From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Marc Zyngier <maz@kernel.org>,
Vinod Koul <vkoul@kernel.org>, Sasha Levin <sashal@kernel.org>
Subject: [PATCH 4.9 21/42] phy: tegra: xusb: Fix dangling pointer on probe failure
Date: Tue, 1 Dec 2020 09:53:19 +0100 [thread overview]
Message-ID: <20201201084643.696079174@linuxfoundation.org> (raw)
In-Reply-To: <20201201084642.194933793@linuxfoundation.org>
From: Marc Zyngier <maz@kernel.org>
[ Upstream commit eb9c4dd9bdfdebaa13846c16a8c79b5b336066b6 ]
If, for some reason, the xusb PHY fails to probe, it leaves
a dangling pointer attached to the platform device structure.
This would normally be harmless, but the Tegra XHCI driver then
goes and extract that pointer from the PHY device. Things go
downhill from there:
8.752082] [004d554e5145533c] address between user and kernel address ranges
[ 8.752085] Internal error: Oops: 96000004 [#1] PREEMPT SMP
[ 8.752088] Modules linked in: max77620_regulator(E+) xhci_tegra(E+) sdhci_tegra(E+) xhci_hcd(E) sdhci_pltfm(E) cqhci(E) fixed(E) usbcore(E) scsi_mod(E) sdhci(E) host1x(E+)
[ 8.752103] CPU: 4 PID: 158 Comm: systemd-udevd Tainted: G S W E 5.9.0-rc7-00298-gf6337624c4fe #1980
[ 8.752105] Hardware name: NVIDIA Jetson TX2 Developer Kit (DT)
[ 8.752108] pstate: 20000005 (nzCv daif -PAN -UAO BTYPE=--)
[ 8.752115] pc : kobject_put+0x1c/0x21c
[ 8.752120] lr : put_device+0x20/0x30
[ 8.752121] sp : ffffffc012eb3840
[ 8.752122] x29: ffffffc012eb3840 x28: ffffffc010e82638
[ 8.752125] x27: ffffffc008d56440 x26: 0000000000000000
[ 8.752128] x25: ffffff81eb508200 x24: 0000000000000000
[ 8.752130] x23: ffffff81eb538800 x22: 0000000000000000
[ 8.752132] x21: 00000000fffffdfb x20: ffffff81eb538810
[ 8.752134] x19: 3d4d554e51455300 x18: 0000000000000020
[ 8.752136] x17: ffffffc008d00270 x16: ffffffc008d00c94
[ 8.752138] x15: 0000000000000004 x14: ffffff81ebd4ae90
[ 8.752140] x13: 0000000000000000 x12: ffffff81eb86a4e8
[ 8.752142] x11: ffffff81eb86a480 x10: ffffff81eb862fea
[ 8.752144] x9 : ffffffc01055fb28 x8 : ffffff81eb86a4a8
[ 8.752146] x7 : 0000000000000001 x6 : 0000000000000001
[ 8.752148] x5 : ffffff81dff8bc38 x4 : 0000000000000000
[ 8.752150] x3 : 0000000000000001 x2 : 0000000000000001
[ 8.752152] x1 : 0000000000000002 x0 : 3d4d554e51455300
[ 8.752155] Call trace:
[ 8.752157] kobject_put+0x1c/0x21c
[ 8.752160] put_device+0x20/0x30
[ 8.752164] tegra_xusb_padctl_put+0x24/0x3c
[ 8.752170] tegra_xusb_probe+0x8b0/0xd10 [xhci_tegra]
[ 8.752174] platform_drv_probe+0x60/0xb4
[ 8.752176] really_probe+0xf0/0x504
[ 8.752179] driver_probe_device+0x100/0x170
[ 8.752181] device_driver_attach+0xcc/0xd4
[ 8.752183] __driver_attach+0xb0/0x17c
[ 8.752185] bus_for_each_dev+0x7c/0xd4
[ 8.752187] driver_attach+0x30/0x3c
[ 8.752189] bus_add_driver+0x154/0x250
[ 8.752191] driver_register+0x84/0x140
[ 8.752193] __platform_driver_register+0x54/0x60
[ 8.752197] tegra_xusb_init+0x40/0x1000 [xhci_tegra]
[ 8.752201] do_one_initcall+0x54/0x2d0
[ 8.752205] do_init_module+0x68/0x29c
[ 8.752207] load_module+0x2178/0x26c0
[ 8.752209] __do_sys_finit_module+0xb0/0x120
[ 8.752211] __arm64_sys_finit_module+0x2c/0x40
[ 8.752215] el0_svc_common.constprop.0+0x80/0x240
[ 8.752218] do_el0_svc+0x30/0xa0
[ 8.752220] el0_svc+0x18/0x50
[ 8.752223] el0_sync_handler+0x90/0x318
[ 8.752225] el0_sync+0x158/0x180
[ 8.752230] Code: a9bd7bfd 910003fd a90153f3 aa0003f3 (3940f000)
[ 8.752232] ---[ end trace 90f6c89d62d85ff5 ]---
Reset the pointer on probe failure fixes the issue.
Fixes: 53d2a715c2403 ("phy: Add Tegra XUSB pad controller support")
Signed-off-by: Marc Zyngier <maz@kernel.org>
Link: https://lore.kernel.org/r/20201013095820.311376-1-maz@kernel.org
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/phy/tegra/xusb.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/phy/tegra/xusb.c b/drivers/phy/tegra/xusb.c
index bd0e659002161..0156134dd022d 100644
--- a/drivers/phy/tegra/xusb.c
+++ b/drivers/phy/tegra/xusb.c
@@ -916,6 +916,7 @@ remove_pads:
reset:
reset_control_assert(padctl->rst);
remove:
+ platform_set_drvdata(pdev, NULL);
soc->ops->remove(padctl);
return err;
}
--
2.27.0
next prev parent reply other threads:[~2020-12-01 8:55 UTC|newest]
Thread overview: 46+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-12-01 8:52 [PATCH 4.9 00/42] 4.9.247-rc1 review Greg Kroah-Hartman
2020-12-01 8:52 ` [PATCH 4.9 01/42] perf event: Check ref_reloc_sym before using it Greg Kroah-Hartman
2020-12-01 8:53 ` [PATCH 4.9 02/42] mm/userfaultfd: do not access vma->vm_mm after calling handle_userfault() Greg Kroah-Hartman
2020-12-01 8:53 ` [PATCH 4.9 03/42] btrfs: fix lockdep splat when reading qgroup config on mount Greg Kroah-Hartman
2020-12-01 8:53 ` [PATCH 4.9 04/42] PCI: Add device even if driver attach failed Greg Kroah-Hartman
2020-12-01 8:53 ` [PATCH 4.9 05/42] btrfs: tree-checker: Enhance chunk checker to validate chunk profile Greg Kroah-Hartman
2020-12-01 8:53 ` [PATCH 4.9 06/42] btrfs: inode: Verify inode mode to avoid NULL pointer dereference Greg Kroah-Hartman
2020-12-01 8:53 ` [PATCH 4.9 07/42] KVM: x86: Fix split-irqchip vs interrupt injection window request Greg Kroah-Hartman
2020-12-01 8:53 ` [PATCH 4.9 08/42] arm64: pgtable: Fix pte_accessible() Greg Kroah-Hartman
2020-12-01 8:53 ` [PATCH 4.9 09/42] ALSA: hda/hdmi: Use single mutex unlock in error paths Greg Kroah-Hartman
2020-12-01 8:53 ` [PATCH 4.9 10/42] ALSA: hda/hdmi: fix incorrect locking in hdmi_pcm_close Greg Kroah-Hartman
2020-12-01 8:53 ` [PATCH 4.9 11/42] HID: cypress: Support Varmilo Keyboards media hotkeys Greg Kroah-Hartman
2020-12-01 8:53 ` [PATCH 4.9 12/42] Input: i8042 - allow insmod to succeed on devices without an i8042 controller Greg Kroah-Hartman
2020-12-01 8:53 ` [PATCH 4.9 13/42] HID: hid-sensor-hub: Fix issue with devices with no report ID Greg Kroah-Hartman
2020-12-01 8:53 ` [PATCH 4.9 14/42] dmaengine: xilinx_dma: use readl_poll_timeout_atomic variant Greg Kroah-Hartman
2020-12-01 8:53 ` [PATCH 4.9 15/42] x86/xen: dont unbind uninitialized lock_kicker_irq Greg Kroah-Hartman
2020-12-01 8:53 ` [PATCH 4.9 16/42] proc: dont allow async path resolution of /proc/self components Greg Kroah-Hartman
2020-12-01 8:53 ` [PATCH 4.9 17/42] dmaengine: pl330: _prep_dma_memcpy: Fix wrong burst size Greg Kroah-Hartman
2020-12-01 8:53 ` [PATCH 4.9 18/42] scsi: libiscsi: Fix NOP race condition Greg Kroah-Hartman
2020-12-01 8:53 ` [PATCH 4.9 19/42] scsi: target: iscsi: Fix cmd abort fabric stop race Greg Kroah-Hartman
2020-12-01 8:53 ` [PATCH 4.9 20/42] perf/x86: fix sysfs type mismatches Greg Kroah-Hartman
2020-12-01 8:53 ` Greg Kroah-Hartman [this message]
2020-12-01 8:53 ` [PATCH 4.9 22/42] batman-adv: set .owner to THIS_MODULE Greg Kroah-Hartman
2020-12-01 8:53 ` [PATCH 4.9 23/42] scsi: ufs: Fix race between shutdown and runtime resume flow Greg Kroah-Hartman
2020-12-01 8:53 ` [PATCH 4.9 24/42] bnxt_en: fix error return code in bnxt_init_board() Greg Kroah-Hartman
2020-12-01 8:53 ` [PATCH 4.9 25/42] video: hyperv_fb: Fix the cache type when mapping the VRAM Greg Kroah-Hartman
2020-12-01 8:53 ` [PATCH 4.9 26/42] bnxt_en: Release PCI regions when DMA mask setup fails during probe Greg Kroah-Hartman
2020-12-01 8:53 ` [PATCH 4.9 27/42] IB/mthca: fix return value of error branch in mthca_init_cq() Greg Kroah-Hartman
2020-12-01 8:53 ` [PATCH 4.9 28/42] nfc: s3fwrn5: use signed integer for parsing GPIO numbers Greg Kroah-Hartman
2020-12-01 8:53 ` [PATCH 4.9 29/42] net: ena: set initial DMA width to avoid intel iommu issue Greg Kroah-Hartman
2020-12-01 8:53 ` [PATCH 4.9 30/42] ibmvnic: fix NULL pointer dereference in ibmvic_reset_crq Greg Kroah-Hartman
2020-12-01 8:53 ` [PATCH 4.9 31/42] efivarfs: revert "fix memory leak in efivarfs_create()" Greg Kroah-Hartman
2020-12-01 8:53 ` [PATCH 4.9 32/42] can: gs_usb: fix endianess problem with candleLight firmware Greg Kroah-Hartman
2020-12-01 8:53 ` [PATCH 4.9 33/42] platform/x86: toshiba_acpi: Fix the wrong variable assignment Greg Kroah-Hartman
2020-12-01 8:53 ` [PATCH 4.9 34/42] perf probe: Fix to die_entrypc() returns error correctly Greg Kroah-Hartman
2020-12-01 8:53 ` [PATCH 4.9 35/42] USB: core: Change %pK for __user pointers to %px Greg Kroah-Hartman
2020-12-01 8:53 ` [PATCH 4.9 36/42] usb: gadget: f_midi: Fix memleak in f_midi_alloc Greg Kroah-Hartman
2020-12-01 8:53 ` [PATCH 4.9 37/42] usb: gadget: Fix memleak in gadgetfs_fill_super Greg Kroah-Hartman
2020-12-01 8:53 ` [PATCH 4.9 38/42] x86/speculation: Fix prctl() when spectre_v2_user={seccomp,prctl},ibpb Greg Kroah-Hartman
2020-12-01 8:53 ` [PATCH 4.9 39/42] regulator: avoid resolve_supply() infinite recursion Greg Kroah-Hartman
2020-12-01 8:53 ` [PATCH 4.9 40/42] regulator: workaround self-referent regulators Greg Kroah-Hartman
2020-12-01 8:53 ` [PATCH 4.9 41/42] USB: core: add endpoint-blacklist quirk Greg Kroah-Hartman
2020-12-01 8:53 ` [PATCH 4.9 42/42] USB: core: Fix regression in Hercules audio card Greg Kroah-Hartman
2020-12-01 21:39 ` [PATCH 4.9 00/42] 4.9.247-rc1 review Guenter Roeck
2020-12-02 6:14 ` Naresh Kamboju
2020-12-02 17:04 ` Shuah Khan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20201201084643.696079174@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=maz@kernel.org \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
--cc=vkoul@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).