver-x86@vger.kernel.org, acpi4asus-user@lists.sourceforge.net, linux-kernel@vger.kernel.org, linux@endlessm.com, Dun Hum , =?UTF-8?q?Jo=C3=A3o=20Paulo=20Rechi=20Vita?= , stable@vger.kernel.org Subject: [PATCH v2] platform/x86: asus-wireless: Fix NULL pointer dereference Date: Thu, 19 Apr 2018 07:04:34 -0700 Message-Id: <20180419140434.15131-1-jprvita@endlessm.com> X-Mailer: git-send-email 2.17.0 In-Reply-To: References: MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org When the module is removed the led workqueue is destroyed in the remove callback, before the led device is unregistered from the led subsystem. This leads to a NULL pointer derefence when the led device is unregistered automatically later as part of the module removal cleanup. Bellow is the backtrace showing the problem. BUG: unable to handle kernel NULL pointer dereference at (null) IP: __queue_work+0x8c/0x410 PGD 0 P4D 0 Oops: 0000 [#1] SMP NOPTI Modules linked in: ccm edac_mce_amd kvm_amd kvm irqbypass crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc aesni_intel aes_x86_64 joydev crypto_simd asus_nb_wmi glue_helper uvcvideo snd_hda_codec_conexant snd_hda_codec_generic snd_hda_codec_hdmi snd_hda_intel asus_wmi snd_hda_codec cryptd snd_hda_core sparse_keymap videobuf2_vmalloc arc4 videobuf2_memops snd_hwdep input_leds videobuf2_v4l2 ath9k psmouse videobuf2_core videodev ath9k_common snd_pcm ath9k_hw media fam15h_power ath k10temp snd_timer mac80211 i2c_piix4 r8169 mii mac_hid cfg80211 asus_wireless(-) snd soundcore wmi shpchp 8250_dw ip_tables x_tables amdkfd amd_iommu_v2 amdgpu radeon chash i2c_algo_bit drm_kms_helper syscopyarea serio_raw sysfillrect sysimgblt fb_sys_fops ahci ttm libahci drm video CPU: 3 PID: 2177 Comm: rmmod Not tainted 4.15.0-5-generic #6+dev94.b4287e5bem1-Endless Hardware name: ASUSTeK COMPUTER INC. X555DG/X555DG, BIOS 5.011 05/05/2015 RIP: 0010:__queue_work+0x8c/0x410 RSP: 0018:ffffbe8cc249fcd8 EFLAGS: 00010086 RAX: ffff992ac6810800 RBX: 0000000000000000 RCX: 0000000000000008 RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffff992ac6400e18 RBP: ffffbe8cc249fd18 R08: ffff992ac6400db0 R09: 0000000000000000 R10: 0000000000000040 R11: ffff992ac6400dd8 R12: 0000000000002000 R13: ffff992abd762e00 R14: ffff992abd763e38 R15: 000000000001ebe0 FS: 00007f318203e700(0000) GS:ffff992aced80000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 00000001c720e000 CR4: 00000000001406e0 Call Trace: queue_work_on+0x38/0x40 led_state_set+0x2c/0x40 [asus_wireless] led_set_brightness_nopm+0x14/0x40 led_set_brightness+0x37/0x60 led_trigger_set+0xfc/0x1d0 led_classdev_unregister+0x32/0xd0 devm_led_classdev_release+0x11/0x20 release_nodes+0x109/0x1f0 devres_release_all+0x3c/0x50 device_release_driver_internal+0x16d/0x220 driver_detach+0x3f/0x80 bus_remove_driver+0x55/0xd0 driver_unregister+0x2c/0x40 acpi_bus_unregister_driver+0x15/0x20 asus_wireless_driver_exit+0x10/0xb7c [asus_wireless] SyS_delete_module+0x1da/0x2b0 entry_SYSCALL_64_fastpath+0x24/0x87 RIP: 0033:0x7f3181b65fd7 RSP: 002b:00007ffe74bcbe18 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f3181b65fd7 RDX: 000000000000000a RSI: 0000000000000800 RDI: 0000555ea2559258 RBP: 0000555ea25591f0 R08: 00007ffe74bcad91 R09: 000000000000000a R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000000003 R13: 00007ffe74bcae00 R14: 0000000000000000 R15: 0000555ea25591f0 Code: 01 00 00 02 0f 85 7d 01 00 00 48 63 45 d4 48 c7 c6 00 f4 fa 87 49 8b 9d 08 01 00 00 48 03 1c c6 4c 89 f7 e8 87 fb ff ff 48 85 c0 <48> 8b 3b 0f 84 c5 01 00 00 48 39 f8 0f 84 bc 01 00 00 48 89 c7 RIP: __queue_work+0x8c/0x410 RSP: ffffbe8cc249fcd8 CR2: 0000000000000000 ---[ end trace 7aa4f4a232e9c39c ]--- Unregistering the led device on the remove callback before destroying the workqueue avoids this problem. https://bugzilla.kernel.org/show_bug.cgi?id=196097 Reported-by: Dun Hum Cc: stable@vger.kernel.org Signed-off-by: João Paulo Rechi Vita --- drivers/platform/x86/asus-wireless.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/platform/x86/asus-wireless.c b/drivers/platform/x86/asus-wireless.c index 343e12547660..b8e35a8d65cf 100644 --- a/drivers/platform/x86/asus-wireless.c +++ b/drivers/platform/x86/asus-wireless.c @@ -181,8 +181,10 @@ static int asus_wireless_remove(struct acpi_device *adev) { struct asus_wireless_data *data = acpi_driver_data(adev); - if (data->wq) + if (data->wq) { + devm_led_classdev_unregister(&adev->dev, &data->led); destroy_workqueue(data->wq); + } return 0; } -- 2.17.0