Received: by 2002:ac0:946b:0:0:0:0:0 with SMTP id j40csp2421895imj; Mon, 18 Feb 2019 05:49:47 -0800 (PST) X-Google-Smtp-Source: AHgI3IYxwy5v80A+gytds3PYRMYeKBwyL3EayxsoYm8D+84YO7KUw55IyVGT0fse8mtCrm/WGb/X X-Received: by 2002:a17:902:10e:: with SMTP id 14mr18618838plb.14.1550497787625; Mon, 18 Feb 2019 05:49:47 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1550497787; cv=none; d=google.com; s=arc-20160816; b=b7veqttER/TzkuiIv1ztXCHKR2awafGbsbtucxnNhSx+rZD5aek6WxToK4xDMWMxA/ h+JusKyoOpLTPdUYJIaqaaKKd9+mZ047meVqdz3Yomd2Z+64oftW5sS90gKabizp0T04 u95ZvP7oIr+f2DtsIkKmgbdxi/LWn6Af+acqH4TWBFd77Q4cLnCyv6g1VtICaq+BbiS9 PqRUrVwCaATv51IYw9JjBl1K8f/9i06kl40D1DQHwdlOSjXwA9hREdlSVn7LiG4/BM6q lG5gbqUIpPWRfhQF2XBlSkItaXZ9tcO9MUIHifYyfFBGvn4v5K9Iox7YXnzIn9CYK2wn QiCA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=jw1EGeWS5jqHpNS0IBR6JC0nsnDIQDhohhzWUvp4tpw=; b=iIlb+2OfiNeCaC+vHZhwlOe/dDzmM05rSCiXZYAzjm0JVF00+T9Eh3cnAZKSJw5olz pB7Cqn6ctoOygHojDopDhddrVLlQWnOWWA1RIZAOWXvOe5OyS/9Qf9XLo8Y8dNBGWUh7 5Ihk/XJ6zkWhEUo/CwZ6ikgilI15BvISqn42cRhdtdtMrUS++Qtiq7W1BEavow4nZXeW 35ReFbfMb5YQSJv4ZZPZhDFPN23xoVH+Z7WFi209FrjhOwy9DHTjveG+20N8GLkGvvRM fRU6TI3ymnDXMqfRz1LH4Hs3xNbaVeTormNLddMBj7vOHo6yQJddH6FcdCF1IAr8kZEG iVbw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=QzX6jYEH; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id m5si12310462pgq.193.2019.02.18.05.49.31; Mon, 18 Feb 2019 05:49:47 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=QzX6jYEH; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731143AbfBRNr7 (ORCPT + 99 others); Mon, 18 Feb 2019 08:47:59 -0500 Received: from mail.kernel.org ([198.145.29.99]:54696 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729182AbfBRNr5 (ORCPT ); Mon, 18 Feb 2019 08:47:57 -0500 Received: from localhost (5356596B.cm-6-7b.dynamic.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 3E194217F5; Mon, 18 Feb 2019 13:47:56 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1550497676; bh=XIR9ZHzMTUM3h5m9mbZk8/Vavc2g8lkM0/bLXXSXouY=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=QzX6jYEHarR4sC8N7TKjn7UwE+vVizyV0OnipEctboBbHPq6wJw3AxfjeJkwk9P1+ GXqZOalcO84rSBsHHRBvcfKB5qn8nj9JK9hSXk/7gx6iI2Ml8UOXJsWmxChsj/t2EH k2yJM0ISPXYLGFWY/4412mPNMpia3lWrRY2qhyjM= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Jonathan Bakker , =?UTF-8?q?Pawe=C5=82=20Chmiel?= , Dmitry Torokhov Subject: [PATCH 4.20 67/92] Input: bma150 - register input device after setting private data Date: Mon, 18 Feb 2019 14:43:10 +0100 Message-Id: <20190218133501.169969448@linuxfoundation.org> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20190218133454.668268457@linuxfoundation.org> References: <20190218133454.668268457@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review X-Patchwork-Hint: ignore MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.20-stable review patch. If anyone has any objections, please let me know. ------------------ From: Jonathan Bakker commit 90cc55f067f6ca0e64e5e52883ece47d8af7b67b upstream. Otherwise we introduce a race condition where userspace can request input before we're ready leading to null pointer dereference such as input: bma150 as /devices/platform/i2c-gpio-2/i2c-5/5-0038/input/input3 Unable to handle kernel NULL pointer dereference at virtual address 00000018 pgd = (ptrval) [00000018] *pgd=55dac831, *pte=00000000, *ppte=00000000 Internal error: Oops: 17 [#1] PREEMPT ARM Modules linked in: bma150 input_polldev [last unloaded: bma150] CPU: 0 PID: 2870 Comm: accelerometer Not tainted 5.0.0-rc3-dirty #46 Hardware name: Samsung S5PC110/S5PV210-based board PC is at input_event+0x8/0x60 LR is at bma150_report_xyz+0x9c/0xe0 [bma150] pc : [<80450f70>] lr : [<7f0a614c>] psr: 800d0013 sp : a4c1fd78 ip : 00000081 fp : 00020000 r10: 00000000 r9 : a5e2944c r8 : a7455000 r7 : 00000016 r6 : 00000101 r5 : a7617940 r4 : 80909048 r3 : fffffff2 r2 : 00000000 r1 : 00000003 r0 : 00000000 Flags: Nzcv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none Control: 10c5387d Table: 54e34019 DAC: 00000051 Process accelerometer (pid: 2870, stack limit = 0x(ptrval)) Stackck: (0xa4c1fd78 to 0xa4c20000) fd60: fffffff3 fc813f6c fd80: 40410581 d7530ce3 a5e2817c a7617f00 a5e29404 a5e2817c 00000000 7f008324 fda0: a5e28000 8044f59c a5fdd9d0 a5e2945c a46a4a00 a5e29668 a7455000 80454f10 fdc0: 80909048 a5e29668 a5fdd9d0 a46a4a00 806316d0 00000000 a46a4a00 801df5f0 fde0: 00000000 d7530ce3 a4c1fec0 a46a4a00 00000000 a5fdd9d0 a46a4a08 801df53c fe00: 00000000 801d74bc a4c1fec0 00000000 a4c1ff70 00000000 a7038da8 00000000 fe20: a46a4a00 801e91fc a411bbe0 801f2e88 00000004 00000000 80909048 00000041 fe40: 00000000 00020000 00000000 dead4ead a6a88da0 00000000 ffffe000 806fcae8 fe60: a4c1fec8 00000000 80909048 00000002 a5fdd9d0 a7660110 a411bab0 00000001 fe80: dead4ead ffffffff ffffffff a4c1fe8c a4c1fe8c d7530ce3 20000013 80909048 fea0: 80909048 a4c1ff70 00000001 fffff000 a4c1e000 00000005 00026038 801eabd8 fec0: a7660110 a411bab0 b9394901 00000006 a696201b 76fb3000 00000000 a7039720 fee0: a5fdd9d0 00000101 00000002 00000096 00000000 00000000 00000000 a4c1ff00 ff00: a6b310f4 805cb174 a6b310f4 00000010 00000fe0 00000010 a4c1e000 d7530ce3 ff20: 00000003 a5f41400 a5f41424 00000000 a6962000 00000000 00000003 00000002 ff40: ffffff9c 000a0000 80909048 d7530ce3 a6962000 00000003 80909048 ffffff9c ff60: a6962000 801d890c 00000000 00000000 00020000 a7590000 00000004 00000100 ff80: 00000001 d7530ce3 000288b8 00026320 000288b8 00000005 80101204 a4c1e000 ffa0: 00000005 80101000 000288b8 00026320 000288b8 000a0000 00000000 00000000 ffc0: 000288b8 00026320 000288b8 00000005 7eef3bac 000264e8 00028ad8 00026038 ffe0: 00000005 7eef3300 76f76e91 76f78546 800d0030 000288b8 00000000 00000000 [<80450f70>] (input_event) from [] (0xa5e2817c) Code: e1a08148 eaffffa8 e351001f 812fff1e (e590c018) ---[ end trace 1c691ee85f2ff243 ]--- Signed-off-by: Jonathan Bakker Signed-off-by: Paweł Chmiel Cc: stable@vger.kernel.org Signed-off-by: Dmitry Torokhov Signed-off-by: Greg Kroah-Hartman --- drivers/input/misc/bma150.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) --- a/drivers/input/misc/bma150.c +++ b/drivers/input/misc/bma150.c @@ -481,13 +481,14 @@ static int bma150_register_input_device( idev->close = bma150_irq_close; input_set_drvdata(idev, bma150); + bma150->input = idev; + error = input_register_device(idev); if (error) { input_free_device(idev); return error; } - bma150->input = idev; return 0; } @@ -510,15 +511,15 @@ static int bma150_register_polled_device bma150_init_input_device(bma150, ipoll_dev->input); + bma150->input_polled = ipoll_dev; + bma150->input = ipoll_dev->input; + error = input_register_polled_device(ipoll_dev); if (error) { input_free_polled_device(ipoll_dev); return error; } - bma150->input_polled = ipoll_dev; - bma150->input = ipoll_dev->input; - return 0; }