From patchwork Fri Dec 28 10:50:13 2018
X-Patchwork-Submitter: "Chugh, Sanjeev"
X-Patchwork-Id: 10744411
From: Sanjeev Chugh
Subject: [PATCH V1 0/1] atmel_mxt_ts: Avoid memory free operation for unallocated kernel memory pointer
Date: Fri, 28 Dec 2018 16:20:13 +0530
Message-ID: <1545994214-30023-1-git-send-email-sanjeev_chugh@mentor.com>
X-Mailing-List: linux-input@vger.kernel.org

Please consider taking this patch to prevent kernel oops.

==========================================================

If there is an attempt to update the Atmel device with a cfg file which is not in an acceptable format, or with an invalid file, this leads to the kernel hitting a BUG macro in mm/slub.c. This is the callstack seen.

[ 3436.264512] kernel BUG at mm/slub.c:3892!
[ 3436.268549] Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
[ 3436.378927] [last unloaded: atmel_mxt_ts]
[ 3436.405034] PC is at kfree+0x70/0x22c
[ 3436.408723] LR is at mxt_configure_objects+0x2b0/0xe60 [atmel_mxt_ts]
[ 3436.528144] Process load_firmware.s (pid: 3852, stack limit = 0xffff00001f2d0000)
[ 3436.535646] Call trace:
[ 3436.538097] Exception stack(0xffff00001f2d3a30 to 0xffff00001f2d3b70)
[ 3436.544554] 3a20: ffff7e0000228e20 ffff7e0000228e20
[ 3436.552403] 3a40: ffff800690dd8f00 00000000002c4841 0000000000000000 0000000000000000
[ 3436.560252] 3a60: ffff000008b88b28 0000000000000371 0000000000000007 0000000000000000
[ 3436.568102] 3a80: ffff000008b88b1e 00000000fffffff2 0000000000000020 ffffffffffffffff
[ 3436.575951] 3aa0: ffff000008b8ab18 00000000ccd114e6 0000000000000000 0000000000000000
[ 3436.583800] 3ac0: 000000000000000a ffff7e0000228e00 ffff000008a38b08 0000000000000000
[ 3436.591649] 3ae0: ffff800696733020 ffff800690815b20 ffff000008a38b08 ffff800696733020
[ 3436.599498] 3b00: ffff800690815ac8 ffff000008741000 ffff80069519f000 ffff00001f2d3b70
[ 3436.607347] 3b20: ffff000000f93118 ffff00001f2d3b70 ffff0000081cf3f0 0000000040000145
[ 3436.615196] 3b40: ffff800690815018 ffff800690815ac8 0000ffffffffffff ffff000000f96c1e
[ 3436.623045] 3b60: ffff00001f2d3b70 ffff0000081cf3f0
[ 3436.627937] [] kfree+0x70/0x22c
[ 3436.632663] [] mxt_configure_objects+0x2b0/0xe60 [atmel_mxt_ts]
[ 3436.640173] [] mxt_process_operation+0x188/0x4e0 [atmel_mxt_ts]
[ 3436.647682] [] mxt_update_cfg_store+0x4c/0x90 [atmel_mxt_ts]
[ 3436.654929] [] dev_attr_store+0x18/0x28
[ 3436.660347] [] sysfs_kf_write+0x44/0x50
[ 3436.665761] [] kernfs_fop_write+0x130/0x194
[ 3436.671527] [] __vfs_write+0x34/0x138
[ 3436.676766] [] vfs_write+0xc0/0x17c
[ 3436.681832] [] SyS_write+0x60/0xb8
[ 3436.686809] Exception stack(0xffff00001f2d3ec0 to 0xffff00001f2d4000)
[ 3436.693266] 3ec0: 0000000000000001 000000000e58cc80 0000000000000016 0000000000000000
[ 3436.701116] 3ee0: 0000000000000888 5551000454000000 0000ffffba6d39f0 0000000000000015
[ 3436.708965] 3f00: 0000000000000040 ffffff80ffffffc8 0000000000000000 0000000000000020
[ 3436.716814] 3f20: 0000000000000000 0000000000000000 000000000000003d 0000000000000000
[ 3436.724664] 3f40: 0000000000000000 0000ffffba5f8fe0 0000000000000000 0000000000000016
[ 3436.732513] 3f60: 000000000e58cc80 0000ffffba6d4480 0000000000000016 0000ffffba6d0638
[ 3436.740362] 3f80: 0000000000000016 00000000004a2878 00000000004c0000 0000000000000000
[ 3436.748212] 3fa0: 00000000004c0000 0000ffffc5b1f9a0 0000ffffba5fc1b8 0000ffffc5b1f9a0
[ 3436.756062] 3fc0: 0000ffffba64cd18 0000000020000000 0000000000000001 0000000000000040
[ 3436.763911] 3fe0: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
[ 3436.771765] [] el0_svc_naked+0x34/0x38

Analysis of the above callback suggested that in function mxt_update_cfg, if the file is considered an unrecognised file, in that case it will go ahead and try to free cfg.mem as well, which is not allocated yet. So this should be avoided by not calling kfree(cfg.mem).

=====================================================================

Testing:
Try updating the Atmel device with an invalid file, let's say just a text file. This should reproduce the kernel oops.

Sanjeev Chugh (1):
  Input: atmel_mxt_ts: Don't try to free unallocated kernel memory

 drivers/input/touchscreen/atmel_mxt_ts.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
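
The error path described in the analysis above, as an added userspace model that is not part of the original mail or of the driver: a rejected file reaches the cleanup label before the buffer has been allocated. CFG_MAGIC, stack_garbage, model_free() and the fixed flag are assumptions made for illustration; the bad free is counted rather than performed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Userspace model, not driver code; CFG_MAGIC and all names are hypothetical. */
#define CFG_MAGIC "CFG_V1"
static unsigned char stack_garbage; /* what an unset pointer might point at */
static int bad_frees;               /* frees of memory that was never allocated */

static void model_free(void *p)
{
    if (p == &stack_garbage)
        bad_frees++;                /* in the report, kfree() hit a BUG here */
    else
        free(p);                    /* real buffer, or NULL (a no-op) */
}

/* fixed == 0 takes the reported path; fixed != 0 leaves without freeing. */
int update_cfg(const char *data, size_t len, int fixed)
{
    unsigned char *mem = &stack_garbage;   /* not allocated yet */
    size_t mlen = strlen(CFG_MAGIC);
    int ret = -1;                          /* assume an unrecognised file */

    if (len < mlen || memcmp(data, CFG_MAGIC, mlen) != 0) {
        if (fixed)
            goto out;
        goto release_mem;
    }
    mem = malloc(len);
    if (!mem)
        goto out;
    memcpy(mem, data, len);                /* stands in for parsing the file */
    ret = 0;
release_mem:
    model_free(mem);
out:
    return ret;
}

int count_bad_frees(const char *data, int fixed)
{
    bad_frees = 0;
    update_cfg(data, strlen(data), fixed);
    return bad_frees;
}

int main(void)
{
    printf("fixed path: %d bad frees\n", count_bad_frees("just a text file", 1));
}
```

Each cleanup label should release only what has been acquired by the time a goto can reach it; initialising the pointer to NULL is a second guard, because freeing NULL is a no-op.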