[PATCH RESEND] Input: psmouse: add NULL check to psmouse_from_serio()

[PATCH RESEND] Input: psmouse: add NULL check to psmouse_from_serio()

[Takashi Iwai]

The serio drvdata can be still NULL while the PS/2 interrupt is
processed.  This leaded to crash with a NULL dereference Oops, as
psmouse_from_serio() blindly assumes the non-NULL ps2dev object.

Add a NULL check and return NULL from psmouse_from_serio().  The
returned NULL is handled properly in the caller side, skipping the
rest gracefully.

The log in the bugzilla entry showed that the probe of synaptics
driver succeeded after that point.  So this is a stop-gap solution.

Link: https://bugzilla.suse.com/show_bug.cgi?id=1219522
Signed-off-by: Takashi Iwai <tiwai@suse.de>
---

It was submitted in a few months ago
  https://lore.kernel.org/20240405084448.15754-1-tiwai@suse.de
but seems forgotten.  Simply resubmitted.


 drivers/input/mouse/psmouse-base.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/input/mouse/psmouse-base.c b/drivers/input/mouse/psmouse-base.c
index a2c9f7144864..d428e9ac86f6 100644
--- a/drivers/input/mouse/psmouse-base.c
+++ b/drivers/input/mouse/psmouse-base.c
@@ -120,6 +120,8 @@ struct psmouse *psmouse_from_serio(struct serio *serio)
 {
 	struct ps2dev *ps2dev = serio_get_drvdata(serio);
 
+	if (!ps2dev)
+		return NULL;
 	return container_of(ps2dev, struct psmouse, ps2dev);
 }
 
-- 
2.43.0

Re: [PATCH RESEND] Input: psmouse: add NULL check to psmouse_from_serio()

[Dmitry Torokhov]

Hi Takashi,


On Mon, Dec 30, 2024 at 12:15:52PM +0100, Takashi Iwai wrote:
> The serio drvdata can be still NULL while the PS/2 interrupt is
> processed.  This leaded to crash with a NULL dereference Oops, as
> psmouse_from_serio() blindly assumes the non-NULL ps2dev object.
> 
> Add a NULL check and return NULL from psmouse_from_serio().  The
> returned NULL is handled properly in the caller side, skipping the
> rest gracefully.
> 
> The log in the bugzilla entry showed that the probe of synaptics
> driver succeeded after that point.  So this is a stop-gap solution.
> 
> Link: https://bugzilla.suse.com/show_bug.cgi?id=1219522
> Signed-off-by: Takashi Iwai <tiwai@suse.de>
> ---
> 
> It was submitted in a few months ago
>   https://lore.kernel.org/20240405084448.15754-1-tiwai@suse.de
> but seems forgotten.  Simply resubmitted.
> 
> 
>  drivers/input/mouse/psmouse-base.c | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/drivers/input/mouse/psmouse-base.c b/drivers/input/mouse/psmouse-base.c
> index a2c9f7144864..d428e9ac86f6 100644
> --- a/drivers/input/mouse/psmouse-base.c
> +++ b/drivers/input/mouse/psmouse-base.c
> @@ -120,6 +120,8 @@ struct psmouse *psmouse_from_serio(struct serio *serio)
>  {
>  	struct ps2dev *ps2dev = serio_get_drvdata(serio);
>  
> +	if (!ps2dev)
> +		return NULL;

Thank you for resending and reminding me of this issue, however
psmouse_from_serio() should not return NULL as most callers do not
expect it. Synaptics driver needs to make sure the port is bound to
an instance of psmouse and do it in interrupt-safe way. I will make a
patch.


>  	return container_of(ps2dev, struct psmouse, ps2dev);
>  }
>  
> -- 
> 2.43.0
> 

Thanks.

-- 
Dmitry

Re: [PATCH RESEND] Input: psmouse: add NULL check to psmouse_from_serio()

[Takashi Iwai]

On Mon, 06 Jan 2025 07:59:51 +0100,
Dmitry Torokhov wrote:
> 
> Hi Takashi,
> 
> 
> On Mon, Dec 30, 2024 at 12:15:52PM +0100, Takashi Iwai wrote:
> > The serio drvdata can be still NULL while the PS/2 interrupt is
> > processed.  This leaded to crash with a NULL dereference Oops, as
> > psmouse_from_serio() blindly assumes the non-NULL ps2dev object.
> > 
> > Add a NULL check and return NULL from psmouse_from_serio().  The
> > returned NULL is handled properly in the caller side, skipping the
> > rest gracefully.
> > 
> > The log in the bugzilla entry showed that the probe of synaptics
> > driver succeeded after that point.  So this is a stop-gap solution.
> > 
> > Link: https://bugzilla.suse.com/show_bug.cgi?id=1219522
> > Signed-off-by: Takashi Iwai <tiwai@suse.de>
> > ---
> > 
> > It was submitted in a few months ago
> >   https://lore.kernel.org/20240405084448.15754-1-tiwai@suse.de
> > but seems forgotten.  Simply resubmitted.
> > 
> > 
> >  drivers/input/mouse/psmouse-base.c | 2 ++
> >  1 file changed, 2 insertions(+)
> > 
> > diff --git a/drivers/input/mouse/psmouse-base.c b/drivers/input/mouse/psmouse-base.c
> > index a2c9f7144864..d428e9ac86f6 100644
> > --- a/drivers/input/mouse/psmouse-base.c
> > +++ b/drivers/input/mouse/psmouse-base.c
> > @@ -120,6 +120,8 @@ struct psmouse *psmouse_from_serio(struct serio *serio)
> >  {
> >  	struct ps2dev *ps2dev = serio_get_drvdata(serio);
> >  
> > +	if (!ps2dev)
> > +		return NULL;
> 
> Thank you for resending and reminding me of this issue, however
> psmouse_from_serio() should not return NULL as most callers do not
> expect it. Synaptics driver needs to make sure the port is bound to
> an instance of psmouse and do it in interrupt-safe way. I will make a
> patch.

Fair enough.  My patch was intended to be a band-aid fix, so it's fine
to skip it.

Let me know if the proper fix patch is available.


thanks,

Takashi