Commit 8725aa4f authored Oct 23, 2019 by Andrew Duggan Committed by Jiri Kosina Nov 18, 2019

HID: rmi: Check that the RMI_STARTED bit is set before unregistering the RMI transport device

In the event that the RMI device is unreachable, the calls to rmi_set_mode() or
rmi_set_page() will fail before registering the RMI transport device. When the
device is removed, rmi_remove() will call rmi_unregister_transport_device()
which will attempt to access the rmi_dev pointer which was not set.
This patch adds a check of the RMI_STARTED bit before calling
rmi_unregister_transport_device().  The RMI_STARTED bit is only set
after rmi_register_transport_device() completes successfully.

The kernel oops was reported in this message:
https://www.spinics.net/lists/linux-input/msg58433.html



[jkosina@suse.cz: reworded changelog as agreed with Andrew]
Signed-off-by: Andrew Duggan <aduggan@synaptics.com>
Reported-by: Federico Cerutti <federico@ceres-c.it>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>

parent fd70466d

drivers/hid/hid-rmi.c

+2 −1

Original line number	Original line	Diff line number	Diff line
	@@ -744,7 +744,8 @@ static void rmi_remove(struct hid_device *hdev)
	{		{
	struct rmi_data *hdata = hid_get_drvdata(hdev);		struct rmi_data *hdata = hid_get_drvdata(hdev);

	if (hdata->device_flags & RMI_DEVICE) {		if ((hdata->device_flags & RMI_DEVICE)
			&& test_bit(RMI_STARTED, &hdata->flags)) {
	clear_bit(RMI_STARTED, &hdata->flags);		clear_bit(RMI_STARTED, &hdata->flags);
	cancel_work_sync(&hdata->reset_work);		cancel_work_sync(&hdata->reset_work);
	rmi_unregister_transport_device(&hdata->xport);		rmi_unregister_transport_device(&hdata->xport);

Admin message