From: Easwar Hariharan <eahariha@linux.microsoft.com>
To: Louis-Alexis Eyraud <louisalexis.eyraud@collabora.com>
Cc: Dmitry Torokhov <dmitry.torokhov@gmail.com>,
	Matthias Brugger <matthias.bgg@gmail.com>,
	AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>,
	eahariha@linux.microsoft.com, kernel@collabora.com,
	linux-input@vger.kernel.org, linux-kernel@vger.kernel.org,
	linux-arm-kernel@lists.infradead.org,
	linux-mediatek@lists.infradead.org
Subject: Re: [PATCH] Input: mtk-pmic-keys: Fix null pointer dereference when no compatible data
Date: Mon, 30 Jun 2025 13:18:40 -0700
Message-ID: <41f3cc74-694e-41be-b767-20c7561990b8@linux.microsoft.com>
In-Reply-To: <20250630-mtk-pmic-keys-fix-crash-v1-1-e47351fa9d1f@collabora.com>

On 6/30/2025 7:03 AM, Louis-Alexis Eyraud wrote:
> In mtk_pmic_keys_probe function, the of_match_device function is
> called to retrieve the compatible platform device info but its return
> data pointer is not checked. It can lead to a null pointer dereference
> later when accessing the data field, if of_match_device returned a null
> pointer. So, add a pointer check after calling of_match_device function
> and return an EINVAL error in null case.
>
> Signed-off-by: Louis-Alexis Eyraud <louisalexis.eyraud@collabora.com>
> ---
> This patch fixes a NULL pointer dereference that occurs during the
> mtk_pmic_keys driver probe and observed at least on Mediatek Genio
> 1200-EVK board with a kernel based on linux-next (tag: 20250630),
> when it is configured to have mtk_pmic_keys driver as builtin
> (CONFIG_KEYBOARD_MTK_PMIC=y):
> ```
> Unable to handle kernel NULL pointer dereference at virtual address
> 00000000000000c0
> Mem abort info:
> ESR = 0x0000000096000004
> EC = 0x25: DABT (current EL), IL = 32 bits
> SET = 0, FnV = 0
> EA = 0, S1PTW = 0
> FSC = 0x04: level 0 translation fault
> Data abort info:
> ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
> CM = 0, WnR = 0, TnD = 0, TagAccess = 0
> GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
> [00000000000000c0] user address but active_mm is swapper
> Internal error: Oops: 0000000096000004 [#1] SMP
> Modules linked in:
> CPU: 4 UID: 0 PID: 1 Comm: swapper/0 Not tainted
> 6.16.0-rc4-next-20250630-00001-gea99c662a089 #145 PREEMPT
> Hardware name: MediaTek Genio 1200 EVK-P1V2-EMMC (DT)
> pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
> pc : mtk_pmic_keys_probe+0x94/0x500
> lr : mtk_pmic_keys_probe+0x78/0x500
> sp : ffff80008275bb30
> x29: ffff80008275bb70 x28: ffff80008202bbb0 x27: ffff800081df00b0
> x26: ffff800081ef9060 x25: ffff0000c6fcf400 x24: 0000000000000000
> x23: 0000000000000000 x22: ffff0000c6fcf410 x21: ffff0000c09f8480
> x20: ffff0000c09f4b80 x19: 0000000000000000 x18: 00000000ffffffff
> x17: ffff8000824cb228 x16: 00000000d7fcbc9e x15: ffff0000c0a2b274
> x14: ffff80008275bad0 x13: ffff0000c0a2ba1c x12: 786d692d696d6373
> x11: 0000000000000040 x10: 0000000000000001 x9 : 0000000000000000
> x8 : ffff0000c09f8500 x7 : 0000000000000000 x6 : 000000000000003f
> x5 : 0000000000000040 x4 : ffff0000c6fcf410 x3 : ffff0000c6fcf6c0
> x2 : ffff0000c09f8400 x1 : ffff0000c36da000 x0 : ffff0000c6fcf410
> Call trace:
> mtk_pmic_keys_probe+0x94/0x500 (P)
> platform_probe+0x68/0xdc
> really_probe+0xbc/0x2c0
> __driver_probe_device+0x78/0x120
> driver_probe_device+0x3c/0x154
> __driver_attach+0x90/0x1a0
> bus_for_each_dev+0x7c/0xdc
> driver_attach+0x24/0x30
> bus_add_driver+0xe4/0x208
> driver_register+0x68/0x130
> __platform_driver_register+0x24/0x30
> pmic_keys_pdrv_init+0x1c/0x28
> do_one_initcall+0x60/0x1d4
> kernel_init_freeable+0x24c/0x2b4
> kernel_init+0x20/0x140
> ret_from_fork+0x10/0x20
> Code: aa1603e0 f90006b6 f9400681 f9000aa1 (f9406261)
> ---[ end trace 0000000000000000 ]---
> ```
> ---
> drivers/input/keyboard/mtk-pmic-keys.c | 3 +++
> 1 file changed, 3 insertions(+)

It's preferred to have the stack trace in the commit message body rather than below
the cut line to allow for searching for the oops message in git history.

Also, it may make sense to CC: stable@vger.kernel.org for backports.

Thanks,
Easwar (he/him)
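
Added example, not part of the thread or of the driver: a userland C triage helper that decodes the faulting instruction word from the "Code:" line of the quoted oops and compares the resulting offset with the position of the data field in struct of_device_id. The struct mirror is an assumption reproduced from include/linux/mod_devicetable.h, and the helper names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Userland mirror of the kernel's struct of_device_id; layout reproduced
 * here as an assumption, not taken from the page. */
struct of_device_id_mirror {
    char name[32];
    char type[32];
    char compatible[128];
    const void *data;
};

struct ldr_x_uoff { int valid; unsigned rt, rn; uint64_t offset; };

/* Decode an A64 "LDR Xt, [Xn, #imm]" (64-bit load, unsigned scaled offset). */
static struct ldr_x_uoff decode_ldr_x_uoff(uint32_t insn)
{
    struct ldr_x_uoff d = {0, 0, 0, 0};
    if ((insn & 0xFFC00000u) != 0xF9400000u)
        return d;                                    /* some other encoding */
    d.valid = 1;
    d.rt = insn & 0x1F;                              /* destination register */
    d.rn = (insn >> 5) & 0x1F;                       /* base register */
    d.offset = (uint64_t)((insn >> 10) & 0xFFF) * 8; /* imm12 scaled by 8 */
    return d;
}

/* Address the load touches, given the base register value from the dump. */
static uint64_t fault_address(struct ldr_x_uoff d, uint64_t base)
{
    return base + d.offset;
}

int main(void)
{
    /* Copied from the quoted oops: the word in parentheses on the "Code:"
     * line is the faulting instruction; x19 comes from the register dump. */
    uint32_t insn = 0xf9406261u;
    uint64_t x19 = 0x0;
    struct ldr_x_uoff d = decode_ldr_x_uoff(insn);

    printf("ldr x%u, [x%u, #0x%llx]\n", d.rt, d.rn, (unsigned long long)d.offset);
    printf("fault address:  0x%llx\n", (unsigned long long)fault_address(d, x19));
    printf("offsetof(data): 0x%zx\n", offsetof(struct of_device_id_mirror, data));
    return 0;
}
```

The decoded load reads from x19 + 0xc0 with x19 equal to zero, and 0xc0 is also the offset of data in the mirrored struct, which is consistent with the quoted description of an unchecked of_match_device result whose data field is then read.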