From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
To: Stephen Chandler Paul <cpaul@redhat.com>
Cc: aksgarg1989@gmail.com,
"linux-input@vger.kernel.org" <linux-input@vger.kernel.org>
Subject: Re: [PATCH] Input: Use for_each_set_bit where appropriate
Date: Sat, 19 Sep 2015 11:26:22 -0700
Message-ID: <20150919182622.GF7081@dtor-ws>
In-Reply-To: <1442520167.3355.13.camel@redhat.com>

On Thu, Sep 17, 2015 at 04:02:47PM -0400, Stephen Chandler Paul wrote:
> Hi! The currently upstream version of this patch actually breaks
> uinput, and causes the kernel to panic when attempting to run it under
> qemu using spice. Here's a backtrace from kdb:
>
> Stack traceback for pid 656
> 0xffff8800babed480 656 1 1 2 R 0xffff8800babefa80 *spice-vdagentd
> ffff88013747bd58 0000000000000018 ffff88013747bd80 ffff8800b7977000
> 0000000000000003 0000000000000001 0000000000000001 ffff8800b7977240
> ffff88013747bdc0 ffffffff8163f449 0000000000000286 0000000000000018
> Call Trace:
> [<ffffffff8163f449>] ? input_event+0x59/0x80
> [<ffffffffa0509234>] ? uinput_write+0x154/0x460 [uinput]
> [<ffffffffa00e704d>] ? port_fops_read+0xfd/0x1f0 [virtio_console]
> [<ffffffff81261627>] ? __vfs_write+0x37/0x100
> [<ffffffff81261ff9>] ? vfs_write+0xa9/0x1a0
> [<ffffffff81283386>] ? __fget_light+0x66/0x90
> [<ffffffff81262cf8>] ? SyS_write+0x58/0xd0
> [<ffffffff81833c72>] ? entry_SYSCALL_64_fastpath+0x12/0x76
>
> And the relevant messages from dmesg:
>
> <1>[ 15.064330] BUG: unable to handle kernel NULL pointer dereference at 0000000000000024
> <1>[ 15.064336] IP: [<ffffffff8163f142>] input_handle_event+0x232/0x4e0
> <4>[ 15.064343] PGD 0
> <4>[ 15.064345] Oops: 0000 [#1] SMP
>
> The steps for reproducing this are pretty simple: set up a Fedora 22 VM,
> build the latest kernel and install it with make install, and try to
> boot the machine and use it over spice with qemu. After moving the
> cursor it'll run into a NULL dereference and panic.
>
> I've tested reverting this commit, and that fixes the NULL dereference
> completely. I'm willing to git send-email you the revert if you wish.

*sigh* Sorry about that, the 2nd chunk of the change was completely
bogus.

Does the patch below fix this for you?

Thanks.

--
Dmitry

Input: uinput - fix crash when using ABS events

From: Dmitry Torokhov <dmitry.torokhov@gmail.com>

Commit b6d30968d86c45a7bb599eaca13ff048d3fa576c (Input: uinput - switch to
using for_each_set_bit()) switched driver to use for_each_set_bit().
However during initial write of the uinput structure that contains min/max
data for all possible axes none of them are reflected in dev->absbit yet
and so we were skipping over all of them and were not allocating absinfo
memory which caused crash later when driver tried to send EV_ABS events:
<1>[ 15.064330] BUG: unable to handle kernel NULL pointer dereference at 0000000000000024
<1>[ 15.064336] IP: [<ffffffff8163f142>] input_handle_event+0x232/0x4e0
<4>[ 15.064343] PGD 0
<4>[ 15.064345] Oops: 0000 [#1] SMP
Fixes: b6d30968d86c45a7bb599eaca13ff048d3fa576c
Cc: stable@vger.kernel.org
Reported-by: Stephen Chandler Paul <cpaul@redhat.com>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
---
drivers/input/misc/uinput.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/input/misc/uinput.c b/drivers/input/misc/uinput.c
index 345df9b..5adbced 100644
--- a/drivers/input/misc/uinput.c
+++ b/drivers/input/misc/uinput.c
@@ -414,7 +414,7 @@ static int uinput_setup_device(struct uinput_device *udev,
dev->id.product = user_dev->id.product;
dev->id.version = user_dev->id.version;
- for_each_set_bit(i, dev->absbit, ABS_CNT) {
+ for (i = 0; i < ABS_CNT; i++) {
input_abs_set_max(dev, i, user_dev->absmax[i]);
input_abs_set_min(dev, i, user_dev->absmin[i]);
input_abs_set_fuzz(dev, i, user_dev->absfuzz[i]);
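Review bot: The new `for (i = 0; i < ABS_CNT; i++)` line should carry a comment saying why it walks every axis rather than using for_each_set_bit() on dev->absbit. Per the commit message, absbit is not yet populated when the uinput structure is first written, so iterating over set bits skips every axis and absinfo is never allocated. Without that note in the code, the loop reads as a candidate for the same cleanup that commit b6d30968d86c introduced, which would bring back the NULL dereference in input_handle_event(). A one-line comment above the loop, for example "absbit is not set up yet at this point, so visit all axes", would be enough.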