Message ID | 20180406181242.GA225849@dtor-ws (mailing list archive) |
---|---|
State | New, archived |
Hi,

[This is an automated email]

This commit has been processed because it contains a -stable tag.
The stable tag indicates that it's relevant for the following trees: all

The bot has also determined it's probably a bug fixing patch. (score: 97.7389)

The bot has tested the following trees: v4.16.1, v4.15.16, v4.14.33, v4.9.93, v4.4.127.

v4.16.1: Build OK!
v4.15.16: Build OK!
v4.14.33: Build OK!
v4.9.93: Build OK!
v4.4.127: Build OK!

Please let us know if you'd like to have this patch included in a stable tree.

--
Thanks,
Sasha

--
To unsubscribe from this list: send the line "unsubscribe linux-input" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
On Fri, Apr 06, 2018 at 11:12:42AM -0700, Dmitry Torokhov wrote: > UI_SET_LEDBIT ioctl() causes the following KASAN splat when used with > led > LED_CHARGING: > > [ 1274.663418] BUG: KASAN: slab-out-of-bounds in input_leds_connect+0x611/0x730 [input_leds] > [ 1274.663426] Write of size 8 at addr ffff88003377b2c0 by task ckb-next-daemon/5128 > > This happens because we were writing to the led structure before making > sure that it exists. > > Reported-by: Tasos Sahanidis <tasos@tasossah.com> > Tested-by: Tasos Sahanidis <tasos@tasossah.com> > Cc: stable@vger.kernel.org > Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> Cheers, Peter > --- > drivers/input/input-leds.c | 8 ++++---- > 1 file changed, 4 insertions(+), 4 deletions(-) > > diff --git a/drivers/input/input-leds.c b/drivers/input/input-leds.c > index 766bf26601163..5f04b2d946350 100644 > --- a/drivers/input/input-leds.c > +++ b/drivers/input/input-leds.c > @@ -88,6 +88,7 @@ static int input_leds_connect(struct input_handler *handler, > const struct input_device_id *id) > { > struct input_leds *leds; > + struct input_led *led; > unsigned int num_leds; > unsigned int led_code; > int led_no; > @@ -119,14 +120,13 @@ static int input_leds_connect(struct input_handler *handler, > > led_no = 0; > for_each_set_bit(led_code, dev->ledbit, LED_CNT) { > - struct input_led *led = &leds->leds[led_no]; > + if (!input_led_info[led_code].name) > + continue; > > + led = &leds->leds[led_no]; > led->handle = &leds->handle; > led->code = led_code; > > - if (!input_led_info[led_code].name) > - continue; > - > led->cdev.name = kasprintf(GFP_KERNEL, "%s::%s", > dev_name(&dev->dev), > input_led_info[led_code].name); > -- > 2.17.0.484.g0c8726318c-goog -- To unsubscribe from this list: send the line "unsubscribe linux-input" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/drivers/input/input-leds.c b/drivers/input/input-leds.c index 766bf26601163..5f04b2d946350 100644 --- a/drivers/input/input-leds.c +++ b/drivers/input/input-leds.c @@ -88,6 +88,7 @@ static int input_leds_connect(struct input_handler *handler, const struct input_device_id *id) { struct input_leds *leds; + struct input_led *led; unsigned int num_leds; unsigned int led_code; int led_no; @@ -119,14 +120,13 @@ static int input_leds_connect(struct input_handler *handler, led_no = 0; for_each_set_bit(led_code, dev->ledbit, LED_CNT) { - struct input_led *led = &leds->leds[led_no]; + if (!input_led_info[led_code].name) + continue; + led = &leds->leds[led_no]; led->handle = &leds->handle; led->code = led_code; - if (!input_led_info[led_code].name) - continue; - led->cdev.name = kasprintf(GFP_KERNEL, "%s::%s", dev_name(&dev->dev), input_led_info[led_code].name);
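Review bot: in the first hunk (@@ -88,6 +88,7), `struct input_led *led;` is hoisted to function scope in input_leds_connect() although the lines shown only use it inside the for_each_set_bit body. If nothing after the loop needs it, the declaration could stay at the top of the loop block, uninitialised, with `led = &leds->leds[led_no];` assigned after the name check. That gives the same fix with a narrower scope and no pointer left holding the last slot's address once the loop ends.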
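Review bot: in the second hunk (@@ -119,14 +120,13), the relocated `if (!input_led_info[led_code].name) continue;` has no comment, yet its position ahead of `led = &leds->leds[led_no];` is the whole fix. A one-line comment stating that LED codes without a name have no slot in leds->leds would stop a later cleanup from moving the check back below the `led->handle` and `led->code` writes. The commit message attributes the KASAN slab-out-of-bounds write to touching the led structure before confirming it exists, so the code that sizes leds->leds (not visible in this hunk) should be checked to skip the same nameless codes, so that led_no can never reach the allocated count.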