Received: by 2002:a05:6a10:9848:0:0:0:0 with SMTP id x8csp3410583pxf; Mon, 29 Mar 2021 01:12:20 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzY+nUHCIPmPux9ACxl7TKyfzrXFMLBMuuGBweuMLG/E7k6yrhlgiCo4H2xLS6cfOlF9hhO X-Received: by 2002:a05:6402:704:: with SMTP id w4mr28335883edx.175.1617005539821; Mon, 29 Mar 2021 01:12:19 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1617005539; cv=none; d=google.com; s=arc-20160816; b=qnsjyzAwZolOYH8WZo38z2u5gPld/WUiJaYckav108v9+a4R9D19AzDwFNKGkDlBXj AxzGiHXkAp1E5sXR9VEGOV/ePKctAaEDH/PEwRCvt135XnFWHcOTwFMYLUkEwUTcKAzg QFklbNmx5fpppRHhW8CpiShXMeC7yRFym4WkuCAKpX+332zAoKjdpsmn6/pFPdswitQL KbS1IB9W+hFL43ZPpcQ5WC1hvaYEn7Z+gko+vOPzqtREHZ/Ziqv2gqBesgVKiv/UZ54M Vh08G6+TYoMfocQJtrAeQQI9ylFcjiKsGgSCzGFAhF83n0pH5oB/dvZT3Y8jEgKG6gIR Rpzg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=9vHl9/TsfqUDeOVOIo87GVc4byFpjemh5DX1o9DbO0Y=; b=0TUS1oDWiFTmVirZEUPFHeCfAHeCHmI9TlScm3DNR2pDJFfZvweCN6DfiDR8hWR4tf fAzwxZcF1gEmk6Hpi15kWoEVehbQUK7Dy8RTULnqToGAhEo6JcAzDgBxSEkNGPQm4Oj4 tKA1rz7KsLAo/VnZj1DIeGBIx2sMGMwZPHVrHrzgYyrjq0O2+ZRZuXH64bQNXkdrgmkX u7/qBaEdRtow2f07bjP5glMGXVHI/qz8+EX2l/cmB2LKJ2rSfNhcYTGWWkgGxUwtp2D0 LLe0pczr3tb4VbgHAkLCLqOd1omQchH/wWUp9DCiQOmbe9p+8WTsnBGXsfM0fAJIeq16 Z5Zw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=YXQB6u8p; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id l27si12854366edc.394.2021.03.29.01.11.57; Mon, 29 Mar 2021 01:12:19 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=YXQB6u8p; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232253AbhC2II7 (ORCPT + 99 others); Mon, 29 Mar 2021 04:08:59 -0400 Received: from mail.kernel.org ([198.145.29.99]:48490 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232155AbhC2IFT (ORCPT ); Mon, 29 Mar 2021 04:05:19 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id 237416196B; Mon, 29 Mar 2021 08:05:17 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1617005118; bh=r+cp0j1PWqS7ns0g/NpTFtXGBvc0ejC0LNjvLkonyig=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=YXQB6u8pZ1kf5z5iwQsZrTzxH+uSHRW3eiVd2L9cwuWdL9cY9KhWNVS9EsnOCio5V TgeMXH4Ds7plH+ENg3g9yI2GJFz3TzyBZA6d4F8s90p/diXS+322TvKrzZufd+LwA1 AsCr+pqg1OJWnyLVpSPvuXqct75dq6TEc5K+vDMo= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Tong Zhang , "David S. Miller" , Sasha Levin Subject: [PATCH 4.14 03/59] atm: eni: dont release is never initialized Date: Mon, 29 Mar 2021 09:57:43 +0200 Message-Id: <20210329075609.007930560@linuxfoundation.org> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20210329075608.898173317@linuxfoundation.org> References: <20210329075608.898173317@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Tong Zhang [ Upstream commit 4deb550bc3b698a1f03d0332cde3df154d1b6c1e ] label err_eni_release is reachable when eni_start() fail. In eni_start() it calls dev->phy->start() in the last step, if start() fail we don't need to call phy->stop(), if start() is never called, we neither need to call phy->stop(), otherwise null-ptr-deref will happen. In order to fix this issue, don't call phy->stop() in label err_eni_release [ 4.875714] ================================================================== [ 4.876091] BUG: KASAN: null-ptr-deref in suni_stop+0x47/0x100 [suni] [ 4.876433] Read of size 8 at addr 0000000000000030 by task modprobe/95 [ 4.876778] [ 4.876862] CPU: 0 PID: 95 Comm: modprobe Not tainted 5.11.0-rc7-00090-gdcc0b49040c7 #2 [ 4.877290] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-48-gd94 [ 4.877876] Call Trace: [ 4.878009] dump_stack+0x7d/0xa3 [ 4.878191] kasan_report.cold+0x10c/0x10e [ 4.878410] ? __slab_free+0x2f0/0x340 [ 4.878612] ? suni_stop+0x47/0x100 [suni] [ 4.878832] suni_stop+0x47/0x100 [suni] [ 4.879043] eni_do_release+0x3b/0x70 [eni] [ 4.879269] eni_init_one.cold+0x1152/0x1747 [eni] [ 4.879528] ? _raw_spin_lock_irqsave+0x7b/0xd0 [ 4.879768] ? eni_ioctl+0x270/0x270 [eni] [ 4.879990] ? __mutex_lock_slowpath+0x10/0x10 [ 4.880226] ? eni_ioctl+0x270/0x270 [eni] [ 4.880448] local_pci_probe+0x6f/0xb0 [ 4.880650] pci_device_probe+0x171/0x240 [ 4.880864] ? pci_device_remove+0xe0/0xe0 [ 4.881086] ? kernfs_create_link+0xb6/0x110 [ 4.881315] ? sysfs_do_create_link_sd.isra.0+0x76/0xe0 [ 4.881594] really_probe+0x161/0x420 [ 4.881791] driver_probe_device+0x6d/0xd0 [ 4.882010] device_driver_attach+0x82/0x90 [ 4.882233] ? device_driver_attach+0x90/0x90 [ 4.882465] __driver_attach+0x60/0x100 [ 4.882671] ? device_driver_attach+0x90/0x90 [ 4.882903] bus_for_each_dev+0xe1/0x140 [ 4.883114] ? subsys_dev_iter_exit+0x10/0x10 [ 4.883346] ? klist_node_init+0x61/0x80 [ 4.883557] bus_add_driver+0x254/0x2a0 [ 4.883764] driver_register+0xd3/0x150 [ 4.883971] ? 0xffffffffc0038000 [ 4.884149] do_one_initcall+0x84/0x250 [ 4.884355] ? trace_event_raw_event_initcall_finish+0x150/0x150 [ 4.884674] ? unpoison_range+0xf/0x30 [ 4.884875] ? ____kasan_kmalloc.constprop.0+0x84/0xa0 [ 4.885150] ? unpoison_range+0xf/0x30 [ 4.885352] ? unpoison_range+0xf/0x30 [ 4.885557] do_init_module+0xf8/0x350 [ 4.885760] load_module+0x3fe6/0x4340 [ 4.885960] ? vm_unmap_ram+0x1d0/0x1d0 [ 4.886166] ? ____kasan_kmalloc.constprop.0+0x84/0xa0 [ 4.886441] ? module_frob_arch_sections+0x20/0x20 [ 4.886697] ? __do_sys_finit_module+0x108/0x170 [ 4.886941] __do_sys_finit_module+0x108/0x170 [ 4.887178] ? __ia32_sys_init_module+0x40/0x40 [ 4.887419] ? file_open_root+0x200/0x200 [ 4.887634] ? do_sys_open+0x85/0xe0 [ 4.887826] ? filp_open+0x50/0x50 [ 4.888009] ? fpregs_assert_state_consistent+0x4d/0x60 [ 4.888287] ? exit_to_user_mode_prepare+0x2f/0x130 [ 4.888547] do_syscall_64+0x33/0x40 [ 4.888739] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 4.889010] RIP: 0033:0x7ff62fcf1cf7 [ 4.889202] Code: 48 89 57 30 48 8b 04 24 48 89 47 38 e9 1d a0 02 00 48 89 f8 48 89 f71 [ 4.890172] RSP: 002b:00007ffe6644ade8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139 [ 4.890570] RAX: ffffffffffffffda RBX: 0000000000f2ca70 RCX: 00007ff62fcf1cf7 [ 4.890944] RDX: 0000000000000000 RSI: 0000000000f2b9e0 RDI: 0000000000000003 [ 4.891318] RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000001 [ 4.891691] R10: 00007ff62fd55300 R11: 0000000000000246 R12: 0000000000f2b9e0 [ 4.892064] R13: 0000000000000000 R14: 0000000000f2bdd0 R15: 0000000000000001 [ 4.892439] ================================================================== Signed-off-by: Tong Zhang Signed-off-by: David S. Miller Signed-off-by: Sasha Levin --- drivers/atm/eni.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/atm/eni.c b/drivers/atm/eni.c index ba549d945479..ffe519663687 100644 --- a/drivers/atm/eni.c +++ b/drivers/atm/eni.c @@ -2279,7 +2279,8 @@ static int eni_init_one(struct pci_dev *pci_dev, return rc; err_eni_release: - eni_do_release(dev); + dev->phy = NULL; + iounmap(ENI_DEV(dev)->ioaddr); err_unregister: atm_dev_deregister(dev); err_free_consistent: -- 2.30.1