Received: by 2002:ac0:a594:0:0:0:0:0 with SMTP id m20-v6csp87757imm;
        Tue, 22 May 2018 14:31:16 -0700 (PDT)
X-Google-Smtp-Source: AB8JxZorFkQRHnStOln2bW0+H4s77siv0sO3utaXZEEeP5O5dk+oZ7oAwlPINn19BGcGd7wzA0rP
X-Received: by 2002:a63:4d2:: with SMTP id 201-v6mr110445pge.129.1527024676509;
        Tue, 22 May 2018 14:31:16 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1527024676; cv=none;
        d=google.com; s=arc-20160816;
        b=l3H6aKxbHHdhVY3sdyi0ChKk2H0jEvkgoYZ9TljK14jhGE7Z2xPGWixr+QPMwdlZWJ
         CoFIQUYZVsZ6L4Ndth8eEjXO7J2lXFwgo9k/Q6edAhix6VgDi/hP0/aKJn1lOv6DUUwT
         5UyTtYKZNTiPTF7mw+2gNQ0djHgiTJwj0IcOtiMqglok7oUJFfe4GHh+8CZRrR6CzIA6
         kzA8A1xTxVDsvO6AhjHfVKvAICLRUz090TSKgJfcBouk78mntA0NpiBK3TnvkZ6xKzIj
         RBljsfBpiKUUH7zeZruxqftVekuNqEvth96gz6EF+BVhBJwATe0wk3QNzZM+Jz3yCBH5
         +U6Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :message-id:date:subject:cc:to:from:dkim-signature
         :arc-authentication-results;
        bh=qZ+HFQsCaNIAKYF7lXGcV8gJDSF2zJteOOAv59yyMUQ=;
        b=r8H4FgkP0VWXR83gKppFkabXZ+TWZRGIq7YgcYO3Iy24uOzbgXheJF50ObJddqelYl
         hXjftEo5zTDLQUFLDE/hvHTvgTsnnVdy2xbFUTmetpXIO8IrSqwhDcISbJc6YtbAXYDz
         /oDcanZv1Z55SMYM7SkIiSlSK+6eVzYeUYXCQ3OAWIDOm32O612wr2lS2cKVAKx/5KaI
         sVPIIzAKKOqNF51ya/6ir7BTJEVbckX760VeCd5mcwMKcd+PTMs0WbUlyy/7l/PFiHy6
         WcVEaMXKLmwndJL5wh0S8PqZsIZlqvfH25TtWOI/UEpm41FtIWU5eDgfKHNb+UdJEWst
         XfhA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=quDgiB50;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id q15-v6si13121102pgt.266.2018.05.22.14.31.01;
        Tue, 22 May 2018 14:31:16 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=quDgiB50;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1753201AbeEVVaW (ORCPT <rfc822;huangweiredhat@gmail.com>
        + 99 others); Tue, 22 May 2018 17:30:22 -0400
Received: from mail-pl0-f65.google.com ([209.85.160.65]:35877 "EHLO
        mail-pl0-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1752785AbeEVVaT (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 22 May 2018 17:30:19 -0400
Received: by mail-pl0-f65.google.com with SMTP id v24-v6so11658421plo.3;
        Tue, 22 May 2018 14:30:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=from:to:cc:subject:date:message-id:mime-version
         :content-transfer-encoding;
        bh=qZ+HFQsCaNIAKYF7lXGcV8gJDSF2zJteOOAv59yyMUQ=;
        b=quDgiB50nOcowFcZvV9JGd+fB6ckmQZj3k549PPsIxuqTOBvPnbqWKZKSXJCg4MnC5
         MPgicw09nggzRKcWWd1Kc/fK2xRXFWnAcq51JXi7/YkC4Dannp691NEiHtNTGByGkNPm
         WpxfYe30krprsSVDrtpp/BbPWUpizLOoFcKFa1Bt16LtPBEUdcKoknsEkvI5ty4dwAKH
         lCarKHdJVS62Q1BaiYYegtfyuFcg7lFfSAU5J+Iny9PSsotgqv5BpzWItrocAPe6wOTI
         SQA5FLLpFSBxcqL6rgc0ORHwAOK6O6D7eVSDumujpJULKJOXIkstj1agvVYlgkh4ekEf
         2Pqg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version
         :content-transfer-encoding;
        bh=qZ+HFQsCaNIAKYF7lXGcV8gJDSF2zJteOOAv59yyMUQ=;
        b=BTs6Mby5k0xd3auNRLVUns1pYyBuP+uJzCvr+4T+07XwB2Uo7G7Azcj43b6/t40NA1
         6QrCWfgUuybyd4ckzyNHZpED69bxen8D/l0tqvFGHIKLG2p7FlTES+NpE0kasfqY/bFD
         tiFEMjowJdfuxxApTqFPhAKPy/VBpRaYIYOaY2QsL1OkHac3IFE0tmT5yXHM6bD9VVba
         n6ipfx9Z3+vGoaVJcp68D7b7W7w9U5NKiFvx48iPWsaXh5YLH2q+8cZKBh1ZZwSFMENb
         odCFq3xxvlbgVFcZ9l1P46+YwWPpw+9Fy52T0/+b/hI5+AqMvXfTgCYhE2/Z1KHDa8Ew
         8qVw==
X-Gm-Message-State: ALKqPweRKqjP/XCWChObIDP040k5lzSUf3s/S0013mSgg+LTqcB6h2tT
        jcN9qs35yja9HuS4X7dHWkA=
X-Received: by 2002:a17:902:6b8b:: with SMTP id p11-v6mr159556plk.212.1527024618684;
        Tue, 22 May 2018 14:30:18 -0700 (PDT)
Received: from kiddo.hsd1.wa.comcast.net (c-73-169-152-248.hsd1.wa.comcast.net. [73.169.152.248])
        by smtp.gmail.com with ESMTPSA id a77-v6sm30763840pfe.70.2018.05.22.14.30.17
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Tue, 22 May 2018 14:30:18 -0700 (PDT)
From:   "=?UTF-8?q?Jo=C3=A3o=20Paulo=20Rechi=20Vita?=" <jprvita@gmail.com>
X-Google-Original-From: =?UTF-8?q?Jo=C3=A3o=20Paulo=20Rechi=20Vita?= <jprvita@endlessm.com>
To:     Corentin Chary <corentin.chary@gmail.com>,
        Darren Hart <dvhart@infradead.org>,
        Andy Shevchenko <andy@infradead.org>
Cc:     linux@endlessm.com, red.f0xyz@gmail.com,
        =?UTF-8?q?Jo=C3=A3o=20Paulo=20Rechi=20Vita?= <jprvita@endlessm.com>,
        acpi4asus-user@lists.sourceforge.net,
        platform-driver-x86@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH] platform/x86: asus-wmi: Fix NULL pointer dereference
Date:   Tue, 22 May 2018 14:30:15 -0700
Message-Id: <20180522213016.5496-1-jprvita@endlessm.com>
X-Mailer: git-send-email 2.17.0
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Do not perform the rfkill cleanup routine when
(asus->driver->wlan_ctrl_by_user && ashs_present()) is true, since
nothing is registered with the rfkill subsystem in that case. Doing so
leads to the following kernel NULL pointer dereference:

  BUG: unable to handle kernel NULL pointer dereference at           (null)
  IP: [<ffffffff816c7348>] __mutex_lock_slowpath+0x98/0x120
  PGD 1a3aa8067
  PUD 1a3b3d067
  PMD 0

  Oops: 0002 [#1] PREEMPT SMP
  Modules linked in: bnep ccm binfmt_misc uvcvideo videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videobuf2_core hid_a4tech videodev x86_pkg_temp_thermal intel_powerclamp coretemp ath3k btusb btrtl btintel bluetooth kvm_intel snd_hda_codec_hdmi kvm snd_hda_codec_realtek snd_hda_codec_generic irqbypass crc32c_intel arc4 i915 snd_hda_intel snd_hda_codec ath9k ath9k_common ath9k_hw ath i2c_algo_bit snd_hwdep mac80211 ghash_clmulni_intel snd_hda_core snd_pcm snd_timer cfg80211 ehci_pci xhci_pci drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops drm xhci_hcd ehci_hcd asus_nb_wmi(-) asus_wmi sparse_keymap r8169 rfkill mxm_wmi serio_raw snd mii mei_me lpc_ich i2c_i801 video soundcore mei i2c_smbus wmi i2c_core mfd_core
  CPU: 3 PID: 3275 Comm: modprobe Not tainted 4.9.34-gentoo #34
  Hardware name: ASUSTeK COMPUTER INC. K56CM/K56CM, BIOS K56CM.206 08/21/2012
  task: ffff8801a639ba00 task.stack: ffffc900014cc000
  RIP: 0010:[<ffffffff816c7348>]  [<ffffffff816c7348>] __mutex_lock_slowpath+0x98/0x120
  RSP: 0018:ffffc900014cfce0  EFLAGS: 00010282
  RAX: 0000000000000000 RBX: ffff8801a54315b0 RCX: 00000000c0000100
  RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff8801a54315b4
  RBP: ffffc900014cfd30 R08: 0000000000000000 R09: 0000000000000002
  R10: 0000000000000000 R11: 0000000000000000 R12: ffff8801a54315b4
  R13: ffff8801a639ba00 R14: 00000000ffffffff R15: ffff8801a54315b8
  FS:  00007faa254fb700(0000) GS:ffff8801aef80000(0000) knlGS:0000000000000000
  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: 0000000000000000 CR3: 00000001a3b1b000 CR4: 00000000001406e0
  Stack:
   ffff8801a54315b8 0000000000000000 ffffffff814733ae ffffc900014cfd28
   ffffffff8146a28c ffff8801a54315b0 0000000000000000 ffff8801a54315b0
   ffff8801a66f3820 0000000000000000 ffffc900014cfd48 ffffffff816c73e7
  Call Trace:
   [<ffffffff814733ae>] ? acpi_ut_release_mutex+0x5d/0x61
   [<ffffffff8146a28c>] ? acpi_ns_get_node+0x49/0x52
   [<ffffffff816c73e7>] mutex_lock+0x17/0x30
   [<ffffffffa00a3bb4>] asus_rfkill_hotplug+0x24/0x1a0 [asus_wmi]
   [<ffffffffa00a4421>] asus_wmi_rfkill_exit+0x61/0x150 [asus_wmi]
   [<ffffffffa00a49f1>] asus_wmi_remove+0x61/0xb0 [asus_wmi]
   [<ffffffff814a5128>] platform_drv_remove+0x28/0x40
   [<ffffffff814a2901>] __device_release_driver+0xa1/0x160
   [<ffffffff814a29e3>] device_release_driver+0x23/0x30
   [<ffffffff814a1ffd>] bus_remove_device+0xfd/0x170
   [<ffffffff8149e5a9>] device_del+0x139/0x270
   [<ffffffff814a5028>] platform_device_del+0x28/0x90
   [<ffffffff814a50a2>] platform_device_unregister+0x12/0x30
   [<ffffffffa00a4209>] asus_wmi_unregister_driver+0x19/0x30 [asus_wmi]
   [<ffffffffa00da0ea>] asus_nb_wmi_exit+0x10/0xf26 [asus_nb_wmi]
   [<ffffffff8110c692>] SyS_delete_module+0x192/0x270
   [<ffffffff810022b2>] ? exit_to_usermode_loop+0x92/0xa0
   [<ffffffff816ca560>] entry_SYSCALL_64_fastpath+0x13/0x94
  Code: e8 5e 30 00 00 8b 03 83 f8 01 0f 84 93 00 00 00 48 8b 43 10 4c 8d 7b 08 48 89 63 10 41 be ff ff ff ff 4c 89 3c 24 48 89 44 24 08 <48> 89 20 4c 89 6c 24 10 eb 1d 4c 89 e7 49 c7 45 08 02 00 00 00
  RIP  [<ffffffff816c7348>] __mutex_lock_slowpath+0x98/0x120
   RSP <ffffc900014cfce0>
  CR2: 0000000000000000
  ---[ end trace 8d484233fa7cb512 ]---
  note: modprobe[3275] exited with preempt_count 2

https://bugzilla.kernel.org/show_bug.cgi?id=196467

Reported-by: red.f0xyz@gmail.com
Signed-off-by: João Paulo Rechi Vita <jprvita@endlessm.com>
---
 drivers/platform/x86/asus-wmi.c | 23 +++++++++++++----------
 1 file changed, 13 insertions(+), 10 deletions(-)

diff --git a/drivers/platform/x86/asus-wmi.c b/drivers/platform/x86/asus-wmi.c
index ef87e78ca772..3d523ca64694 100644
--- a/drivers/platform/x86/asus-wmi.c
+++ b/drivers/platform/x86/asus-wmi.c
@@ -163,6 +163,16 @@ MODULE_LICENSE("GPL");
 
 static const char * const ashs_ids[] = { "ATK4001", "ATK4002", NULL };
 
+static bool ashs_present(void)
+{
+	int i = 0;
+	while (ashs_ids[i]) {
+		if (acpi_dev_found(ashs_ids[i++]))
+			return true;
+	}
+	return false;
+}
+
 struct bios_args {
 	u32 arg0;
 	u32 arg1;
@@ -1025,6 +1035,9 @@ static int asus_new_rfkill(struct asus_wmi *asus,
 
 static void asus_wmi_rfkill_exit(struct asus_wmi *asus)
 {
+	if (asus->driver->wlan_ctrl_by_user && ashs_present())
+		return;
+
 	asus_unregister_rfkill_notifier(asus, "\\_SB.PCI0.P0P5");
 	asus_unregister_rfkill_notifier(asus, "\\_SB.PCI0.P0P6");
 	asus_unregister_rfkill_notifier(asus, "\\_SB.PCI0.P0P7");
@@ -2120,16 +2133,6 @@ static int asus_wmi_fan_init(struct asus_wmi *asus)
 	return 0;
 }
 
-static bool ashs_present(void)
-{
-	int i = 0;
-	while (ashs_ids[i]) {
-		if (acpi_dev_found(ashs_ids[i++]))
-			return true;
-	}
-	return false;
-}
-
 /*
  * WMI Driver
  */
-- 
2.17.0