From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Pavel Andrianov, Evgeny Novikov, Felipe Balbi, Sasha Levin
Subject: [PATCH 4.19 030/101] usb: gadget: goku_udc: fix potential crashes in probe
Date: Tue, 17 Nov 2020 14:04:57 +0100
Message-Id: <20201117122114.557605715@linuxfoundation.org>
In-Reply-To: <20201117122113.128215851@linuxfoundation.org>
References: <20201117122113.128215851@linuxfoundation.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Evgeny Novikov

[ Upstream commit 0d66e04875c5aae876cf3d4f4be7978fa2b00523 ]

goku_probe() goes to error label "err" and invokes goku_remove() in case of failures of pci_enable_device(), pci_resource_start() and ioremap(). goku_remove() gets a device from pci_get_drvdata(pdev) and works with it without any checks, in particular it dereferences a corresponding pointer. But goku_probe() did not set this device yet. So, one can expect various crashes. The patch moves setting the device just after allocation of memory for it.

Found by Linux Driver Verification project (linuxtesting.org).

Reported-by: Pavel Andrianov
Signed-off-by: Evgeny Novikov
Signed-off-by: Felipe Balbi
Signed-off-by: Sasha Levin
---
 drivers/usb/gadget/udc/goku_udc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/usb/gadget/udc/goku_udc.c b/drivers/usb/gadget/udc/goku_udc.c index c3721225b61ed..b706ad3034bc1 100644 --- a/drivers/usb/gadget/udc/goku_udc.c +++ b/drivers/usb/gadget/udc/goku_udc.c @@ -1757,6 +1757,7 @@ static int goku_probe(struct pci_dev *pdev, const struct pci_device_id *id) goto err; } + pci_set_drvdata(pdev, dev); spin_lock_init(&dev->lock); dev->pdev = pdev; dev->gadget.ops = &goku_ops; 
@@ -1790,7 +1791,6 @@ static int goku_probe(struct pci_dev *pdev, const struct pci_device_id *id) } dev->regs = (struct goku_udc_regs __iomem *) base; - pci_set_drvdata(pdev, dev); INFO(dev, "%s\n", driver_desc); INFO(dev, "version: " DRIVER_VERSION " %s\n", dmastr()); INFO(dev, "irq %d, pci mem %p\n", pdev->irq, base); -- 2.27.0
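
Review bot: in the first hunk (@@ -1757,6 +1757,7 @@), the "goto err;" in the context directly above the new pci_set_drvdata(pdev, dev) still runs before drvdata is set, so if the err label invokes goku_remove() on that path as well, as the commit message describes for the other failures, pci_get_drvdata(pdev) still returns an unset pointer there. Please confirm that the err label skips goku_remove() when that earlier branch is taken, or add a NULL check on the pci_get_drvdata() result at the top of goku_remove().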
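
Review bot: in the second hunk (@@ -1790,7 +1791,6 @@), pci_set_drvdata() no longer follows the "dev->regs = ... base;" assignment, so goku_remove() can now be handed a dev whose regs field has not been assigned yet and whose setup stopped partway through probe. The commit message should state that goku_remove() tolerates a partially initialised device, or the teardown steps should be guarded, for example by checking dev->regs before anything uses the mapping.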