From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org,
	syzbot+f49d12d34f2321cf4df2@syzkaller.appspotmail.com,
	Sean Young <sean@mess.org>,
	Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Subject: [PATCH 5.3 78/95] media: imon: invalid dereference in imon_touch_event
Date: Wed, 27 Nov 2019 21:32:35 +0100
Message-ID: <20191127202946.744284917@linuxfoundation.org>
In-Reply-To: <20191127202845.651587549@linuxfoundation.org>

From: Sean Young <sean@mess.org>

commit f3f5ba42c58d56d50f539854d8cc188944e96087 upstream.

The touch timer is set up in intf1. If the second interface does not exist,
the timer and touch input device are not set up and we get the following
error when touch events are reported via intf0.

kernel BUG at kernel/time/timer.c:956!
invalid opcode: 0000 [#1] SMP KASAN
CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.4.0-rc1+ #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__mod_timer kernel/time/timer.c:956 [inline]
RIP: 0010:__mod_timer kernel/time/timer.c:949 [inline]
RIP: 0010:mod_timer+0x5a2/0xb50 kernel/time/timer.c:1100
Code: 45 10 c7 44 24 14 ff ff ff ff 48 89 44 24 08 48 8d 45 20 48 c7 44 24 18 00 00 00 00 48 89 04 24 e9 5a fc ff ff e8 ae ce 0e 00 <0f> 0b e8 a7 ce 0e 00 4c 89 74 24 20 e9 37 fe ff ff e8 98 ce 0e 00
RSP: 0018:ffff8881db209930 EFLAGS: 00010006
RAX: ffffffff86c2b200 RBX: 00000000ffffa688 RCX: ffffffff83efc583
RDX: 0000000000000100 RSI: ffffffff812f4d82 RDI: ffff8881d2356200
RBP: ffff8881d23561e8 R08: ffffffff86c2b200 R09: ffffed103a46abeb
R10: ffffed103a46abea R11: ffff8881d2355f53 R12: dffffc0000000000
R13: 1ffff1103b64132d R14: ffff8881d2355f50 R15: 0000000000000006
FS:  0000000000000000(0000) GS:ffff8881db200000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f75e2799000 CR3: 00000001d3b07000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <IRQ>
 imon_touch_event drivers/media/rc/imon.c:1348 [inline]
 imon_incoming_packet.isra.0+0x2546/0x2f10 drivers/media/rc/imon.c:1603
 usb_rx_callback_intf0+0x151/0x1e0 drivers/media/rc/imon.c:1734
 __usb_hcd_giveback_urb+0x1f2/0x470 drivers/usb/core/hcd.c:1654
 usb_hcd_giveback_urb+0x368/0x420 drivers/usb/core/hcd.c:1719
 dummy_timer+0x120f/0x2fa2 drivers/usb/gadget/udc/dummy_hcd.c:1965
 call_timer_fn+0x179/0x650 kernel/time/timer.c:1404
 expire_timers kernel/time/timer.c:1449 [inline]
 __run_timers kernel/time/timer.c:1773 [inline]
 __run_timers kernel/time/timer.c:1740 [inline]
 run_timer_softirq+0x5e3/0x1490 kernel/time/timer.c:1786
 __do_softirq+0x221/0x912 kernel/softirq.c:292
 invoke_softirq kernel/softirq.c:373 [inline]
 irq_exit+0x178/0x1a0 kernel/softirq.c:413
 exiting_irq arch/x86/include/asm/apic.h:536 [inline]
 smp_apic_timer_interrupt+0x12f/0x500 arch/x86/kernel/apic/apic.c:1137
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:830
 </IRQ>
RIP: 0010:default_idle+0x28/0x2e0 arch/x86/kernel/process.c:581
Code: 90 90 41 56 41 55 65 44 8b 2d 44 3a 8f 7a 41 54 55 53 0f 1f 44 00 00 e8 36 ee d0 fb e9 07 00 00 00 0f 00 2d fa dd 4f 00 fb f4 <65> 44 8b 2d 20 3a 8f 7a 0f 1f 44 00 00 5b 5d 41 5c 41 5d 41 5e c3
RSP: 0018:ffffffff86c07da8 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
RAX: 0000000000000007 RBX: ffffffff86c2b200 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000006 RDI: ffffffff86c2ba4c
RBP: fffffbfff0d85640 R08: ffffffff86c2b200 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
 cpuidle_idle_call kernel/sched/idle.c:154 [inline]
 do_idle+0x3b6/0x500 kernel/sched/idle.c:263
 cpu_startup_entry+0x14/0x20 kernel/sched/idle.c:355
 start_kernel+0x82a/0x864 init/main.c:784
 secondary_startup_64+0xa4/0xb0 arch/x86/kernel/head_64.S:241
Modules linked in:

Reported-by: syzbot+f49d12d34f2321cf4df2@syzkaller.appspotmail.com
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/media/rc/imon.c |    3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

--- a/drivers/media/rc/imon.c
+++ b/drivers/media/rc/imon.c
@@ -1598,8 +1598,7 @@ static void imon_incoming_packet(struct
 	spin_unlock_irqrestore(&ictx->kc_lock, flags);
 
 	/* send touchscreen events through input subsystem if touchpad data */
-	if (ictx->display_type == IMON_DISPLAY_TYPE_VGA && len == 8 &&
-	    buf[7] == 0x86) {
+	if (ictx->touch && len == 8 && buf[7] == 0x86) {
 		imon_touch_event(ictx, buf);
 		return;
 
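Review bot: the new guard `if (ictx->touch && len == 8 && buf[7] == 0x86)` reads `ictx->touch` after `spin_unlock_irqrestore(&ictx->kc_lock, flags)`, so nothing in the visible lines orders that read against the intf1 code that, per the commit message, sets up the timer and touch input device. Since the trace shows this path running from `usb_rx_callback_intf0` in IRQ context, please confirm (and say in the commit message or a comment) that `ictx->touch` becomes non-NULL only after the touch timer is initialised and is not cleared while intf0 URBs can still complete. Separately, dropping the `ictx->display_type == IMON_DISPLAY_TYPE_VGA` test means an 8-byte packet ending in 0x86 on a device without intf1 now falls through to the code after this block instead of returning; a sentence stating that this is the intended handling would help, and the comment above the `if` could mention that touch events are only forwarded when the touch device exists.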


