linux/drivers/media/rc
Sean Young f3f5ba42c5 media: imon: invalid dereference in imon_touch_event
The touch timer is set up in intf1. If the second interface does not exist,
the timer and touch input device are not setup and we get the following
error, when touch events are reported via intf0.

kernel BUG at kernel/time/timer.c:956!
invalid opcode: 0000 [#1] SMP KASAN
CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.4.0-rc1+ #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__mod_timer kernel/time/timer.c:956 [inline]
RIP: 0010:__mod_timer kernel/time/timer.c:949 [inline]
RIP: 0010:mod_timer+0x5a2/0xb50 kernel/time/timer.c:1100
Code: 45 10 c7 44 24 14 ff ff ff ff 48 89 44 24 08 48 8d 45 20 48 c7 44 24 18 00 00 00 00 48 89 04 24 e9 5a fc ff ff e8 ae ce 0e 00 <0f> 0b e8 a7 ce 0e 00 4c 89 74 24 20 e9 37 fe ff ff e8 98 ce 0e 00
RSP: 0018:ffff8881db209930 EFLAGS: 00010006
RAX: ffffffff86c2b200 RBX: 00000000ffffa688 RCX: ffffffff83efc583
RDX: 0000000000000100 RSI: ffffffff812f4d82 RDI: ffff8881d2356200
RBP: ffff8881d23561e8 R08: ffffffff86c2b200 R09: ffffed103a46abeb
R10: ffffed103a46abea R11: ffff8881d2355f53 R12: dffffc0000000000
R13: 1ffff1103b64132d R14: ffff8881d2355f50 R15: 0000000000000006
FS:  0000000000000000(0000) GS:ffff8881db200000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f75e2799000 CR3: 00000001d3b07000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <IRQ>
 imon_touch_event drivers/media/rc/imon.c:1348 [inline]
 imon_incoming_packet.isra.0+0x2546/0x2f10 drivers/media/rc/imon.c:1603
 usb_rx_callback_intf0+0x151/0x1e0 drivers/media/rc/imon.c:1734
 __usb_hcd_giveback_urb+0x1f2/0x470 drivers/usb/core/hcd.c:1654
 usb_hcd_giveback_urb+0x368/0x420 drivers/usb/core/hcd.c:1719
 dummy_timer+0x120f/0x2fa2 drivers/usb/gadget/udc/dummy_hcd.c:1965
 call_timer_fn+0x179/0x650 kernel/time/timer.c:1404
 expire_timers kernel/time/timer.c:1449 [inline]
 __run_timers kernel/time/timer.c:1773 [inline]
 __run_timers kernel/time/timer.c:1740 [inline]
 run_timer_softirq+0x5e3/0x1490 kernel/time/timer.c:1786
 __do_softirq+0x221/0x912 kernel/softirq.c:292
 invoke_softirq kernel/softirq.c:373 [inline]
 irq_exit+0x178/0x1a0 kernel/softirq.c:413
 exiting_irq arch/x86/include/asm/apic.h:536 [inline]
 smp_apic_timer_interrupt+0x12f/0x500 arch/x86/kernel/apic/apic.c:1137
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:830
 </IRQ>
RIP: 0010:default_idle+0x28/0x2e0 arch/x86/kernel/process.c:581
Code: 90 90 41 56 41 55 65 44 8b 2d 44 3a 8f 7a 41 54 55 53 0f 1f 44 00 00 e8 36 ee d0 fb e9 07 00 00 00 0f 00 2d fa dd 4f 00 fb f4 <65> 44 8b 2d 20 3a 8f 7a 0f 1f 44 00 00 5b 5d 41 5c 41 5d 41 5e c3
RSP: 0018:ffffffff86c07da8 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
RAX: 0000000000000007 RBX: ffffffff86c2b200 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000006 RDI: ffffffff86c2ba4c
RBP: fffffbfff0d85640 R08: ffffffff86c2b200 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
 cpuidle_idle_call kernel/sched/idle.c:154 [inline]
 do_idle+0x3b6/0x500 kernel/sched/idle.c:263
 cpu_startup_entry+0x14/0x20 kernel/sched/idle.c:355
 start_kernel+0x82a/0x864 init/main.c:784
 secondary_startup_64+0xa4/0xb0 arch/x86/kernel/head_64.S:241
Modules linked in:

Reported-by: syzbot+f49d12d34f2321cf4df2@syzkaller.appspotmail.com
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
2019-10-24 18:58:16 -03:00
..
img-ir media: Remove dev_err() usage after platform_get_irq() 2019-08-07 17:08:33 -03:00
keymaps media: rc: add keymap for Tronsmart Vega S95/S96 remote 2019-10-16 11:48:28 -03:00
ati_remote.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 157 2019-05-30 11:26:37 -07:00
bpf-lirc.c bpf: media: properly use bpf_prog_array api 2019-05-29 15:17:35 +02:00
ene_ir.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 157 2019-05-30 11:26:37 -07:00
ene_ir.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 157 2019-05-30 11:26:37 -07:00
fintek-cir.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 157 2019-05-30 11:26:37 -07:00
fintek-cir.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 157 2019-05-30 11:26:37 -07:00
gpio-ir-recv.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 284 2019-06-05 17:36:37 +02:00
gpio-ir-tx.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 122 2019-05-24 17:39:03 +02:00
igorplugusb.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 157 2019-05-30 11:26:37 -07:00
iguanair.c media: iguanair: add sanity checks 2019-08-04 06:34:14 -03:00
imon_raw.c media: imon_raw: simplify loop 2019-10-16 11:46:38 -03:00
imon.c media: imon: invalid dereference in imon_touch_event 2019-10-24 18:58:16 -03:00
ir-hix5hd2.c media: Remove dev_err() usage after platform_get_irq() 2019-08-07 17:08:33 -03:00
ir-imon-decoder.c media: rc: imon: report mouse events using rc-core's input device 2018-10-05 06:55:08 -04:00
ir-jvc-decoder.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 285 2019-06-05 17:36:37 +02:00
ir-mce_kbd-decoder.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 285 2019-06-05 17:36:37 +02:00
ir-nec-decoder.c media: rc: set timeout to smallest value required by enabled protocols 2018-04-20 09:14:31 -04:00
ir-rc5-decoder.c media: rc: decoders do not need to check for transitions 2018-05-14 07:16:24 -04:00
ir-rc6-decoder.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 285 2019-06-05 17:36:37 +02:00
ir-rcmm-decoder.c media: rc: increase rc-mm tolerance and add debug message 2019-10-07 07:32:41 -03:00
ir-rx51.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 157 2019-05-30 11:26:37 -07:00
ir-sanyo-decoder.c media: rc: set timeout to smallest value required by enabled protocols 2018-04-20 09:14:31 -04:00
ir-sharp-decoder.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 285 2019-06-05 17:36:37 +02:00
ir-sony-decoder.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 285 2019-06-05 17:36:37 +02:00
ir-spi.c media: spi: IR LED: add missing of table registration 2019-05-22 15:27:37 -04:00
ir-xmp-decoder.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 285 2019-06-05 17:36:37 +02:00
ite-cir.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 157 2019-05-30 11:26:37 -07:00
ite-cir.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 157 2019-05-30 11:26:37 -07:00
Kconfig treewide: Add SPDX license identifier - Makefile/Kconfig 2019-05-21 10:50:46 +02:00
lirc_dev.c media: rc: IR signal for Panasonic air conditioner too long 2019-06-21 15:33:48 -04:00
Makefile media: rc: rcmm decoder and encoder 2019-02-18 15:39:49 -05:00
mceusb.c media: mceusb: fix out of bounds read in MCE receiver buffer 2019-10-07 07:35:48 -03:00
meson-ir.c media: Remove dev_err() usage after platform_get_irq() 2019-08-07 17:08:33 -03:00
mtk-cir.c media: Remove dev_err() usage after platform_get_irq() 2019-08-07 17:08:33 -03:00
nuvoton-cir.c media: rc: Remove init_ir_raw_event and DEFINE_IR_RAW_EVENT macros 2018-10-04 14:22:27 -04:00
nuvoton-cir.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 157 2019-05-30 11:26:37 -07:00
pwm-ir-tx.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 122 2019-05-24 17:39:03 +02:00
rc-core-priv.h media: rc: Use the correct style for SPDX License Identifier 2019-10-07 07:44:33 -03:00
rc-ir-raw.c media: rc: fix several typos 2019-03-01 09:39:39 -05:00
rc-loopback.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 157 2019-05-30 11:26:37 -07:00
rc-main.c media: rc: mark input device as pointing stick 2019-10-07 07:32:11 -03:00
redrat3.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 157 2019-05-30 11:26:37 -07:00
serial_ir.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 157 2019-05-30 11:26:37 -07:00
sir_ir.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
st_rc.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
streamzap.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 157 2019-05-30 11:26:37 -07:00
sunxi-cir.c media: Remove dev_err() usage after platform_get_irq() 2019-08-07 17:08:33 -03:00
tango-ir.c media: rc: Use devm_platform_ioremap_resource() in tango_ir_probe() 2019-10-07 07:44:56 -03:00
ttusbir.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 157 2019-05-30 11:26:37 -07:00
winbond-cir.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 157 2019-05-30 11:26:37 -07:00
xbox_remote.c media: rc: xbox_remote: add protocol and set timeout 2019-04-22 13:02:53 -04:00
zx-irdec.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00