From: Rand Deeb rand.sec96@gmail.com
[ Upstream commit 789c17185fb0f39560496c2beab9b57ce1d0cbe7 ]
The ssb_device_uevent() function first attempts to convert the 'dev' pointer to 'struct ssb_device *'. However, it mistakenly dereferences 'dev' before performing the NULL check, potentially leading to a NULL pointer dereference if 'dev' is NULL.
To fix this issue, move the NULL check before dereferencing the 'dev' pointer, ensuring that the pointer is valid before attempting to use it.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Signed-off-by: Rand Deeb rand.sec96@gmail.com Signed-off-by: Kalle Valo kvalo@kernel.org Link: https://msgid.link/20240306123028.164155-1-rand.sec96@gmail.com Signed-off-by: Jianqi Ren jianqi.ren.cn@windriver.com --- drivers/ssb/main.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/ssb/main.c b/drivers/ssb/main.c index d52e91258e98..aae50a5dfb57 100644 --- a/drivers/ssb/main.c +++ b/drivers/ssb/main.c @@ -341,11 +341,13 @@ static int ssb_bus_match(struct device *dev, struct device_driver *drv)
static int ssb_device_uevent(struct device *dev, struct kobj_uevent_env *env) { - struct ssb_device *ssb_dev = dev_to_ssb_dev(dev); + struct ssb_device *ssb_dev;
if (!dev) return -ENODEV;
+ ssb_dev = dev_to_ssb_dev(dev); + return add_uevent_var(env, "MODALIAS=ssb:v%04Xid%04Xrev%02X", ssb_dev->id.vendor, ssb_dev->id.coreid,
[ Sasha's backport helper bot ]
Hi,
The upstream commit SHA1 provided is correct: 789c17185fb0f39560496c2beab9b57ce1d0cbe7
WARNING: Author mismatch between patch and upstream commit: Backport author: jianqi.ren.cn@windriver.com Commit author: Rand Deeb rand.sec96@gmail.com
Status in newer kernel trees: 6.12.y | Present (exact SHA1) 6.6.y | Present (different SHA1: c5dc2d8eb398) 6.1.y | Not found
Note: The patch differs from the upstream commit: --- 1: 789c17185fb0f ! 1: c1a673cbf296f ssb: Fix potential NULL pointer dereference in ssb_device_uevent() @@ Metadata ## Commit message ## ssb: Fix potential NULL pointer dereference in ssb_device_uevent()
+ [ Upstream commit 789c17185fb0f39560496c2beab9b57ce1d0cbe7 ] + The ssb_device_uevent() function first attempts to convert the 'dev' pointer to 'struct ssb_device *'. However, it mistakenly dereferences 'dev' before performing the NULL check, potentially leading to a NULL pointer @@ Commit message Signed-off-by: Rand Deeb rand.sec96@gmail.com Signed-off-by: Kalle Valo kvalo@kernel.org Link: https://msgid.link/20240306123028.164155-1-rand.sec96@gmail.com + Signed-off-by: Jianqi Ren jianqi.ren.cn@windriver.com
## drivers/ssb/main.c ## @@ drivers/ssb/main.c: static int ssb_bus_match(struct device *dev, struct device_driver *drv)
- static int ssb_device_uevent(const struct device *dev, struct kobj_uevent_env *env) + static int ssb_device_uevent(struct device *dev, struct kobj_uevent_env *env) { -- const struct ssb_device *ssb_dev = dev_to_ssb_dev(dev); -+ const struct ssb_device *ssb_dev; +- struct ssb_device *ssb_dev = dev_to_ssb_dev(dev); ++ struct ssb_device *ssb_dev;
if (!dev) return -ENODEV; ---
Results of testing on various branches:
| Branch | Patch Apply | Build Test | |---------------------------|-------------|------------| | stable/linux-6.1.y | Success | Success |
linux-stable-mirror@lists.linaro.org