Re: [PATCH 4/4] intel_th: Fix a NULL dereference when hub driver is not loaded

[Sasha Levin]

Hi

[This is an automated email]

This commit has been processed because it contains a "Fixes:" tag
fixing commit: 39f4034693b7 ("intel_th: Add driver infrastructure for Intel(R) 
Trace Hub devices").

The bot has tested the following trees: v5.7.7, v5.4.50, v4.19.131, v4.14.187, 
v4.9.229, v4.4.229.

v5.7.7: Build OK!
v5.4.50: Build OK!
v4.19.131: Build OK!
v4.14.187: Failed to apply! Possible dependencies:
c2d2c7de972d7 ("intel_th: Don't touch switch routing in host mode")

v4.9.229: Failed to apply! Possible dependencies:
c2d2c7de972d7 ("intel_th: Don't touch switch routing in host mode")

v4.4.229: Failed to apply! Possible dependencies:
c2d2c7de972d7 ("intel_th: Don't touch switch routing in host mode")


NOTE: The patch will not be queued to stable trees until it is upstream.

How should we proceed with this patch?

-- 
Thanks
Sasha

[PATCH 4/4] intel_th: Fix a NULL dereference when hub driver is not loaded

[Alexander Shishkin]

Connecting master to an output port when GTH driver module is not loaded
triggers a NULL dereference:

> RIP: 0010:intel_th_set_output+0x35/0x70 [intel_th]
> Call Trace:
>  ? sth_stm_link+0x12/0x20 [intel_th_sth]
>  stm_source_link_store+0x164/0x270 [stm_core]
>  dev_attr_store+0x17/0x30
>  sysfs_kf_write+0x3e/0x50
>  kernfs_fop_write+0xda/0x1b0
>  __vfs_write+0x1b/0x40
>  vfs_write+0xb9/0x1a0
>  ksys_write+0x67/0xe0
>  __x64_sys_write+0x1a/0x20
>  do_syscall_64+0x57/0x1d0
>  entry_SYSCALL_64_after_hwframe+0x44/0xa9

Make sure the module in question is loaded and return an error if not.

Signed-off-by: Alexander Shishkin 
Fixes: 39f4034693b7c ("intel_th: Add driver infrastructure for Intel(R) Trace 
Hub devices")
Reviewed-by: Andy Shevchenko 
Reported-by: Ammy Yi 
Tested-by: Ammy Yi 
Cc: sta...@vger.kernel.org # v4.4
---
 drivers/hwtracing/intel_th/core.c | 21 ++---
 drivers/hwtracing/intel_th/sth.c  |  4 +---
 2 files changed, 19 insertions(+), 6 deletions(-)

diff --git a/drivers/hwtracing/intel_th/core.c 
b/drivers/hwtracing/intel_th/core.c
index ca232ec565e8..c9ac3dc65113 100644
--- a/drivers/hwtracing/intel_th/core.c
+++ b/drivers/hwtracing/intel_th/core.c
@@ -1021,15 +1021,30 @@ int intel_th_set_output(struct intel_th_device *thdev,
 {
struct intel_th_device *hub = to_intel_th_hub(thdev);
struct intel_th_driver *hubdrv = to_intel_th_driver(hub->dev.driver);
+   int ret;
 
/* In host mode, this is up to the external debugger, do nothing. */
if (hub->host_mode)
return 0;
 
-   if (!hubdrv->set_output)
-   return -ENOTSUPP;
+   /*
+* hub is instantiated together with the source device that
+* calls here, so guaranteed to be present.
+*/
+   hubdrv = to_intel_th_driver(hub->dev.driver);
+   if (!hubdrv || !try_module_get(hubdrv->driver.owner))
+   return -EINVAL;
+
+   if (!hubdrv->set_output) {
+   ret = -ENOTSUPP;
+   goto out;
+   }
+
+   ret = hubdrv->set_output(hub, master);
 
-   return hubdrv->set_output(hub, master);
+out:
+   module_put(hubdrv->driver.owner);
+   return ret;
 }
 EXPORT_SYMBOL_GPL(intel_th_set_output);
 
diff --git a/drivers/hwtracing/intel_th/sth.c b/drivers/hwtracing/intel_th/sth.c
index 3a1f4e650378..a1529f571491 100644
--- a/drivers/hwtracing/intel_th/sth.c
+++ b/drivers/hwtracing/intel_th/sth.c
@@ -161,9 +161,7 @@ static int sth_stm_link(struct stm_data *stm_data, unsigned 
int master,
 {
struct sth_device *sth = container_of(stm_data, struct sth_device, stm);
 
-   intel_th_set_output(to_intel_th_device(sth->dev), master);
-
-   return 0;
+   return intel_th_set_output(to_intel_th_device(sth->dev), master);
 }
 
 static int intel_th_sw_init(struct sth_device *sth)
-- 
2.27.0