| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 12 Jul 2021 08:02:55 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-kernel@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
stable@...r.kernel.org, Jeremy Cline <jeremy@...ine.org>,
Hans de Goede <hdegoede@...hat.com>,
Andy Shevchenko <andy.shevchenko@...il.com>,
Stable@...r.kernel.org,
Jonathan Cameron <Jonathan.Cameron@...wei.com>
Subject: [PATCH 5.12 092/700] iio: accel: bmc150: Fix dereferencing the wrong pointer in bmc150_get/set_second_device
From: Hans de Goede <hdegoede@...hat.com>
commit f2bf22dc9ea8ead180fc0221874bd556bf1d2685 upstream.
The drvdata for iio-parent devices points to the struct iio_dev for
the iio-device. So by directly casting the return from i2c_get_clientdata()
to struct bmc150_accel_data * the code was ending up storing the second_dev
pointer in (and retrieving it from) some semi-random offset inside
struct iio_dev, rather then storing it in the second_dev member of the
bmc150_accel_data struct.
Fix the code to get the struct bmc150_accel_data * pointer to call
iio_priv() on the struct iio_dev * returned by i2c_get_clientdata(),
so that the correct pointer gets dereferenced.
This fixes the following oops on rmmod, caused by trying to
dereference the wrong return of bmc150_get_second_device():
[ 238.980737] BUG: unable to handle page fault for address: 0000000000004710
[ 238.980755] #PF: supervisor read access in kernel mode
[ 238.980760] #PF: error_code(0x0000) - not-present page
...
[ 238.980841] i2c_unregister_device.part.0+0x19/0x60
[ 238.980856] 0xffffffffc0815016
[ 238.980863] i2c_device_remove+0x25/0xb0
[ 238.980869] __device_release_driver+0x180/0x240
[ 238.980876] driver_detach+0xd4/0x120
[ 238.980882] bus_remove_driver+0x5b/0xd0
[ 238.980888] i2c_del_driver+0x44/0x70
While at it also remove the now no longer sensible checks for data
being NULL, iio_priv never returns NULL for an iio_dev with non 0
sized private-data.
Fixes: 5bfb3a4bd8f6 ("iio: accel: bmc150: Check for a second ACPI device for BOSC0200")
Cc: Jeremy Cline <jeremy@...ine.org>
Signed-off-by: Hans de Goede <hdegoede@...hat.com>
Reviewed-by: Andy Shevchenko <andy.shevchenko@...il.com>
Cc: <Stable@...r.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@...wei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
---
drivers/iio/accel/bmc150-accel-core.c | 10 +++-------
1 file changed, 3 insertions(+), 7 deletions(-)
--- a/drivers/iio/accel/bmc150-accel-core.c
+++ b/drivers/iio/accel/bmc150-accel-core.c
@@ -1805,10 +1805,7 @@ EXPORT_SYMBOL_GPL(bmc150_accel_core_prob
struct i2c_client *bmc150_get_second_device(struct i2c_client *client)
{
- struct bmc150_accel_data *data = i2c_get_clientdata(client);
-
- if (!data)
- return NULL;
+ struct bmc150_accel_data *data = iio_priv(i2c_get_clientdata(client));
return data->second_device;
}
@@ -1816,10 +1813,9 @@ EXPORT_SYMBOL_GPL(bmc150_get_second_devi
void bmc150_set_second_device(struct i2c_client *client)
{
- struct bmc150_accel_data *data = i2c_get_clientdata(client);
+ struct bmc150_accel_data *data = iio_priv(i2c_get_clientdata(client));
- if (data)
- data->second_device = client;
+ data->second_device = client;
}
EXPORT_SYMBOL_GPL(bmc150_set_second_device);
Powered by blists - more mailing lists