Date: Thu, 21 Apr 2022 06:53:32 -0500
From: Corey Minyard
To: Wei Yongjun
Cc: openipmi-developer@lists.sourceforge.net, linux-kernel@vger.kernel.org, Hulk Robot
Subject: Re: [PATCH] ipmi: ipmi_ipmb: Fix null-ptr-deref in ipmi_unregister_smi()
Message-ID: <20220421115332.GZ426325@minyard.net>
Reply-To: minyard@acm.org
In-Reply-To: <20220421100835.1942677-1-weiyongjun1@huawei.com>

On Thu, Apr 21, 2022 at 10:08:35AM +0000, Wei Yongjun wrote:
> KASAN report null-ptr-deref as follows:
>
> KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
> RIP: 0010:ipmi_unregister_smi+0x7d/0xd50 drivers/char/ipmi/ipmi_msghandler.c:3680
> Call Trace:
>  ipmi_ipmb_remove+0x138/0x1a0 drivers/char/ipmi/ipmi_ipmb.c:443
>  ipmi_ipmb_probe+0x409/0xda1 drivers/char/ipmi/ipmi_ipmb.c:548
>  i2c_device_probe+0x959/0xac0 drivers/i2c/i2c-core-base.c:563
>  really_probe+0x3f3/0xa70 drivers/base/dd.c:541
>
> In ipmi_ipmb_probe(), 'iidev->intf' is not set before ipmi_register_smi() success.
> And in the error handling case, ipmi_ipmb_remove() is called to release resources,
> ipmi_unregister_smi() is called without check 'iidev->intf', this will cause KASAN
> null-ptr-deref issue.
>
> Fix by adding NULL check prior to calling ipmi_unregister_smi().

This bug is valid, but I'd like to fix it another way.
General kernel style is to allow NULL to be passed into these sorts of things and just return if it's NULL. So I've fixed it that way. Fix is in linux-next.

Thanks,

-corey

> > Fixes: 57c9e3c9a374 ("ipmi:ipmi_ipmb: Unregister the SMI on remove") > Reported-by: Hulk Robot > Signed-off-by: Wei Yongjun > --- > drivers/char/ipmi/ipmi_ipmb.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/drivers/char/ipmi/ipmi_ipmb.c b/drivers/char/ipmi/ipmi_ipmb.c > index b81b862532fb..ea8fdb5ecfc9 100644 > --- a/drivers/char/ipmi/ipmi_ipmb.c > +++ b/drivers/char/ipmi/ipmi_ipmb.c > @@ -437,7 +437,8 @@ static int ipmi_ipmb_remove(struct i2c_client *client) > iidev->client = NULL; > ipmi_ipmb_stop_thread(iidev); > > - ipmi_unregister_smi(iidev->intf); > + if (iidev->intf) > + ipmi_unregister_smi(iidev->intf); > > return 0; > } > -- > 2.25.1 >
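
Review bot: The 'if (iidev->intf)' guard added in ipmi_ipmb_remove() protects only this one call site, so any other caller that reaches ipmi_unregister_smi() with a NULL interface would still hit the dereference KASAN reported at ipmi_msghandler.c:3680. Consider putting the check at the top of ipmi_unregister_smi() itself, returning early when the argument is NULL, and leaving the call here unconditional; that is the approach the maintainer's reply describes. Separately, the two context lines above the guard ('iidev->client = NULL;' and 'ipmi_ipmb_stop_thread(iidev);') still run unconditionally on the probe error path shown in the call trace, so it is worth confirming they are also safe when probe fails before ipmi_register_smi() succeeds.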