tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

Input: cros_ec_keyb - fix an invalid memory access

If cros_ec_keyb_register_matrix() isn't called (due to
`buttons_switches_only`) in cros_ec_keyb_probe(), `ckdev->idev` remains
NULL. An invalid memory access is observed in cros_ec_keyb_process()
when receiving an EC_MKBP_EVENT_KEY_MATRIX event in cros_ec_keyb_work()
in such case.

Unable to handle kernel read from unreadable memory at virtual address 0000000000000028
...
x3 : 0000000000000000 x2 : 0000000000000000
x1 : 0000000000000000 x0 : 0000000000000000
Call trace:
input_event
cros_ec_keyb_work
blocking_notifier_call_chain
ec_irq_thread

It's still unknown about why the kernel receives such malformed event,
in any cases, the kernel shouldn't access `ckdev->idev` and friends if
the driver doesn't intend to initialize them.

Signed-off-by: Tzung-Bi Shih <tzungbi@kernel.org>
Link: https://patch.msgid.link/20251104070310.3212712-1-tzungbi@kernel.org
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>

authored by

Tzung-Bi Shih and committed by
Dmitry Torokhov e08969c4 d83f1512

+6
+6
drivers/input/keyboard/cros_ec_keyb.c
··· 261 261 case EC_MKBP_EVENT_KEY_MATRIX: 262 262 pm_wakeup_event(ckdev->dev, 0); 263 263 264 + if (!ckdev->idev) { 265 + dev_warn_once(ckdev->dev, 266 + "Unexpected key matrix event\n"); 267 + return NOTIFY_OK; 268 + } 269 + 264 270 if (ckdev->ec->event_size != ckdev->cols) { 265 271 dev_err(ckdev->dev, 266 272 "Discarded incomplete key matrix event.\n");