Message-Id: <20250630-mtk-pmic-keys-fix-crash-v1-1-e47351fa9d1f@collabora.com>
Date: Mon, 30 Jun 2025 16:03:44 +0200
From: Louis-Alexis Eyraud <louisalexis.eyraud@...labora.com>
To: Dmitry Torokhov <dmitry.torokhov@...il.com>, 
 Matthias Brugger <matthias.bgg@...il.com>, 
 AngeloGioacchino Del Regno <angelogioacchino.delregno@...labora.com>
Cc: kernel@...labora.com, linux-input@...r.kernel.org, 
 linux-kernel@...r.kernel.org, linux-arm-kernel@...ts.infradead.org, 
 linux-mediatek@...ts.infradead.org, 
 Louis-Alexis Eyraud <louisalexis.eyraud@...labora.com>
Subject: [PATCH] Input: mtk-pmic-keys: Fix null pointer dereference when no
 compatible data

In the mtk_pmic_keys_probe function, the of_match_device function is
called to retrieve the compatible platform device info, but its returned
data pointer is not checked. It can lead to a null pointer dereference
later when accessing the data field, if of_match_device returned a null
pointer. So, add a pointer check after calling the of_match_device function
and return an EINVAL error in the null case.

Signed-off-by: Louis-Alexis Eyraud <louisalexis.eyraud@...labora.com>
---
This patch fixes a NULL pointer dereference that occurs during the
mtk_pmic_keys driver probe and was observed at least on the MediaTek Genio
1200-EVK board with a kernel based on linux-next (tag: 20250630),
when it is configured to have the mtk_pmic_keys driver as builtin
(CONFIG_KEYBOARD_MTK_PMIC=y):
```
Unable to handle kernel NULL pointer dereference at virtual address
  00000000000000c0
Mem abort info:
  ESR = 0x0000000096000004
  EC = 0x25: DABT (current EL), IL = 32 bits
  SET = 0, FnV = 0
  EA = 0, S1PTW = 0
  FSC = 0x04: level 0 translation fault
Data abort info:
  ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
  CM = 0, WnR = 0, TnD = 0, TagAccess = 0
  GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[00000000000000c0] user address but active_mm is swapper
Internal error: Oops: 0000000096000004 [#1]  SMP
Modules linked in:
CPU: 4 UID: 0 PID: 1 Comm: swapper/0 Not tainted 
  6.16.0-rc4-next-20250630-00001-gea99c662a089 #145 PREEMPT 
Hardware name: MediaTek Genio 1200 EVK-P1V2-EMMC (DT)
pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : mtk_pmic_keys_probe+0x94/0x500
lr : mtk_pmic_keys_probe+0x78/0x500
sp : ffff80008275bb30
x29: ffff80008275bb70 x28: ffff80008202bbb0 x27: ffff800081df00b0
x26: ffff800081ef9060 x25: ffff0000c6fcf400 x24: 0000000000000000
x23: 0000000000000000 x22: ffff0000c6fcf410 x21: ffff0000c09f8480
x20: ffff0000c09f4b80 x19: 0000000000000000 x18: 00000000ffffffff
x17: ffff8000824cb228 x16: 00000000d7fcbc9e x15: ffff0000c0a2b274
x14: ffff80008275bad0 x13: ffff0000c0a2ba1c x12: 786d692d696d6373
x11: 0000000000000040 x10: 0000000000000001 x9 : 0000000000000000
x8 : ffff0000c09f8500 x7 : 0000000000000000 x6 : 000000000000003f
x5 : 0000000000000040 x4 : ffff0000c6fcf410 x3 : ffff0000c6fcf6c0
x2 : ffff0000c09f8400 x1 : ffff0000c36da000 x0 : ffff0000c6fcf410
Call trace:
 mtk_pmic_keys_probe+0x94/0x500 (P)
 platform_probe+0x68/0xdc
 really_probe+0xbc/0x2c0
 __driver_probe_device+0x78/0x120
 driver_probe_device+0x3c/0x154
 __driver_attach+0x90/0x1a0
 bus_for_each_dev+0x7c/0xdc
 driver_attach+0x24/0x30
 bus_add_driver+0xe4/0x208
 driver_register+0x68/0x130
 __platform_driver_register+0x24/0x30
 pmic_keys_pdrv_init+0x1c/0x28
 do_one_initcall+0x60/0x1d4
 kernel_init_freeable+0x24c/0x2b4
 kernel_init+0x20/0x140
 ret_from_fork+0x10/0x20
Code: aa1603e0 f90006b6 f9400681 f9000aa1 (f9406261) 
---[ end trace 0000000000000000 ]---
```
---
 drivers/input/keyboard/mtk-pmic-keys.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/input/keyboard/mtk-pmic-keys.c b/drivers/input/keyboard/mtk-pmic-keys.c
index 061d48350df661dd26832b307e1460ee8b8fd535..42fb93086db308ad87a276be4b53e9725a3a701b 100644
--- a/drivers/input/keyboard/mtk-pmic-keys.c
+++ b/drivers/input/keyboard/mtk-pmic-keys.c
@@ -316,6 +316,9 @@ static int mtk_pmic_keys_probe(struct platform_device *pdev)
 	const struct of_device_id *of_id =
 		of_match_device(of_mtk_pmic_keys_match_tbl, &pdev->dev);
 
+	if (!of_id)
+		return -EINVAL;
+
 	keys = devm_kzalloc(&pdev->dev, sizeof(*keys), GFP_KERNEL);
 	if (!keys)
 		return -ENOMEM;
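
Review bot: The added `if (!of_id) return -EINVAL;` right after the of_match_device() call fails the probe without any log line, so a board that hits this path loses its PMIC keys with no hint in dmesg; consider `return dev_err_probe(&pdev->dev, -ENODEV, "no matching device data\n");`, since -ENODEV describes a missing match more directly than -EINVAL. The commit message also leaves open why of_match_device() returns NULL for a device that reached this driver's probe, and carries no Fixes: tag; if this started with a recent change in linux-next, naming that commit would tell reviewers whether the NULL check is the whole fix or only covers the symptom.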

---
base-commit: c6a68d8f7b81a6ce8962885408cc2d0c1f8b9470
change-id: 20250630-mtk-pmic-keys-fix-crash-42b55af280ef

Best regards,
-- 
Louis-Alexis Eyraud <louisalexis.eyraud@...labora.com>
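
An added triage example, not part of the patch or of the kernel sources: it decodes the faulting instruction word from the "Code:" line of the oops above and checks that the faulting address 0xc0 is exactly the offset of the `data` field reached through a NULL `of_id`. The struct `of_device_id_mirror` and the helper names are hypothetical; the layout is assumed to match `struct of_device_id` in include/linux/mod_devicetable.h.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Userspace mirror of struct of_device_id (assumed layout, see lead-in). */
struct of_device_id_mirror {
	char name[32];
	char type[32];
	char compatible[128];
	const void *data;
};

/* Decoded fields of AArch64 "LDR Xt, [Xn, #imm]" (64-bit, unsigned offset). */
struct ldr64 {
	int valid;        /* 1 if the word has this encoding */
	unsigned rt, rn;  /* destination and base register numbers */
	uint64_t offset;  /* byte offset: imm12 scaled by 8 */
};
static struct ldr64 decode_ldr64_uoff(uint32_t insn)
{
	struct ldr64 d = {0};
	/* Bits 31:22 are fixed to 1111100101 for this instruction form. */
	d.valid = (insn & 0xffc00000u) == 0xf9400000u;
	if (!d.valid)
		return d;
	d.rt = insn & 0x1f;
	d.rn = (insn >> 5) & 0x1f;
	d.offset = (uint64_t)((insn >> 10) & 0xfff) * 8;
	return d;
}

/* Values copied from the oops in the message above. */
static const uint32_t FAULT_INSN = 0xf9406261u; /* word in () on "Code:" line */
static const uint64_t FAULT_ADDR = 0xc0;        /* faulting virtual address */
static const uint64_t X19_VALUE = 0;            /* x19 in the register dump */

/* Returns 1 when the oops is explained by reading ->data via a NULL of_id. */
static int oops_matches_null_of_id(void)
{
	struct ldr64 d = decode_ldr64_uoff(FAULT_INSN);
	return d.valid && d.rn == 19 &&
	       X19_VALUE + d.offset == FAULT_ADDR &&
	       d.offset == offsetof(struct of_device_id_mirror, data);
}

int main(void)
{
	printf("NULL of_id->data read: %d\n", oops_matches_null_of_id());
	return 0;
}
```

The same arithmetic works for other small-address oopses: a fault address that equals a field offset of the structure just returned by a lookup usually points at a missing NULL check on that lookup.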

