From: Dongliang Mu
To: Dmitry Torokhov, Pavel Rojtberg, Vicki Pfau, Nate Yocom, Mattijs Korpershoek, John Butler, Matthias Benkmann, Christopher Crockett, Santosh De Massari
Cc: hust-os-kernel-patches@googlegroups.com, Dongliang Mu, syzbot+a3f758b8d8cb7e49afec@syzkaller.appspotmail.com, "Pierre-Loup A. Griffais", linux-input@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH] Input: xpad - fix GPF in xpad_probe
Date: Fri, 14 Apr 2023 20:55:47 +0800
Message-Id: <20230414125603.686123-1-dzm91@hust.edu.cn>

In xpad_probe(), it does not allocate xpad->dev with input_dev type. Then, when it invokes dev_warn with 1st argument - &xpad->dev->dev, it would trigger GPF.

Fix this by allocating xpad->dev, its error handling and cleanup operations in the remove function.

Note that this crash does not have any reproducer, so the patch only passes compilation testing.

Reported-by: syzbot+a3f758b8d8cb7e49afec@syzkaller.appspotmail.com
Signed-off-by: Dongliang Mu
--- drivers/input/joystick/xpad.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/drivers/input/joystick/xpad.c b/drivers/input/joystick/xpad.c index 66a92691a047..2e077b52f46a 100644 --- a/drivers/input/joystick/xpad.c +++ b/drivers/input/joystick/xpad.c @@ -1944,6 +1944,7 @@ static int xpad_probe(struct usb_interface *intf, const struct usb_device_id *id { struct usb_device *udev = interface_to_usbdev(intf); struct usb_xpad *xpad; + struct input_dev *input_dev; struct usb_endpoint_descriptor *ep_irq_in, *ep_irq_out; int i, error; 
@@ -1957,9 +1958,13 @@ static int xpad_probe(struct usb_interface *intf, const struct usb_device_id *id } xpad = kzalloc(sizeof(struct usb_xpad), GFP_KERNEL); - if (!xpad) - return -ENOMEM; + input_dev = input_allocate_device(); + if (!xpad || !input_dev) { + error = -ENOMEM; + goto err_free_mem; + } + xpad->dev = input_dev; usb_make_path(udev, xpad->phys, sizeof(xpad->phys)); strlcat(xpad->phys, "/input0", sizeof(xpad->phys)); @@ -2134,6 +2139,7 @@ static int xpad_probe(struct usb_interface *intf, const struct usb_device_id *id err_free_idata: usb_free_coherent(udev, XPAD_PKT_LEN, xpad->idata, xpad->idata_dma); err_free_mem: + input_free_device(input_dev); kfree(xpad); return error; } @@ -2159,6 +2165,7 @@ static void xpad_disconnect(struct usb_interface *intf) usb_free_coherent(xpad->udev, XPAD_PKT_LEN, xpad->idata, xpad->idata_dma); + input_free_device(xpad->dev); kfree(xpad); usb_set_intfdata(intf, NULL); -- 2.39.2
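Review bot: in the allocation block at the top of xpad_probe() (hunk @@ -1957), the new input_allocate_device() result is stored in xpad->dev, but none of the visible hunks configure or register that device, or remove any later assignment to xpad->dev. If the rest of the probe path sets xpad->dev again, this allocation is overwritten and leaked. The commit message describes the fault as dev_warn() dereferencing &xpad->dev->dev before the input device exists, so a narrower fix is to pass &intf->dev to that dev_warn() and leave the allocation where it is. If the early allocation stays, please show where the device is set up and registered.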
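Review bot: at the err_free_mem label (hunk @@ -2134), input_free_device(input_dev) now runs for every failure that falls through from err_free_idata, not only for the early -ENOMEM case. input_free_device() is valid only for a device that was never registered or whose registration failed. Please check each goto that reaches this label and confirm that none of them can arrive after xpad->dev has been registered or already released, otherwise this is a second release of the same device. Using xpad->dev here would also be unsafe because xpad may be NULL on the first goto, so a short comment saying why the local input_dev is used would help.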
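Review bot: in xpad_disconnect() (hunk @@ -2159), input_free_device(xpad->dev) is added just before kfree(xpad) with no input_unregister_device() visible in the context. A registered input device must be torn down with input_unregister_device(), which drops the final reference itself. Calling input_free_device() on a device that was registered, or after it has been unregistered elsewhere in the disconnect path, is a refcount imbalance that can end in a double free or use-after-free. Since the commit message says the patch was only compile-tested, this teardown path needs a runtime check with a device plugged and unplugged, ideally under KASAN, before it can be merged.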