Subject: [PATCH v2 1/3] HID: hid-bigbenff: fix general protection fault caused by double kfree
From: Hanno Zulla
To: Benjamin Tissoires
Cc: Jiri Kosina, "open list:HID CORE LAYER", lkml
Date: Tue, 18 Feb 2020 12:37:47 +0100
Message-ID: <266828ed-d335-d707-56ef-622fd1cc216d@hanno.de>
In-Reply-To: <74d73ebc-0cff-768d-00b7-57bb9b44124f@hanno.de>

HID: hid-bigbenff: fix general protection fault caused by double kfree

The struct *bigben was allocated via devm_kzalloc() and then used as a
parameter in input_ff_create_memless(). This caused a double kfree
during removal of the device, since both the managed resource API and
ml_ff_destroy() in drivers/input/ff-memless.c would call kfree() on it.

Signed-off-by: Hanno Zulla
---
 drivers/hid/hid-bigbenff.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/drivers/hid/hid-bigbenff.c b/drivers/hid/hid-bigbenff.c index 3f6abd190df4..f7e85bacb688 100644 --- a/drivers/hid/hid-bigbenff.c +++ b/drivers/hid/hid-bigbenff.c 
@@ -220,10 +220,16 @@ static void bigben_worker(struct work_struct *work) static int hid_bigben_play_effect(struct input_dev *dev, void *data, struct ff_effect *effect) { - struct bigben_device *bigben = data; + struct hid_device *hid = input_get_drvdata(dev); + struct bigben_device *bigben = hid_get_drvdata(hid); u8 right_motor_on; u8 left_motor_force; + if (!bigben) { + hid_err(hid, "no device data\n"); + return 0; + } + if (effect->type != FF_RUMBLE) return 0; @@ -341,7 +347,7 @@ static int bigben_probe(struct hid_device *hid, INIT_WORK(&bigben->worker, bigben_worker); - error = input_ff_create_memless(hidinput->input, bigben, + error = input_ff_create_memless(hidinput->input, NULL, hid_bigben_play_effect); if (error) return error; -- 2.20.1
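
Review bot: In the first hunk (hid_bigben_play_effect), the new "if (!bigben)" branch logs with hid_err() and then does "return 0;", which reports success to the caller although no effect was played. A negative errno such as -ENODEV would make the failure visible. In the same hunk, hid comes from input_get_drvdata(dev) and is handed to hid_get_drvdata() and hid_err() without a check of its own; if it can be NULL on this path the guard should cover it too, and if it cannot, please say why bigben can be. The "void *data" parameter is now unused in this function, which deserves a one-line comment.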
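
Review bot: In the second hunk (bigben_probe), the NULL now passed as the data argument of input_ff_create_memless() carries no comment, so a later cleanup could easily put bigben back and reintroduce the double kfree. Please add a short comment above the call stating that ml_ff_destroy() calls kfree() on this pointer while bigben is owned by devm_kzalloc(), so it must not be passed here. The callback now depends on hid_get_drvdata(hid) returning bigben, but the context lines do not show where hid_set_drvdata() is called; please confirm it runs before this call, since the callback is registered here.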