Bug 196467 - Invalid freeing of resources in asus-wmi.c, introduced by commit 71050ae7bf83e4d71a859257d11adc5de517073e "platform/x86: asus-wmi: Detect quirk_no_rfkill from the DSDT"
Status: NEW
Alias: None
Product: Drivers
Classification: Unclassified
Component: Platform_x86
Hardware: i386 Linux
Importance: P1 high
Assignee: drivers_platform_x86@kernel-bugs.osdl.org
Keywords: trivial
Depends on:
Reported: 2017-07-24 17:29 UTC by red.f0xyz
Modified: 2018-05-31 16:54 UTC

See Also:
Kernel Version: 4.9.34
Regression: No
Bisected commit-id:

Attachments:
Kernel oops, NULL pointer dereference in mutex_lock (4.83 KB, text/plain), 2017-07-24 17:29 UTC, red.f0xyz
Proposed one-line patch (693 bytes, patch), 2017-07-24 17:31 UTC, red.f0xyz
platform/x86: asus-wmi: Fix NULL pointer dereference (5.15 KB, patch), 2018-04-07 01:52 UTC, João Paulo Rechi Vita

Description red.f0xyz 2017-07-24 17:29:10 UTC
Created attachment 257681 [details]
Kernel oops, NULL pointer dereference in mutex_lock

After updating from mainline linux 4.9.16 to 4.9.34, the wlan LED on my asus k65cm was rendered broken. It doesn't light up anymore. After some research I found out that the changed code in asus-wmi.c calls asus_wmi_rfkill_init() depending on the ASHS ACPI configuration, ignoring predefined quirks. The driver finds "ATK4001" on my system and hence doesn't call asus_wmi_rfkill_init() in asus_wmi_add(). However, it still calls asus_wmi_rfkill_exit() from asus_wmi_remove(), which in turn calls asus_rfkill_hotplug(). The latter tries to acquire mutexes, which should have been initialized by a preceding call to asus_wmi_rfkill_init(), which in my case was not done. This behaviour results in a kernel oops triggered by attempts to remove the asus-nb-wmi module (see attachment). The bug seems to persist in the most recent kernel versions.
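The init/exit asymmetry the report describes, as an added user-space model; this is not code from asus-wmi.c or from the reporter. The model_* types, rfkill_left_to_firmware(), run_cycle() and the MUTEX_MAGIC check are invented here to stand in for the driver's asus_wmi_rfkill_init()/asus_wmi_rfkill_exit() pair and the ASHS probe; taking a mutex that was never initialised is modelled as a -1 return rather than the oops it produces in the kernel. The guarded exit uses the same predicate that decides whether init runs, so the two paths cannot drift apart.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not driver code: a user-space model of the rfkill
 * init/exit pairing. Names are stand-ins for the asus-wmi functions.
 */

#define MUTEX_MAGIC 0x6d757478u  /* set only by model_mutex_init() */

struct model_mutex {
	unsigned int magic;
};

struct model_driver {
	bool wlan_ctrl_by_user;
};

struct model_asus {
	struct model_driver *driver;
	struct model_mutex hotplug_lock;  /* initialised only by rfkill_init() */
};

/* Stand-in for the DSDT probe: does the firmware expose an ASHS device? */
static bool model_ashs_present;

static void model_mutex_init(struct model_mutex *m)
{
	m->magic = MUTEX_MAGIC;
}

/* Returns -1 where the kernel would oops: the mutex was never initialised. */
static int model_mutex_lock(struct model_mutex *m)
{
	return m->magic == MUTEX_MAGIC ? 0 : -1;
}

/* One predicate shared by init and exit, so the two cannot diverge. */
static bool rfkill_left_to_firmware(const struct model_asus *asus)
{
	return asus->driver->wlan_ctrl_by_user && model_ashs_present;
}

/* Mirrors the teardown path that takes the lock (asus_rfkill_hotplug()). */
static int rfkill_hotplug(struct model_asus *asus)
{
	return model_mutex_lock(&asus->hotplug_lock);
}

static void rfkill_init(struct model_asus *asus)
{
	model_mutex_init(&asus->hotplug_lock);
}

/* The reported shape: unconditional teardown, regardless of what init did. */
static int rfkill_exit_unguarded(struct model_asus *asus)
{
	return rfkill_hotplug(asus);
}

/* Guarded shape: bail out under exactly the condition that skipped init. */
static int rfkill_exit_guarded(struct model_asus *asus)
{
	if (rfkill_left_to_firmware(asus))
		return 0;
	return rfkill_exit_unguarded(asus);
}

/* Run one probe/remove cycle: 0 on clean teardown, -1 where it would oops. */
static int run_cycle(bool ashs, bool ctrl_by_user, bool guarded_exit)
{
	struct model_driver drv = { .wlan_ctrl_by_user = ctrl_by_user };
	struct model_asus asus;

	memset(&asus, 0, sizeof(asus));  /* zeroed, like kzalloc() in probe */
	asus.driver = &drv;
	model_ashs_present = ashs;

	if (!rfkill_left_to_firmware(&asus))
		rfkill_init(&asus);

	return guarded_exit ? rfkill_exit_guarded(&asus)
			    : rfkill_exit_unguarded(&asus);
}

int main(void)
{
	printf("ASHS present, unguarded exit: %d\n", run_cycle(true, true, false));
	printf("ASHS present, guarded exit:   %d\n", run_cycle(true, true, true));
	printf("no ASHS, unguarded exit:      %d\n", run_cycle(false, true, false));
	return 0;
}
```

The first line of output is the reporter's case: init skipped because ASHS is present and wlan control is left to userspace, then an unconditional exit locks a mutex nobody initialised. The guarded variant returns cleanly for the same inputs, and both variants are fine whenever init actually ran.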
Comment 1 red.f0xyz 2017-07-24 17:31:58 UTC
Created attachment 257683 [details]
Proposed one-line patch
Comment 2 João Paulo Rechi Vita 2018-04-07 01:47:31 UTC
Good catch and analysis, although I believe we also need a similar fix on the call to asus_wmi_rfkill_exit() in asus_wmi_add(). Also, asus->driver->quirks->no_rfkill does not exist anymore, but I believe the problem is still present on current kernels.

Can you verify if the problem still happens on a recent kernel? Ideally either v4.16 or platform-drivers-x86/for-next. I don't have a machine where "wlan_ctrl_by_user = 1" anymore. If so, please attach an updated kernel panic log. Additionally, are you able to test if the following change fixes the problem (assuming you can reproduce it on a newer kernel)?

diff --git a/drivers/platform/x86/asus-wmi.c b/drivers/platform/x86/asus-wmi.c
index a32c5c00e0e7..6f0967611083 100644
--- a/drivers/platform/x86/asus-wmi.c
+++ b/drivers/platform/x86/asus-wmi.c
@@ -1025,6 +1025,9 @@ static int asus_new_rfkill(struct asus_wmi *asus,
 static void asus_wmi_rfkill_exit(struct asus_wmi *asus)
+       if (asus->driver->wlan_ctrl_by_user && ashs_present())
+               return;
        asus_unregister_rfkill_notifier(asus, "\\_SB.PCI0.P0P5");
        asus_unregister_rfkill_notifier(asus, "\\_SB.PCI0.P0P6");
        asus_unregister_rfkill_notifier(asus, "\\_SB.PCI0.P0P7");
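Review bot: the hunk is malformed as posted, so it cannot apply in this form: the header `@@ -1025,6 +1025,9 @@` promises three added lines but only two `+` lines follow, and the context line holding the function's opening `{` is missing, so `if (asus->driver->wlan_ctrl_by_user && ashs_present())` lands between `static void asus_wmi_rfkill_exit(struct asus_wmi *asus)` and the body. Regenerate it with git diff against the tree so the check sits inside the braces, and confirm ashs_present() is declared before this point in the file, since nothing in the hunk declares it. The guard itself is the right shape: it bails out of the exit path under the same condition that makes asus_wmi_add() skip asus_wmi_rfkill_init(), which is exactly the symmetry the report says is missing.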
Comment 3 João Paulo Rechi Vita 2018-04-07 01:52:57 UTC
Created attachment 275143 [details]
platform/x86: asus-wmi: Fix NULL pointer dereference
Comment 4 João Paulo Rechi Vita 2018-04-07 01:55:18 UTC
The change I suggested on Comment 2 is not complete (it will not build). Please use attachment 275143 [details] instead.
Comment 5 João Paulo Rechi Vita 2018-05-31 16:54:41 UTC
The attached patch has been merged to Linus' tree as commit 32ffd6e8d1. It would still be great to see testing results from the OP, but this can be closed as resolved.
