lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <1274226413-8520-1-git-send-email-khilman@deeprootsystems.com>
Date:	Tue, 18 May 2010 16:46:53 -0700
From:	Kevin Hilman <khilman@...prootsystems.com>
To:	linux-input@...r.kernel.org
Cc:	linux-omap@...r.kernel.org,
	Dmitry Torokhov <dmitry.torokhov@...il.com>,
	Michael Roth <mroth@...sie.de>, Pavel Machek <pavel@....cz>,
	Andrew Morton <akpm@...ux-foundation.org>,
	Mike Frysinger <vapier@...too.org>,
	linux-kernel@...r.kernel.org
Subject: [PATCH] touchscreen: ads7846: please don't touch free'd memory

If the _probe() method fails, the 'ts' struct is freed, yet it is
still used as the drvdata passed to suspend/resume/remove methods.
Even though the input device does not get registerd, the driver's
suspend/resume methods still get called as it's a registered SPI
device.  This patch adds sanity checks to these methods to ensure that
drvdata is valid before using it.

Problem discovered when using lockdep since the ts->lock taken in
suspend & resume methods was left pointing into free'd memory if
_probe() fails.

Signed-off-by: Kevin Hilman <khilman@...prootsystems.com>
---
 drivers/input/touchscreen/ads7846.c |   10 ++++++++++
 1 files changed, 10 insertions(+), 0 deletions(-)

diff --git a/drivers/input/touchscreen/ads7846.c b/drivers/input/touchscreen/ads7846.c
index 532279c..1da2369 100644
--- a/drivers/input/touchscreen/ads7846.c
+++ b/drivers/input/touchscreen/ads7846.c
@@ -815,6 +815,9 @@ static int ads7846_suspend(struct spi_device *spi, pm_message_t message)
 {
 	struct ads7846 *ts = dev_get_drvdata(&spi->dev);
 
+	if (WARN_ON_ONCE(!ts))
+		return 0;
+
 	spin_lock_irq(&ts->lock);
 
 	ts->is_suspended = 1;
@@ -833,6 +836,9 @@ static int ads7846_resume(struct spi_device *spi)
 {
 	struct ads7846 *ts = dev_get_drvdata(&spi->dev);
 
+	if (WARN_ON_ONCE(!ts))
+		return 0;
+
 	if (device_may_wakeup(&ts->spi->dev))
 		disable_irq_wake(ts->spi->irq);
 
@@ -1231,6 +1237,7 @@ static int __devinit ads7846_probe(struct spi_device *spi)
 	input_free_device(input_dev);
 	kfree(packet);
 	kfree(ts);
+	dev_set_drvdata(&spi->dev, NULL);
 	return err;
 }
 
@@ -1240,6 +1247,9 @@ static int __devexit ads7846_remove(struct spi_device *spi)
 
 	device_init_wakeup(&spi->dev, false);
 
+	if (WARN_ON_ONCE(!ts))
+		return 0;
+
 	ads784x_hwmon_unregister(spi, ts);
 	input_unregister_device(ts->input);
 
-- 
1.7.0.2

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ