This is a note to let you know that I've just added the patch titled HID: rmi: Check that the RMI_STARTED bit is set before unregistering the RMI transport device to the 5.4-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: hid-rmi-check-that-the-rmi_started-bit-is-set-before.patch and it can be found in the queue-5.4 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. commit 1739196f83c3b045d9da11591bf41d3b957e7287 Author: Andrew Duggan <aduggan@xxxxxxxxxxxxx> Date: Wed Oct 23 01:24:03 2019 +0000 HID: rmi: Check that the RMI_STARTED bit is set before unregistering the RMI transport device [ Upstream commit 8725aa4fa7ded30211ebd28bb1c9bae806eb3841 ] In the event that the RMI device is unreachable, the calls to rmi_set_mode() or rmi_set_page() will fail before registering the RMI transport device. When the device is removed, rmi_remove() will call rmi_unregister_transport_device() which will attempt to access the rmi_dev pointer which was not set. This patch adds a check of the RMI_STARTED bit before calling rmi_unregister_transport_device(). The RMI_STARTED bit is only set after rmi_register_transport_device() completes successfully. The kernel oops was reported in this message: https://www.spinics.net/lists/linux-input/msg58433.html [jkosina@xxxxxxx: reworded changelog as agreed with Andrew] Signed-off-by: Andrew Duggan <aduggan@xxxxxxxxxxxxx> Reported-by: Federico Cerutti <federico@xxxxxxxxxx> Signed-off-by: Jiri Kosina <jkosina@xxxxxxx> Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx> diff --git a/drivers/hid/hid-rmi.c b/drivers/hid/hid-rmi.c index 7c6abd7e0979..9ce22acdfaca 100644 --- a/drivers/hid/hid-rmi.c +++ b/drivers/hid/hid-rmi.c @@ -744,7 +744,8 @@ static void rmi_remove(struct hid_device *hdev) { struct rmi_data *hdata = hid_get_drvdata(hdev); - if (hdata->device_flags & RMI_DEVICE) { + if ((hdata->device_flags & RMI_DEVICE) + && test_bit(RMI_STARTED, &hdata->flags)) { clear_bit(RMI_STARTED, &hdata->flags); cancel_work_sync(&hdata->reset_work); rmi_unregister_transport_device(&hdata->xport);