linux-input.vger.kernel.org archive mirror
* HID: picolcd: Prevent NULL pointer dereference on _remove()
@ 2013-08-31 12:07 Bruno Prémont
  2013-09-02 11:37 ` Jiri Kosina
  0 siblings, 1 reply; 2+ messages in thread
From: Bruno Prémont @ 2013-08-31 12:07 UTC
  To: Jiri Kosina; +Cc: linux-input

When picolcd is switched into bootloader mode (for FW flashing) make
sure not to try to dereference NULL-pointers of feature-devices during
unplug/unbind.

This fixes the following BUG:
  BUG: unable to handle kernel NULL pointer dereference at 00000298
  IP: [<f811f56b>] picolcd_exit_framebuffer+0x1b/0x80 [hid_picolcd]
  *pde = 00000000
  Oops: 0000 [#1]
  Modules linked in: hid_picolcd syscopyarea sysfillrect sysimgblt fb_sys_fops
  CPU: 0 PID: 15 Comm: khubd Not tainted 3.11.0-rc7-00002-g50d62d4 #2
  EIP: 0060:[<f811f56b>] EFLAGS: 00010292 CPU: 0
  EIP is at picolcd_exit_framebuffer+0x1b/0x80 [hid_picolcd]
  Call Trace:
   [<f811d1ab>] picolcd_remove+0xcb/0x120 [hid_picolcd]
   [<c1469b09>] hid_device_remove+0x59/0xc0
   [<c13464ca>] __device_release_driver+0x5a/0xb0
   [<c134653f>] device_release_driver+0x1f/0x30
   [<c134603d>] bus_remove_device+0x9d/0xd0
   [<c13439a5>] device_del+0xd5/0x150
   [<c14696a4>] hid_destroy_device+0x24/0x60
   [<c1474cbb>] usbhid_disconnect+0x1b/0x40
   ...

Signed-off-by: Bruno Prémont <bonbons@linux-vserver.org>
Cc: stable@kernel.org
---
 drivers/hid/hid-picolcd_cir.c | 3 ++-
 drivers/hid/hid-picolcd_fb.c  | 6 +++++-
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/drivers/hid/hid-picolcd_cir.c b/drivers/hid/hid-picolcd_cir.c
index e346038..59d5eb1 100644
--- a/drivers/hid/hid-picolcd_cir.c
+++ b/drivers/hid/hid-picolcd_cir.c
@@ -145,6 +145,7 @@ void picolcd_exit_cir(struct picolcd_data *data)
 	struct rc_dev *rdev = data->rc_dev;
 
 	data->rc_dev = NULL;
-	rc_unregister_device(rdev);
+	if (rdev)
+		rc_unregister_device(rdev);
 }
 
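Review bot: The `if (rdev)` guard in picolcd_exit_cir() is not backed by the oops quoted in the commit message, which faults only in picolcd_exit_framebuffer(); the message should state that data->rc_dev is likewise left NULL in bootloader mode, so the stable backport rationale covers this file too. For consistency with the framebuffer hunk, consider an early `if (!rdev) return;` ahead of `data->rc_dev = NULL;`, which keeps the teardown path flat if more cleanup is added here later.
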
diff --git a/drivers/hid/hid-picolcd_fb.c b/drivers/hid/hid-picolcd_fb.c
index 591f6b2..c930ab8 100644
--- a/drivers/hid/hid-picolcd_fb.c
+++ b/drivers/hid/hid-picolcd_fb.c
@@ -593,10 +593,14 @@ err_nomem:
 void picolcd_exit_framebuffer(struct picolcd_data *data)
 {
 	struct fb_info *info = data->fb_info;
-	struct picolcd_fb_data *fbdata = info->par;
+	struct picolcd_fb_data *fbdata;
 	unsigned long flags;
 
+	if (!info)
+		return;
+
 	device_remove_file(&data->hdev->dev, &dev_attr_fb_update_rate);
+	fbdata = info->par;
 
 	/* disconnect framebuffer from HID dev */
 	spin_lock_irqsave(&fbdata->lock, flags);
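
Review bot: The early `if (!info) return;` in picolcd_exit_framebuffer() also skips `device_remove_file(&data->hdev->dev, &dev_attr_fb_update_rate);`, so it is correct only if that sysfs attribute is created exclusively when data->fb_info is set up. That is not visible in this hunk and deserves a one-line comment above the check saying that fb_info is NULL in bootloader mode and no attribute was registered. Separately, `fbdata = info->par;` now sits after the device_remove_file() call; moving it directly below the NULL check would keep the dereference next to the guard that makes it safe.
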
-- 
1.8.1.5

--
To unsubscribe from this list: send the line "unsubscribe linux-input" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

* Re: HID: picolcd: Prevent NULL pointer dereference on _remove()
  2013-08-31 12:07 HID: picolcd: Prevent NULL pointer dereference on _remove() Bruno Prémont
@ 2013-09-02 11:37 ` Jiri Kosina
  0 siblings, 0 replies; 2+ messages in thread
From: Jiri Kosina @ 2013-09-02 11:37 UTC
  To: Bruno Prémont; +Cc: linux-input

On Sat, 31 Aug 2013, Bruno Prémont wrote:

> When picolcd is switched into bootloader mode (for FW flashing) make
> sure not to try to dereference NULL-pointers of feature-devices during
> unplug/unbind.
> 
> This fixes the following BUG:
>   BUG: unable to handle kernel NULL pointer dereference at 00000298
>   IP: [<f811f56b>] picolcd_exit_framebuffer+0x1b/0x80 [hid_picolcd]
>   *pde = 00000000
>   Oops: 0000 [#1]
>   Modules linked in: hid_picolcd syscopyarea sysfillrect sysimgblt fb_sys_fops
>   CPU: 0 PID: 15 Comm: khubd Not tainted 3.11.0-rc7-00002-g50d62d4 #2
>   EIP: 0060:[<f811f56b>] EFLAGS: 00010292 CPU: 0
>   EIP is at picolcd_exit_framebuffer+0x1b/0x80 [hid_picolcd]
>   Call Trace:
>    [<f811d1ab>] picolcd_remove+0xcb/0x120 [hid_picolcd]
>    [<c1469b09>] hid_device_remove+0x59/0xc0
>    [<c13464ca>] __device_release_driver+0x5a/0xb0
>    [<c134653f>] device_release_driver+0x1f/0x30
>    [<c134603d>] bus_remove_device+0x9d/0xd0
>    [<c13439a5>] device_del+0xd5/0x150
>    [<c14696a4>] hid_destroy_device+0x24/0x60
>    [<c1474cbb>] usbhid_disconnect+0x1b/0x40
>    ...
> 
> Signed-off-by: Bruno Prémont <bonbons@linux-vserver.org>
> Cc: stable@kernel.org
> ---
>  drivers/hid/hid-picolcd_cir.c | 3 ++-
>  drivers/hid/hid-picolcd_fb.c  | 6 +++++-
>  2 files changed, 7 insertions(+), 2 deletions(-)

Applied, thanks Bruno.

-- 
Jiri Kosina
SUSE Labs