On Tue, Apr 23, 2019 at 10:56:37PM +0800, Yue Haibing wrote: > From: YueHaibing <yuehaibing@xxxxxxxxxx> > > KASAN report this: <snip> > > static void walkera0701_detach(struct parport *port) > { > struct walkera_dev *w = &w_dev; > > - if (!w->pardevice || w->parport->number != port->number) > + if (!w->parport) It doesn't look correct. This way the detach function will never know the port number to which it is attached, and as a result it will try to do detach() with all the ports in the system. Please check the attached patch and maybe (if possible) ask Hulk Robot to verify if it fixes the problem. -- Regards Sudip
>From 0338a89a873e7df57707852402f90bb0d6626f12 Mon Sep 17 00:00:00 2001 From: Sudip Mukherjee <sudipm.mukherjee@xxxxxxxxx> Date: Wed, 16 Oct 2019 16:08:43 +0100 Subject: [PATCH] Input: walkera0701 - Fix possible NULL pointer dereference If walkera0701_attach() fails and input_dev is made NULL then we are unregistering the pardevice but it still has the pointer to the dev which has now been released. And as a result in the walkera0701_detach() it will now try to do input_unregister_device() with a NULL pointer. We should mark the pardevice as NULL when it is unregistered. Reported-by: Hulk Robot <hulkci@xxxxxxxxxx> Reported-by: Yue Haibing <yuehaibing@xxxxxxxxxx> Fixes: 221bcb24c653 ("Input: walkera0701 - use parallel port device model") Cc: stable@xxxxxxxxxxxxxxx # v4.4+ Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@xxxxxxxxx> --- drivers/input/joystick/walkera0701.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/input/joystick/walkera0701.c b/drivers/input/joystick/walkera0701.c index 56abc8c6c763..d8ae1329bf00 100644 --- a/drivers/input/joystick/walkera0701.c +++ b/drivers/input/joystick/walkera0701.c @@ -275,6 +275,7 @@ static void walkera0701_attach(struct parport *pp) input_free_device(w->input_dev); err_unregister_device: parport_unregister_device(w->pardevice); + w->pardevice = NULL; } static void walkera0701_detach(struct parport *port) -- 2.11.0
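Review bot: the error path at `err_unregister_device:` now clears `w->pardevice`, but the line just above it, `input_free_device(w->input_dev);`, still leaves `w->input_dev` set in the visible context, so `w_dev` keeps one stale pointer after a failed attach. Consider resetting `w->input_dev` to NULL in the same error path so that no later code can reach the freed device through it. The changelog should also say that the assignment works because walkera0701_detach() tests `!w->pardevice` first (the condition quoted earlier in this thread is `!w->pardevice || w->parport->number != port->number`) and returns before reaching input_unregister_device(). As written, the message describes the symptom but not why setting this one pointer is enough.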