[PATCH] Input: mtk-pmic-keys: Fix null pointer dereference when no compatible data

Mon Jun 30 07:06:53 PDT 2025

Il 30/06/25 16:03, Louis-Alexis Eyraud ha scritto:
> In mtk_pmic_keys_probe function, the of_match_device function is
> called to retrieve the compatible platform device info but its return
> data pointer is not checked. It can lead to a null pointer deference
> later when accessing the data field, if of_match_device returned a null
> pointer. So, add a pointer check after calling of_match_device function
> and return an EINVAL error in null case.
> 
> Signed-off-by: Louis-Alexis Eyraud <louisalexis.eyraud at collabora.com>
> ---
> This patch fixes a NULL pointer dereference that occurs during the
> mtk_pmic_keys driver probe and observed at least on Mediatek Genio
> 1200-EVK board with a kernel based on linux-next (tag: 20250630),
> when it is configured to have mtk_pmic_keys driver as builtin
> (CONFIG_KEYBOARD_MTK_PMIC=y):
> ```
> Unable to handle kernel NULL pointer dereference at virtual address
>    00000000000000c0
> Mem abort info:
>    ESR = 0x0000000096000004
>    EC = 0x25: DABT (current EL), IL = 32 bits
>    SET = 0, FnV = 0
>    EA = 0, S1PTW = 0
>    FSC = 0x04: level 0 translation fault
> Data abort info:
>    ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
>    CM = 0, WnR = 0, TnD = 0, TagAccess = 0
>    GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
> [00000000000000c0] user address but active_mm is swapper
> Internal error: Oops: 0000000096000004 [#1]  SMP
> Modules linked in:
> CPU: 4 UID: 0 PID: 1 Comm: swapper/0 Not tainted
>    6.16.0-rc4-next-20250630-00001-gea99c662a089 #145 PREEMPT
> Hardware name: MediaTek Genio 1200 EVK-P1V2-EMMC (DT)
> pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
> pc : mtk_pmic_keys_probe+0x94/0x500
> lr : mtk_pmic_keys_probe+0x78/0x500
> sp : ffff80008275bb30
> x29: ffff80008275bb70 x28: ffff80008202bbb0 x27: ffff800081df00b0
> x26: ffff800081ef9060 x25: ffff0000c6fcf400 x24: 0000000000000000
> x23: 0000000000000000 x22: ffff0000c6fcf410 x21: ffff0000c09f8480
> x20: ffff0000c09f4b80 x19: 0000000000000000 x18: 00000000ffffffff
> x17: ffff8000824cb228 x16: 00000000d7fcbc9e x15: ffff0000c0a2b274
> x14: ffff80008275bad0 x13: ffff0000c0a2ba1c x12: 786d692d696d6373
> x11: 0000000000000040 x10: 0000000000000001 x9 : 0000000000000000
> x8 : ffff0000c09f8500 x7 : 0000000000000000 x6 : 000000000000003f
> x5 : 0000000000000040 x4 : ffff0000c6fcf410 x3 : ffff0000c6fcf6c0
> x2 : ffff0000c09f8400 x1 : ffff0000c36da000 x0 : ffff0000c6fcf410
> Call trace:
>   mtk_pmic_keys_probe+0x94/0x500 (P)
>   platform_probe+0x68/0xdc
>   really_probe+0xbc/0x2c0
>   __driver_probe_device+0x78/0x120
>   driver_probe_device+0x3c/0x154
>   __driver_attach+0x90/0x1a0
>   bus_for_each_dev+0x7c/0xdc
>   driver_attach+0x24/0x30
>   bus_add_driver+0xe4/0x208
>   driver_register+0x68/0x130
>   __platform_driver_register+0x24/0x30
>   pmic_keys_pdrv_init+0x1c/0x28
>   do_one_initcall+0x60/0x1d4
>   kernel_init_freeable+0x24c/0x2b4
>   kernel_init+0x20/0x140
>   ret_from_fork+0x10/0x20
> Code: aa1603e0 f90006b6 f9400681 f9000aa1 (f9406261)
> ---[ end trace 0000000000000000 ]---
> ```
> ---
>   drivers/input/keyboard/mtk-pmic-keys.c | 3 +++
>   1 file changed, 3 insertions(+)
> 
> diff --git a/drivers/input/keyboard/mtk-pmic-keys.c b/drivers/input/keyboard/mtk-pmic-keys.c
> index 061d48350df661dd26832b307e1460ee8b8fd535..42fb93086db308ad87a276be4b53e9725a3a701b 100644
> --- a/drivers/input/keyboard/mtk-pmic-keys.c
> +++ b/drivers/input/keyboard/mtk-pmic-keys.c
> @@ -316,6 +316,9 @@ static int mtk_pmic_keys_probe(struct platform_device *pdev)
>   	const struct of_device_id *of_id =
>   		of_match_device(of_mtk_pmic_keys_match_tbl, &pdev->dev);
>   
> +	if (!of_id)
> +		return -EINVAL;

Please, change this to `return -ENODEV;`

after which:

Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno at collabora.com>