From patchwork Mon Feb 17 15:25:54 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Hanno Zulla X-Patchwork-Id: 11386681 X-Patchwork-Delegate: jikos@jikos.cz Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id DD178159A for ; Mon, 17 Feb 2020 15:25:58 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id BCF80222D9 for ; Mon, 17 Feb 2020 15:25:58 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=fail reason="signature verification failed" (2048-bit key) header.d=hanno.de header.i=@hanno.de header.b="D2lB239x" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727533AbgBQPZ6 (ORCPT ); Mon, 17 Feb 2020 10:25:58 -0500 Received: from www149.your-server.de ([78.47.15.70]:34078 "EHLO www149.your-server.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727329AbgBQPZ6 (ORCPT ); Mon, 17 Feb 2020 10:25:58 -0500 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=hanno.de; s=default1911; h=Content-Transfer-Encoding:Content-Type:In-Reply-To: MIME-Version:Date:Message-ID:References:To:From:Subject:Sender:Reply-To:Cc: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=P5DWN49D92TYsuLESpqd7fS0a6DhOWs1cg95OmyVKFk=; b=D2lB239xIof0jQmbs+GSHfSNbe CMoDIL7ln0iQ7lJIMnWDjDJmJlzg8vxPAO8N1/n6EqKTVSx1FRDIB9SF5OSc3lFkpPIb3XVMywhIk 2J6E9UFfXCDohvAIJdetYWPzVAAdrZlaVrsNVB0YunW94QPcZdLFyLjOR8fITnEP8W1YsRGFNj0sc DdO/Y3OJRNQxo9P7UvID3Ty9gR8ttOXTto6cDLlsFLmLNdz0wgucfiNd4yUmmcVK5pg+9BToxclTF HrdOY63IXqFjuVYPbhucOAn0L6r1UwTtJ7yB3UL0EEmFSraFoiRwtRnlDbQMvhGbuQnIdH8quq5S1 Zr3xR+bQ==; Received: from sslproxy06.your-server.de ([78.46.172.3]) by www149.your-server.de with esmtpsa (TLSv1.3:TLS_AES_256_GCM_SHA384:256) (Exim 4.92.3) (envelope-from ) id 1j3iHS-0004ld-Q4; Mon, 17 Feb 2020 16:25:54 +0100 Received: from [62.96.7.134] (helo=[10.1.0.41]) by sslproxy06.your-server.de with esmtpsa (TLSv1.3:TLS_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1j3iHS-00080q-MV; Mon, 17 Feb 2020 16:25:54 +0100 Subject: [PATCH 1/3] HID: hid-bigbenff: fix general protection fault caused by double kfree From: Hanno Zulla To: Jiri Kosina , Benjamin Tissoires , linux-input@vger.kernel.org, linux-kernel@vger.kernel.org References: Message-ID: <798ec119-ce24-e1e3-17c9-b6018b04d75f@hanno.de> Date: Mon, 17 Feb 2020 16:25:54 +0100 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.4.1 MIME-Version: 1.0 In-Reply-To: Content-Language: en-US X-Authenticated-Sender: abos@hanno.de X-Virus-Scanned: Clear (ClamAV 0.102.1/25726/Mon Feb 17 15:01:07 2020) Sender: linux-input-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-input@vger.kernel.org HID: hid-bigbenff: fix general protection fault caused by double kfree The struct *bigben was allocated via devm_kzalloc() and then used as a parameter in input_ff_create_memless(). This caused a double kfree during removal of the device, since both the managed resource API and ml_ff_destroy() in drivers/input/ff-memless.c would call kfree() on it. Signed-off-by: Hanno Zulla --- drivers/hid/hid-bigbenff.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/drivers/hid/hid-bigbenff.c b/drivers/hid/hid-bigbenff.c index 3f6abd190df4..f7e85bacb688 100644 --- a/drivers/hid/hid-bigbenff.c +++ b/drivers/hid/hid-bigbenff.c @@ -220,10 +220,16 @@ static void bigben_worker(struct work_struct *work) static int hid_bigben_play_effect(struct input_dev *dev, void *data, struct ff_effect *effect) { - struct bigben_device *bigben = data; + struct hid_device *hid = input_get_drvdata(dev); + struct bigben_device *bigben = hid_get_drvdata(hid); u8 right_motor_on; u8 left_motor_force; + if (!bigben) { + hid_err(hid, "no device data\n"); + return 0; + } + if (effect->type != FF_RUMBLE) return 0; @@ -341,7 +347,7 @@ static int bigben_probe(struct hid_device *hid, INIT_WORK(&bigben->worker, bigben_worker); - error = input_ff_create_memless(hidinput->input, bigben, + error = input_ff_create_memless(hidinput->input, NULL, hid_bigben_play_effect); if (error) return error; From patchwork Mon Feb 17 15:26:43 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Hanno Zulla X-Patchwork-Id: 11386683 X-Patchwork-Delegate: jikos@jikos.cz Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 462B4924 for ; Mon, 17 Feb 2020 15:26:49 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 25EBC20801 for ; Mon, 17 Feb 2020 15:26:49 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=fail reason="signature verification failed" (2048-bit key) header.d=hanno.de header.i=@hanno.de header.b="Zn+oCkzU" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727107AbgBQP0s (ORCPT ); Mon, 17 Feb 2020 10:26:48 -0500 Received: from www149.your-server.de ([78.47.15.70]:34788 "EHLO www149.your-server.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726397AbgBQP0s (ORCPT ); Mon, 17 Feb 2020 10:26:48 -0500 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=hanno.de; s=default1911; h=Content-Transfer-Encoding:Content-Type:In-Reply-To: MIME-Version:Date:Message-ID:References:To:From:Subject:Sender:Reply-To:Cc: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=Bb4OdgL+FDT36bk2A4nHd/zr93kNst/7y92D3y2OBd0=; b=Zn+oCkzUO5VaWdajzLkIySEex5 BPBHU/QGBcRWeHLwRb5CN9+69ovJuCvgdT9LEBd2m6PXzAoUb51qzltqAkS9hrVA+cLfu4nFKhgQS zzASf8KcJ0YI5Y62ZyFWS4hENFOLVW1HVlNYSe8rdpRkzeX5DgvJOK+NKOcYlwetiAyKG/na26tUu qWpI2jxFzPmBCKr0u8Qkf9X31OTAgJSBLQXAH04ZA534/Eg+D8nn+a/wpfVlOccWt585FiEEq8QVy AKPJlyhz423sUmRiDVp4VhpasDVtXwWSTJHqVdC38O/i9bU5x16nHWh5DQGHJf3Fm0q4wD5xdFhv/ q4kg80zg==; Received: from sslproxy06.your-server.de ([78.46.172.3]) by www149.your-server.de with esmtpsa (TLSv1.3:TLS_AES_256_GCM_SHA384:256) (Exim 4.92.3) (envelope-from ) id 1j3iIG-0004oz-CY; Mon, 17 Feb 2020 16:26:44 +0100 Received: from [62.96.7.134] (helo=[10.1.0.41]) by sslproxy06.your-server.de with esmtpsa (TLSv1.3:TLS_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1j3iIG-000Bhk-7i; Mon, 17 Feb 2020 16:26:44 +0100 Subject: [PATCH 2/3] HID: hid-bigbenff: call hid_hw_stop() in case of error From: Hanno Zulla To: Jiri Kosina , Benjamin Tissoires , linux-input@vger.kernel.org, linux-kernel@vger.kernel.org References: <798ec119-ce24-e1e3-17c9-b6018b04d75f@hanno.de> Message-ID: <1c355bbe-c0fb-395c-9050-346f87eb324c@hanno.de> Date: Mon, 17 Feb 2020 16:26:43 +0100 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.4.1 MIME-Version: 1.0 In-Reply-To: <798ec119-ce24-e1e3-17c9-b6018b04d75f@hanno.de> Content-Language: de-DE X-Authenticated-Sender: abos@hanno.de X-Virus-Scanned: Clear (ClamAV 0.102.1/25726/Mon Feb 17 15:01:07 2020) Sender: linux-input-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-input@vger.kernel.org [PATCH 2/3] HID: hid-bigbenff: call hid_hw_stop() in case of error It's required to call hid_hw_stop() once hid_hw_start() was called previously, so error cases need to handle this. Also, hid_hw_close() is not necessary during removal. Signed-off-by: Hanno Zulla --- drivers/hid/hid-bigbenff.c | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/drivers/hid/hid-bigbenff.c b/drivers/hid/hid-bigbenff.c index f7e85bacb688..f8c552b64a89 100644 --- a/drivers/hid/hid-bigbenff.c +++ b/drivers/hid/hid-bigbenff.c @@ -305,7 +305,6 @@ static void bigben_remove(struct hid_device *hid) struct bigben_device *bigben = hid_get_drvdata(hid); cancel_work_sync(&bigben->worker); - hid_hw_close(hid); hid_hw_stop(hid); } @@ -350,7 +349,7 @@ static int bigben_probe(struct hid_device *hid, error = input_ff_create_memless(hidinput->input, NULL, hid_bigben_play_effect); if (error) - return error; + goto error_hw_stop; name_sz = strlen(dev_name(&hid->dev)) + strlen(":red:bigben#") + 1; @@ -360,8 +359,10 @@ static int bigben_probe(struct hid_device *hid, sizeof(struct led_classdev) + name_sz, GFP_KERNEL ); - if (!led) - return -ENOMEM; + if (!led) { + error = -ENOMEM; + goto error_hw_stop; + } name = (void *)(&led[1]); snprintf(name, name_sz, "%s:red:bigben%d", @@ -375,7 +376,7 @@ static int bigben_probe(struct hid_device *hid, bigben->leds[n] = led; error = devm_led_classdev_register(&hid->dev, led); if (error) - return error; + goto error_hw_stop; } /* initial state: LED1 is on, no rumble effect */ @@ -389,6 +390,10 @@ static int bigben_probe(struct hid_device *hid, hid_info(hid, "LED and force feedback support for BigBen gamepad\n"); return 0; + +error_hw_stop: + hid_hw_stop(hid); + return error; } static __u8 *bigben_report_fixup(struct hid_device *hid, __u8 *rdesc, From patchwork Mon Feb 17 15:27:49 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Hanno Zulla X-Patchwork-Id: 11386685 X-Patchwork-Delegate: jikos@jikos.cz Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 9A08117E8 for ; Mon, 17 Feb 2020 15:27:54 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 79A7D20801 for ; Mon, 17 Feb 2020 15:27:54 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=fail reason="signature verification failed" (2048-bit key) header.d=hanno.de header.i=@hanno.de header.b="CfA7MMRT" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726911AbgBQP1y (ORCPT ); Mon, 17 Feb 2020 10:27:54 -0500 Received: from www149.your-server.de ([78.47.15.70]:35408 "EHLO www149.your-server.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726528AbgBQP1x (ORCPT ); Mon, 17 Feb 2020 10:27:53 -0500 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=hanno.de; s=default1911; h=Content-Transfer-Encoding:Content-Type:In-Reply-To: MIME-Version:Date:Message-ID:References:To:From:Subject:Sender:Reply-To:Cc: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=wcHYCgvIc1V4L4eqgKkfizJKSrtKfmAWPhFBpvyI6bQ=; b=CfA7MMRTU9iH7WaHpY+SpuuLuS wTXycQngxf33BvZiH7nz/WRHkiRUmkZEaSSOzK3Vg82OuD0KXbwIMIono5wT4BCW3bDLmCzcnIWn6 Hw8gmHBlnkak3TwCNcC8bJrVwGhNqakK0nhRHer79drJ0t/2tRGH5Bt3GyzGdO5zOt1x2mM0GYYst qE72AZnmmqGYewTYW1oj/KDOj7mvQdOuO+m7FrCXxBXlIbah6fLIShjejJFIiYNVmb8vtAxfNe2l6 4HGb7wkdGdZT+ovAJbFGOf4coUJ58T4Mb+gG8zy67Gc93LU8YVi/f/NshVFmKVKhHIct4gDsp+R8f f3MstsZQ==; Received: from sslproxy06.your-server.de ([78.46.172.3]) by www149.your-server.de with esmtpsa (TLSv1.3:TLS_AES_256_GCM_SHA384:256) (Exim 4.92.3) (envelope-from ) id 1j3iJJ-0004sF-OY; Mon, 17 Feb 2020 16:27:49 +0100 Received: from [62.96.7.134] (helo=[10.1.0.41]) by sslproxy06.your-server.de with esmtpsa (TLSv1.3:TLS_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1j3iJJ-000GeY-Jh; Mon, 17 Feb 2020 16:27:49 +0100 Subject: [PATCH 3/3] HID: hid-bigbenff: fix race condition for scheduled work during removal From: Hanno Zulla To: Jiri Kosina , Benjamin Tissoires , linux-input@vger.kernel.org, linux-kernel@vger.kernel.org References: <798ec119-ce24-e1e3-17c9-b6018b04d75f@hanno.de> <1c355bbe-c0fb-395c-9050-346f87eb324c@hanno.de> Message-ID: <782af9b1-b648-bd21-b0f0-b0db22b8c0b7@hanno.de> Date: Mon, 17 Feb 2020 16:27:49 +0100 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.4.1 MIME-Version: 1.0 In-Reply-To: <1c355bbe-c0fb-395c-9050-346f87eb324c@hanno.de> Content-Language: de-DE X-Authenticated-Sender: abos@hanno.de X-Virus-Scanned: Clear (ClamAV 0.102.1/25726/Mon Feb 17 15:01:07 2020) Sender: linux-input-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-input@vger.kernel.org HID: hid-bigbenff: fix race condition for scheduled work during removal It's possible that there is scheduled work left while the device is already being removed, which can cause a kernel crash. Adding a flag will avoid this. Signed-off-by: Hanno Zulla --- drivers/hid/hid-bigbenff.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/hid/hid-bigbenff.c b/drivers/hid/hid-bigbenff.c index f8c552b64a89..db6da21ade06 100644 --- a/drivers/hid/hid-bigbenff.c +++ b/drivers/hid/hid-bigbenff.c @@ -174,6 +174,7 @@ static __u8 pid0902_rdesc_fixed[] = { struct bigben_device { struct hid_device *hid; struct hid_report *report; + bool removed; u8 led_state; /* LED1 = 1 .. LED4 = 8 */ u8 right_motor_on; /* right motor off/on 0/1 */ u8 left_motor_force; /* left motor force 0-255 */ @@ -190,6 +191,9 @@ static void bigben_worker(struct work_struct *work) struct bigben_device, worker); struct hid_field *report_field = bigben->report->field[0]; + if (bigben->removed) + return; + if (bigben->work_led) { bigben->work_led = false; report_field->value[0] = 0x01; /* 1 = led message */ @@ -304,6 +308,7 @@ static void bigben_remove(struct hid_device *hid) { struct bigben_device *bigben = hid_get_drvdata(hid); + bigben->removed = true; cancel_work_sync(&bigben->worker); hid_hw_stop(hid); } @@ -324,6 +329,7 @@ static int bigben_probe(struct hid_device *hid, return -ENOMEM; hid_set_drvdata(hid, bigben); bigben->hid = hid; + bigben->removed = false; error = hid_parse(hid); if (error) {