| Message ID | 20151219105824.GA3749@mwanda (mailing list archive) |
|---|---|
| State | Accepted |
| Headers | show |
On Sat, 19 Dec 2015, Dan Carpenter wrote: > We didn't check input_allocate_device() for failures so it could lead to > a NULL deref. The patch does several other things... julia > > Fixes: 6b0f8f9c52ef ('Input: add eGalaxTouch serial touchscreen driver') > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> > > diff --git a/drivers/input/touchscreen/egalax_ts_serial.c b/drivers/input/touchscreen/egalax_ts_serial.c > index a078c1c..8becd26 100644 > --- a/drivers/input/touchscreen/egalax_ts_serial.c > +++ b/drivers/input/touchscreen/egalax_ts_serial.c > @@ -104,10 +104,13 @@ static int egalax_connect(struct serio *serio, struct serio_driver *drv) > int error; > > egalax = kzalloc(sizeof(struct egalax), GFP_KERNEL); > + if (!egalax) > + return -ENOMEM; > + > input_dev = input_allocate_device(); > - if (!egalax) { > + if (!input_dev) { > error = -ENOMEM; > - goto err_free_mem; > + goto err_free_egalax; > } > > egalax->serio = serio; > @@ -145,8 +148,8 @@ err_close_serio: > serio_close(serio); > err_reset_drvdata: > serio_set_drvdata(serio, NULL); > -err_free_mem: > input_free_device(input_dev); > +err_free_egalax: > kfree(egalax); > return error; > } > -- > To unsubscribe from this list: send the line "unsubscribe kernel-janitors" in > the body of a message to majordomo@vger.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html > -- To unsubscribe from this list: send the line "unsubscribe linux-input" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Hi Dan, On Sat, Dec 19, 2015 at 01:58:24PM +0300, Dan Carpenter wrote: > We didn't check input_allocate_device() for failures so it could lead to > a NULL deref. > > Fixes: 6b0f8f9c52ef ('Input: add eGalaxTouch serial touchscreen driver') > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> > > diff --git a/drivers/input/touchscreen/egalax_ts_serial.c b/drivers/input/touchscreen/egalax_ts_serial.c > index a078c1c..8becd26 100644 > --- a/drivers/input/touchscreen/egalax_ts_serial.c > +++ b/drivers/input/touchscreen/egalax_ts_serial.c > @@ -104,10 +104,13 @@ static int egalax_connect(struct serio *serio, struct serio_driver *drv) > int error; > > egalax = kzalloc(sizeof(struct egalax), GFP_KERNEL); > + if (!egalax) > + return -ENOMEM; > + > input_dev = input_allocate_device(); > - if (!egalax) { > + if (!input_dev) { > error = -ENOMEM; > - goto err_free_mem; > + goto err_free_egalax; > } > > egalax->serio = serio; > @@ -145,8 +148,8 @@ err_close_serio: > serio_close(serio); > err_reset_drvdata: > serio_set_drvdata(serio, NULL); > -err_free_mem: > input_free_device(input_dev); > +err_free_egalax: > kfree(egalax); > return error; > } This is my screwup. The original code had the "if (!egalax || !input_dev)" check but I was considering using devm (but then decided against it) but forget to adjust the check back. I'll put it back in. Thank you for noticing!
On Sat, Dec 19, 2015 at 12:04:56PM +0100, Julia Lawall wrote: > On Sat, 19 Dec 2015, Dan Carpenter wrote: > > > We didn't check input_allocate_device() for failures so it could lead to > > a NULL deref. > > The patch does several other things... Not really. It's all part of fixing the input_allocate_device() check. regards, dan carpenter -- To unsubscribe from this list: send the line "unsubscribe linux-input" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/drivers/input/touchscreen/egalax_ts_serial.c b/drivers/input/touchscreen/egalax_ts_serial.c index a078c1c..8becd26 100644 --- a/drivers/input/touchscreen/egalax_ts_serial.c +++ b/drivers/input/touchscreen/egalax_ts_serial.c @@ -104,10 +104,13 @@ static int egalax_connect(struct serio *serio, struct serio_driver *drv) int error; egalax = kzalloc(sizeof(struct egalax), GFP_KERNEL); + if (!egalax) + return -ENOMEM; + input_dev = input_allocate_device(); - if (!egalax) { + if (!input_dev) { error = -ENOMEM; - goto err_free_mem; + goto err_free_egalax; } egalax->serio = serio; @@ -145,8 +148,8 @@ err_close_serio: serio_close(serio); err_reset_drvdata: serio_set_drvdata(serio, NULL); -err_free_mem: input_free_device(input_dev); +err_free_egalax: kfree(egalax); return error; }
We didn't check input_allocate_device() for failures so it could lead to a NULL deref. Fixes: 6b0f8f9c52ef ('Input: add eGalaxTouch serial touchscreen driver') Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> -- To unsubscribe from this list: send the line "unsubscribe linux-input" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html