From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: "Greg Kroah-Hartman" <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, "Jonathan Bakker" <xc-racer2@live.ca>,
"Paweł Chmiel" <pawel.mikolaj.chmiel@gmail.com>,
"Dmitry Torokhov" <dmitry.torokhov@gmail.com>
Subject: [PATCH 4.20 67/92] Input: bma150 - register input device after setting private data
Date: Mon, 18 Feb 2019 14:43:10 +0100
Message-ID: <20190218133501.169969448@linuxfoundation.org>
In-Reply-To: <20190218133454.668268457@linuxfoundation.org>
4.20-stable review patch. If anyone has any objections, please let me know.

------------------

From: Jonathan Bakker <xc-racer2@live.ca>

commit 90cc55f067f6ca0e64e5e52883ece47d8af7b67b upstream.

Otherwise we introduce a race condition where userspace can request input
before we're ready leading to null pointer dereference such as
input: bma150 as /devices/platform/i2c-gpio-2/i2c-5/5-0038/input/input3
Unable to handle kernel NULL pointer dereference at virtual address 00000018
pgd = (ptrval)
[00000018] *pgd=55dac831, *pte=00000000, *ppte=00000000
Internal error: Oops: 17 [#1] PREEMPT ARM
Modules linked in: bma150 input_polldev [last unloaded: bma150]
CPU: 0 PID: 2870 Comm: accelerometer Not tainted 5.0.0-rc3-dirty #46
Hardware name: Samsung S5PC110/S5PV210-based board
PC is at input_event+0x8/0x60
LR is at bma150_report_xyz+0x9c/0xe0 [bma150]
pc : [<80450f70>] lr : [<7f0a614c>] psr: 800d0013
sp : a4c1fd78 ip : 00000081 fp : 00020000
r10: 00000000 r9 : a5e2944c r8 : a7455000
r7 : 00000016 r6 : 00000101 r5 : a7617940 r4 : 80909048
r3 : fffffff2 r2 : 00000000 r1 : 00000003 r0 : 00000000
Flags: Nzcv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none
Control: 10c5387d Table: 54e34019 DAC: 00000051
Process accelerometer (pid: 2870, stack limit = 0x(ptrval))
[<80450f70>] (input_event) from [<a5e2817c>] (0xa5e2817c)
Code: e1a08148 eaffffa8 e351001f 812fff1e (e590c018)
---[ end trace 1c691ee85f2ff243 ]---
Signed-off-by: Jonathan Bakker <xc-racer2@live.ca>
Signed-off-by: Paweł Chmiel <pawel.mikolaj.chmiel@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/input/misc/bma150.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
--- a/drivers/input/misc/bma150.c
+++ b/drivers/input/misc/bma150.c
@@ -481,13 +481,14 @@ static int bma150_register_input_device(
idev->close = bma150_irq_close;
input_set_drvdata(idev, bma150);
+ bma150->input = idev;
+
error = input_register_device(idev);
if (error) {
input_free_device(idev);
return error;
}
- bma150->input = idev;
return 0;
}
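Review bot: On the failure branch of this hunk, bma150->input is left pointing at idev after input_free_device(idev) has released it, because the assignment now sits above input_register_device() and nothing resets it when registration fails. Consider adding bma150->input = NULL; before return error, or confirming that the caller discards bma150 whenever this function returns an error, so that no later code can follow the stale pointer.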
@@ -510,15 +511,15 @@ static int bma150_register_polled_device
bma150_init_input_device(bma150, ipoll_dev->input);
+ bma150->input_polled = ipoll_dev;
+ bma150->input = ipoll_dev->input;
+
error = input_register_polled_device(ipoll_dev);
if (error) {
input_free_polled_device(ipoll_dev);
return error;
}
- bma150->input_polled = ipoll_dev;
- bma150->input = ipoll_dev->input;
-
return 0;
}
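Review bot: The two assignments now placed above input_register_polled_device() carry an ordering requirement that is not documented where it applies, so a later cleanup could move them back below the registration call and reintroduce the oops quoted in the commit message (PC at input_event, LR at bma150_report_xyz). A one-line comment above them saying the pointers must be set before the device becomes visible to userspace would protect the fix. The failure branch also leaves bma150->input_polled and bma150->input referring to ipoll_dev after input_free_polled_device(ipoll_dev); clearing both there would keep the structure consistent.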