From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Pavel Andrianov, Evgeny Novikov, Felipe Balbi, Sasha Levin
Subject: [PATCH 5.9 082/255] usb: gadget: goku_udc: fix potential crashes in probe
Date: Tue, 17 Nov 2020 14:03:42 +0100
Message-Id: <20201117122142.947295240@linuxfoundation.org>
In-Reply-To: <20201117122138.925150709@linuxfoundation.org>
References: <20201117122138.925150709@linuxfoundation.org>

From: Evgeny Novikov

[ Upstream commit 0d66e04875c5aae876cf3d4f4be7978fa2b00523 ]

goku_probe() goes to error label "err" and invokes goku_remove() in case of failures of pci_enable_device(), pci_resource_start() and ioremap(). goku_remove() gets a device from pci_get_drvdata(pdev) and works with it without any checks, in particular it dereferences a corresponding pointer. But goku_probe() did not set this device yet. So, one can expect various crashes. The patch moves setting the device just after allocation of memory for it.

Found by Linux Driver Verification project (linuxtesting.org).

Reported-by: Pavel Andrianov
Signed-off-by: Evgeny Novikov
Signed-off-by: Felipe Balbi
Signed-off-by: Sasha Levin

--- drivers/usb/gadget/udc/goku_udc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/usb/gadget/udc/goku_udc.c b/drivers/usb/gadget/udc/goku_udc.c index 25c1d6ab5adb4..3e1267d38774f 100644 --- a/drivers/usb/gadget/udc/goku_udc.c +++ b/drivers/usb/gadget/udc/goku_udc.c @@ -1760,6 +1760,7 @@ static int goku_probe(struct pci_dev *pdev, const struct pci_device_id *id) goto err; } + pci_set_drvdata(pdev, dev); spin_lock_init(&dev->lock); dev->pdev = pdev; dev->gadget.ops = &goku_ops; 
@@ -1793,7 +1794,6 @@ static int goku_probe(struct pci_dev *pdev, const struct pci_device_id *id) } dev->regs = (struct goku_udc_regs __iomem *) base; - pci_set_drvdata(pdev, dev); INFO(dev, "%s\n", driver_desc); INFO(dev, "version: " DRIVER_VERSION " %s\n", dmastr()); INFO(dev, "irq %d, pci mem %p\n", pdev->irq, base); -- 2.27.0
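Review bot: In the first hunk (goku_probe(), around line 1760), the `goto err;` that sits directly above the new `pci_set_drvdata(pdev, dev);` still reaches the error label before drvdata is set. The commit message says goku_remove() dereferences the pci_get_drvdata() result without any check, so if that branch is the allocation-failure path it would still hit a NULL pointer. Consider returning the error code directly from that branch, or adding a NULL check at the top of goku_remove(), and say in the commit message which of the two covers this case.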
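Review bot: In the second hunk (around line 1793), `dev->regs = (struct goku_udc_regs __iomem *) base;` is assigned only after the failure points named in the commit message, so with drvdata now set early, goku_remove() runs from the err path on a device whose regs pointer is not yet set up. The commit message should state that goku_remove() was checked against each partially initialized state it can now see; if it touches dev->regs unconditionally, that access needs a guard.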