Received: by 2002:a25:4158:0:0:0:0:0 with SMTP id o85csp1034125yba; Thu, 4 Apr 2019 02:55:45 -0700 (PDT) X-Google-Smtp-Source: APXvYqwOzQlicdtDEvaVblPTB65kQ7nHpoPB76K4E7K4X9dK02lYCO5gJeFkInROiRGXyeIc0SLR X-Received: by 2002:aa7:8096:: with SMTP id v22mr4994899pff.94.1554371745221; Thu, 04 Apr 2019 02:55:45 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1554371745; cv=none; d=google.com; s=arc-20160816; b=hjmrNePqMq3N9UsCsMQnnER3r+VX9d9s0he1s8eaWD/LZr+RNl7hbiJzNBOMY+vtyB rc7DXzH6envjGOoFXhAgtYkZtqpLbC31GA1fmQ2TtdRpGWZjHm4glqWzwTUiqWxXVSeN KQuPuv7njI8stE7cRepbECkqxqLO16QZjEKzqklSqHvAeiIgJZiyEWg/9k2vGO1skIbD +y9FgZToGIEFY/xLeb5z3pkpS88mBCDuVP44Vy3p2Bk92z+m7TkkkJGdTryiU4dHPQXy vo/Bzrv5jWG3/P1yPZWOKlgQZGDsmYnBpEEm88yVQeE0KTQe1qj8et6foxMQ/qEpRInD EGRQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=hvnks6Bb1ya47ggx2nS3iuLwkNCkmQjvVflOvLhMOQ8=; b=uKtp3CMR6nbezlu7HioiFmXTVQhgpbAU1GxbAisv36yr8a7GZYHVpbdcoz6R6wEKG2 5iF4tp4/pbRRnr1vQQKvIGH/FCBuuwcWdn2RtEd6u6bX7bA4CGO+fFfeP2RRd53niL+I MiQzBCqIlMxTOO73PVhO3emetAEb5eyk0XCWVYzRFCDpwjD+EDFHsXKEO6iSOMKJJXYL 5FAZnDyHUy1l863dQ45OeMWmc4faF/6x13kqBuP155vc1uzXf5K3+7cCrzYaLNR2jqop C918l0K1M4crM8Zi8X0rlMmlITib9TxOKIla4Ik7uqiX+/2LY7a6VtEFCaD9/iLAqSzg /dDA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=T0+L4OVq; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id n79si16167670pfb.133.2019.04.04.02.55.29; Thu, 04 Apr 2019 02:55:45 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=T0+L4OVq; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729561AbfDDIwO (ORCPT + 99 others); Thu, 4 Apr 2019 04:52:14 -0400 Received: from mail.kernel.org ([198.145.29.99]:54276 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728900AbfDDIwN (ORCPT ); Thu, 4 Apr 2019 04:52:13 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id DA06A217D4; Thu, 4 Apr 2019 08:52:11 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1554367932; bh=hTxlRQay0o8pTqipsvumf25bxZMHdHSZWo/IlNZSLX4=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=T0+L4OVqE44i+x43V0OB4DbXNPRFdhBmlXV1wpzbNtEkBWJIjE+1uSoRi2ygKVRVz EMcvJVYHB6EvsQ4yOVoZzb+5sh4U1t8cGyPwRprOc33pqsCA8QVUvXGrzn/2SsY/xL T97pHye3GTl/cs56+a33IqxI4B75lHhCO2FsS3ZA= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Michal Kazior , Jacek Anaszewski , Sasha Levin Subject: [PATCH 4.9 51/91] leds: lp55xx: fix null deref on firmware load failure Date: Thu, 4 Apr 2019 10:47:35 +0200 Message-Id: <20190404084538.437563769@linuxfoundation.org> X-Mailer: git-send-email 2.21.0 In-Reply-To: <20190404084535.450029272@linuxfoundation.org> References: <20190404084535.450029272@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review X-Patchwork-Hint: ignore MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.9-stable review patch. If anyone has any objections, please let me know. ------------------ [ Upstream commit 5ddb0869bfc1bca6cfc592c74c64a026f936638c ] I've stumbled upon a kernel crash and the logs pointed me towards the lp5562 driver: > <4>[306013.841294] lp5562 0-0030: Direct firmware load for lp5562 failed with error -2 > <4>[306013.894990] lp5562 0-0030: Falling back to user helper > ... > <3>[306073.924886] lp5562 0-0030: firmware request failed > <1>[306073.939456] Unable to handle kernel NULL pointer dereference at virtual address 00000000 > <4>[306074.251011] PC is at _raw_spin_lock+0x1c/0x58 > <4>[306074.255539] LR is at release_firmware+0x6c/0x138 > ... After taking a look I noticed firmware_release() could be called with either NULL or a dangling pointer. Fixes: 10c06d178df11 ("leds-lp55xx: support firmware interface") Signed-off-by: Michal Kazior Signed-off-by: Jacek Anaszewski Signed-off-by: Sasha Levin --- drivers/leds/leds-lp55xx-common.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/leds/leds-lp55xx-common.c b/drivers/leds/leds-lp55xx-common.c index 5377f22ff994..e2655953667c 100644 --- a/drivers/leds/leds-lp55xx-common.c +++ b/drivers/leds/leds-lp55xx-common.c @@ -201,7 +201,7 @@ static void lp55xx_firmware_loaded(const struct firmware *fw, void *context) if (!fw) { dev_err(dev, "firmware request failed\n"); - goto out; + return; } /* handling firmware data is chip dependent */ @@ -214,9 +214,9 @@ static void lp55xx_firmware_loaded(const struct firmware *fw, void *context) mutex_unlock(&chip->lock); -out: /* firmware should be released for other channel use */ release_firmware(chip->fw); + chip->fw = NULL; } static int lp55xx_request_firmware(struct lp55xx_chip *chip) -- 2.19.1