mirror of
https://github.com/torvalds/linux.git
synced 2024-11-25 13:41:51 +00:00
91cfe0bbaa
When CONFIG_HID_UCLOGIC=y and CONFIG_KUNIT_ALL_TESTS=y, launch kernel and
then the below user-memory-access bug occurs.
In hid_test_uclogic_params_cleanup_event_hooks(),it call
uclogic_params_ugee_v2_init_event_hooks() with the first arg=NULL, so
when it calls uclogic_params_ugee_v2_has_battery(), the hid_get_drvdata()
will access hdev->dev with hdev=NULL, which will cause below
user-memory-access.
So add a fake_device with quirks member and call hid_set_drvdata()
to assign hdev->dev->driver_data which avoids the null-ptr-def bug
for drvdata->quirks in uclogic_params_ugee_v2_has_battery(). After applying
this patch, the below user-memory-access bug never occurs.
general protection fault, probably for non-canonical address 0xdffffc0000000329: 0000 [#1] PREEMPT SMP KASAN
KASAN: probably user-memory-access in range [0x0000000000001948-0x000000000000194f]
CPU: 5 PID: 2189 Comm: kunit_try_catch Tainted: G B W N 6.6.0-rc2+ #30
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RIP: 0010:uclogic_params_ugee_v2_init_event_hooks+0x87/0x600
Code: f3 f3 65 48 8b 14 25 28 00 00 00 48 89 54 24 60 31 d2 48 89 fa c7 44 24 30 00 00 00 00 48 c7 44 24 28 02 f8 02 01 48 c1 ea 03 <80> 3c 02 00 0f 85 2c 04 00 00 48 8b 9d 48 19 00 00 48 b8 00 00 00
RSP: 0000:ffff88810679fc88 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 0000000000000004 RCX: 0000000000000000
RDX: 0000000000000329 RSI: ffff88810679fd88 RDI: 0000000000001948
RBP: 0000000000000000 R08: 0000000000000000 R09: ffffed1020f639f0
R10: ffff888107b1cf87 R11: 0000000000000400 R12: 1ffff11020cf3f92
R13: ffff88810679fd88 R14: ffff888100b97b08 R15: ffff8881030bb080
FS: 0000000000000000(0000) GS:ffff888119e80000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 0000000005286001 CR4: 0000000000770ee0
DR0: ffffffff8fdd6cf4 DR1: ffffffff8fdd6cf5 DR2: ffffffff8fdd6cf6
DR3: ffffffff8fdd6cf7 DR6: 00000000fffe0ff0 DR7: 0000000000000600
PKRU: 55555554
Call Trace:
<TASK>
? die_addr+0x3d/0xa0
? exc_general_protection+0x144/0x220
? asm_exc_general_protection+0x22/0x30
? uclogic_params_ugee_v2_init_event_hooks+0x87/0x600
? sched_clock_cpu+0x69/0x550
? uclogic_parse_ugee_v2_desc_gen_params+0x70/0x70
? load_balance+0x2950/0x2950
? rcu_trc_cmpxchg_need_qs+0x67/0xa0
hid_test_uclogic_params_cleanup_event_hooks+0x9e/0x1a0
? uclogic_params_ugee_v2_init_event_hooks+0x600/0x600
? __switch_to+0x5cf/0xe60
? migrate_enable+0x260/0x260
? __kthread_parkme+0x83/0x150
? kunit_try_run_case_cleanup+0xe0/0xe0
kunit_generic_run_threadfn_adapter+0x4a/0x90
? kunit_try_catch_throw+0x80/0x80
kthread+0x2b5/0x380
? kthread_complete_and_exit+0x20/0x20
ret_from_fork+0x2d/0x70
? kthread_complete_and_exit+0x20/0x20
ret_from_fork_asm+0x11/0x20
</TASK>
Modules linked in:
Dumping ftrace buffer:
(ftrace buffer empty)
---[ end trace 0000000000000000 ]---
RIP: 0010:uclogic_params_ugee_v2_init_event_hooks+0x87/0x600
Code: f3 f3 65 48 8b 14 25 28 00 00 00 48 89 54 24 60 31 d2 48 89 fa c7 44 24 30 00 00 00 00 48 c7 44 24 28 02 f8 02 01 48 c1 ea 03 <80> 3c 02 00 0f 85 2c 04 00 00 48 8b 9d 48 19 00 00 48 b8 00 00 00
RSP: 0000:ffff88810679fc88 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 0000000000000004 RCX: 0000000000000000
RDX: 0000000000000329 RSI: ffff88810679fd88 RDI: 0000000000001948
RBP: 0000000000000000 R08: 0000000000000000 R09: ffffed1020f639f0
R10: ffff888107b1cf87 R11: 0000000000000400 R12: 1ffff11020cf3f92
R13: ffff88810679fd88 R14: ffff888100b97b08 R15: ffff8881030bb080
FS: 0000000000000000(0000) GS:ffff888119e80000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 0000000005286001 CR4: 0000000000770ee0
DR0: ffffffff8fdd6cf4 DR1: ffffffff8fdd6cf5 DR2: ffffffff8fdd6cf6
DR3: ffffffff8fdd6cf7 DR6: 00000000fffe0ff0 DR7: 0000000000000600
PKRU: 55555554
Kernel panic - not syncing: Fatal exception
Dumping ftrace buffer:
(ftrace buffer empty)
Kernel Offset: disabled
Rebooting in 1 seconds..
Fixes:
|
||
|---|---|---|
| .. | ||
| amd-sfh-hid | ||
| bpf | ||
| i2c-hid | ||
| intel-ish-hid | ||
| surface-hid | ||
| usbhid | ||
| .kunitconfig | ||
| hid-a4tech.c | ||
| hid-accutouch.c | ||
| hid-alps.c | ||
| hid-apple.c | ||
| hid-appleir.c | ||
| hid-asus.c | ||
| hid-aureal.c | ||
| hid-axff.c | ||
| hid-belkin.c | ||
| hid-betopff.c | ||
| hid-bigbenff.c | ||
| hid-cherry.c | ||
| hid-chicony.c | ||
| hid-cmedia.c | ||
| hid-core.c | ||
| hid-corsair.c | ||
| hid-cougar.c | ||
| hid-cp2112.c | ||
| hid-creative-sb0540.c | ||
| hid-cypress.c | ||
| hid-debug.c | ||
| hid-dr.c | ||
| hid-elan.c | ||
| hid-elecom.c | ||
| hid-elo.c | ||
| hid-emsff.c | ||
| hid-evision.c | ||
| hid-ezkey.c | ||
| hid-ft260.c | ||
| hid-gaff.c | ||
| hid-gembird.c | ||
| hid-generic.c | ||
| hid-gfrm.c | ||
| hid-glorious.c | ||
| hid-google-hammer.c | ||
| hid-google-stadiaff.c | ||
| hid-gt683r.c | ||
| hid-gyration.c | ||
| hid-holtek-kbd.c | ||
| hid-holtek-mouse.c | ||
| hid-holtekff.c | ||
| hid-hyperv.c | ||
| hid-icade.c | ||
| hid-ids.h | ||
| hid-input-test.c | ||
| hid-input.c | ||
| hid-ite.c | ||
| hid-jabra.c | ||
| hid-kensington.c | ||
| hid-keytouch.c | ||
| hid-kye.c | ||
| hid-lcpower.c | ||
| hid-led.c | ||
| hid-lenovo.c | ||
| hid-letsketch.c | ||
| hid-lg2ff.c | ||
| hid-lg3ff.c | ||
| hid-lg4ff.c | ||
| hid-lg4ff.h | ||
| hid-lg-g15.c | ||
| hid-lg.c | ||
| hid-lg.h | ||
| hid-lgff.c | ||
| hid-logitech-dj.c | ||
| hid-logitech-hidpp.c | ||
| hid-macally.c | ||
| hid-magicmouse.c | ||
| hid-maltron.c | ||
| hid-mcp2221.c | ||
| hid-megaworld.c | ||
| hid-mf.c | ||
| hid-microsoft.c | ||
| hid-monterey.c | ||
| hid-multitouch.c | ||
| hid-nintendo.c | ||
| hid-nti.c | ||
| hid-ntrig.c | ||
| hid-nvidia-shield.c | ||
| hid-ortek.c | ||
| hid-penmount.c | ||
| hid-petalynx.c | ||
| hid-picolcd_backlight.c | ||
| hid-picolcd_cir.c | ||
| hid-picolcd_core.c | ||
| hid-picolcd_debugfs.c | ||
| hid-picolcd_fb.c | ||
| hid-picolcd_lcd.c | ||
| hid-picolcd_leds.c | ||
| hid-picolcd.h | ||
| hid-pl.c | ||
| hid-plantronics.c | ||
| hid-playstation.c | ||
| hid-primax.c | ||
| hid-prodikeys.c | ||
| hid-pxrc.c | ||
| hid-quirks.c | ||
| hid-razer.c | ||
| hid-redragon.c | ||
| hid-retrode.c | ||
| hid-rmi.c | ||
| hid-roccat-arvo.c | ||
| hid-roccat-arvo.h | ||
| hid-roccat-common.c | ||
| hid-roccat-common.h | ||
| hid-roccat-isku.c | ||
| hid-roccat-isku.h | ||
| hid-roccat-kone.c | ||
| hid-roccat-kone.h | ||
| hid-roccat-koneplus.c | ||
| hid-roccat-koneplus.h | ||
| hid-roccat-konepure.c | ||
| hid-roccat-kovaplus.c | ||
| hid-roccat-kovaplus.h | ||
| hid-roccat-lua.c | ||
| hid-roccat-lua.h | ||
| hid-roccat-pyra.c | ||
| hid-roccat-pyra.h | ||
| hid-roccat-ryos.c | ||
| hid-roccat-savu.c | ||
| hid-roccat-savu.h | ||
| hid-roccat.c | ||
| hid-saitek.c | ||
| hid-samsung.c | ||
| hid-semitek.c | ||
| hid-sensor-custom.c | ||
| hid-sensor-hub.c | ||
| hid-sigmamicro.c | ||
| hid-sjoy.c | ||
| hid-sony.c | ||
| hid-speedlink.c | ||
| hid-steam.c | ||
| hid-steelseries.c | ||
| hid-sunplus.c | ||
| hid-thrustmaster.c | ||
| hid-tivo.c | ||
| hid-tmff.c | ||
| hid-topre.c | ||
| hid-topseed.c | ||
| hid-twinhan.c | ||
| hid-u2fzero.c | ||
| hid-uclogic-core-test.c | ||
| hid-uclogic-core.c | ||
| hid-uclogic-params-test.c | ||
| hid-uclogic-params.c | ||
| hid-uclogic-params.h | ||
| hid-uclogic-rdesc-test.c | ||
| hid-uclogic-rdesc.c | ||
| hid-uclogic-rdesc.h | ||
| hid-udraw-ps3.c | ||
| hid-viewsonic.c | ||
| hid-vivaldi-common.c | ||
| hid-vivaldi-common.h | ||
| hid-vivaldi.c | ||
| hid-vrc2.c | ||
| hid-waltop.c | ||
| hid-wiimote-core.c | ||
| hid-wiimote-debug.c | ||
| hid-wiimote-modules.c | ||
| hid-wiimote.h | ||
| hid-xiaomi.c | ||
| hid-xinmo.c | ||
| hid-zpff.c | ||
| hid-zydacron.c | ||
| hidraw.c | ||
| Kconfig | ||
| Makefile | ||
| uhid.c | ||
| wacom_sys.c | ||
| wacom_wac.c | ||
| wacom_wac.h | ||
| wacom.h | ||