UbiquitousOS
/
OpenCloudOS-Kernel
mirror of https://gitee.com/OpenCloudOS/OpenCloudOS-Kernel.git
11
0
Fork 0
Code Issues Projects Releases Wiki Activity
OpenCloudOS-Kernel/drivers/hid
History
Olivier Sobrie 60dc4ee042 HID: amd_sfh: free driver_data after destroying hid device 
[ Upstream commit 97155021ae17b86985121b33cf8098bcde00d497 ]

HID driver callbacks aren't called anymore once hid_destroy_device() has
been called. Hence, hid driver_data should be freed only after the
hid_destroy_device() function returned as driver_data is used in several
callbacks.

I observed a crash with kernel 6.10.0 on my T14s Gen 3, after enabling
KASAN to debug memory allocation, I got this output:

  [   13.050438] ==================================================================
  [   13.054060] BUG: KASAN: slab-use-after-free in amd_sfh_get_report+0x3ec/0x530 [amd_sfh]
  [   13.054809] psmouse serio1: trackpoint: Synaptics TrackPoint firmware: 0x02, buttons: 3/3
  [   13.056432] Read of size 8 at addr ffff88813152f408 by task (udev-worker)/479

  [   13.060970] CPU: 5 PID: 479 Comm: (udev-worker) Not tainted 6.10.0-arch1-2 #1 893bb55d7f0073f25c46adbb49eb3785fefd74b0
  [   13.063978] Hardware name: LENOVO 21CQCTO1WW/21CQCTO1WW, BIOS R22ET70W (1.40 ) 03/21/2024
  [   13.067860] Call Trace:
  [   13.069383] input: TPPS/2 Synaptics TrackPoint as /devices/platform/i8042/serio1/input/input8
  [   13.071486]  <TASK>
  [   13.071492]  dump_stack_lvl+0x5d/0x80
  [   13.074870] snd_hda_intel 0000:33:00.6: enabling device (0000 -> 0002)
  [   13.078296]  ? amd_sfh_get_report+0x3ec/0x530 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38]
  [   13.082199]  print_report+0x174/0x505
  [   13.085776]  ? __pfx__raw_spin_lock_irqsave+0x10/0x10
  [   13.089367]  ? srso_alias_return_thunk+0x5/0xfbef5
  [   13.093255]  ? amd_sfh_get_report+0x3ec/0x530 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38]
  [   13.097464]  kasan_report+0xc8/0x150
  [   13.101461]  ? amd_sfh_get_report+0x3ec/0x530 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38]
  [   13.105802]  amd_sfh_get_report+0x3ec/0x530 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38]
  [   13.110303]  amdtp_hid_request+0xb8/0x110 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38]
  [   13.114879]  ? srso_alias_return_thunk+0x5/0xfbef5
  [   13.119450]  sensor_hub_get_feature+0x1d3/0x540 [hid_sensor_hub 3f13be3016ff415bea03008d45d99da837ee3082]
  [   13.124097]  hid_sensor_parse_common_attributes+0x4d0/0xad0 [hid_sensor_iio_common c3a5cbe93969c28b122609768bbe23efe52eb8f5]
  [   13.127404]  ? srso_alias_return_thunk+0x5/0xfbef5
  [   13.131925]  ? __pfx_hid_sensor_parse_common_attributes+0x10/0x10 [hid_sensor_iio_common c3a5cbe93969c28b122609768bbe23efe52eb8f5]
  [   13.136455]  ? _raw_spin_lock_irqsave+0x96/0xf0
  [   13.140197]  ? __pfx__raw_spin_lock_irqsave+0x10/0x10
  [   13.143602]  ? devm_iio_device_alloc+0x34/0x50 [industrialio 3d261d5e5765625d2b052be40e526d62b1d2123b]
  [   13.147234]  ? srso_alias_return_thunk+0x5/0xfbef5
  [   13.150446]  ? __devm_add_action+0x167/0x1d0
  [   13.155061]  hid_gyro_3d_probe+0x120/0x7f0 [hid_sensor_gyro_3d 63da36a143b775846ab2dbb86c343b401b5e3172]
  [   13.158581]  ? srso_alias_return_thunk+0x5/0xfbef5
  [   13.161814]  platform_probe+0xa2/0x150
  [   13.165029]  really_probe+0x1e3/0x8a0
  [   13.168243]  __driver_probe_device+0x18c/0x370
  [   13.171500]  driver_probe_device+0x4a/0x120
  [   13.175000]  __driver_attach+0x190/0x4a0
  [   13.178521]  ? __pfx___driver_attach+0x10/0x10
  [   13.181771]  bus_for_each_dev+0x106/0x180
  [   13.185033]  ? __pfx__raw_spin_lock+0x10/0x10
  [   13.188229]  ? __pfx_bus_for_each_dev+0x10/0x10
  [   13.191446]  ? srso_alias_return_thunk+0x5/0xfbef5
  [   13.194382]  bus_add_driver+0x29e/0x4d0
  [   13.197328]  driver_register+0x1a5/0x360
  [   13.200283]  ? __pfx_hid_gyro_3d_platform_driver_init+0x10/0x10 [hid_sensor_gyro_3d 63da36a143b775846ab2dbb86c343b401b5e3172]
  [   13.203362]  do_one_initcall+0xa7/0x380
  [   13.206432]  ? __pfx_do_one_initcall+0x10/0x10
  [   13.210175]  ? srso_alias_return_thunk+0x5/0xfbef5
  [   13.213211]  ? kasan_unpoison+0x44/0x70
  [   13.216688]  do_init_module+0x238/0x750
  [   13.219696]  load_module+0x5011/0x6af0
  [   13.223096]  ? kasan_save_stack+0x30/0x50
  [   13.226743]  ? kasan_save_track+0x14/0x30
  [   13.230080]  ? kasan_save_free_info+0x3b/0x60
  [   13.233323]  ? poison_slab_object+0x109/0x180
  [   13.236778]  ? __pfx_load_module+0x10/0x10
  [   13.239703]  ? poison_slab_object+0x109/0x180
  [   13.243070]  ? srso_alias_return_thunk+0x5/0xfbef5
  [   13.245924]  ? init_module_from_file+0x13d/0x150
  [   13.248745]  ? srso_alias_return_thunk+0x5/0xfbef5
  [   13.251503]  ? init_module_from_file+0xdf/0x150
  [   13.254198]  init_module_from_file+0xdf/0x150
  [   13.256826]  ? __pfx_init_module_from_file+0x10/0x10
  [   13.259428]  ? kasan_save_track+0x14/0x30
  [   13.261959]  ? srso_alias_return_thunk+0x5/0xfbef5
  [   13.264471]  ? kasan_save_free_info+0x3b/0x60
  [   13.267026]  ? poison_slab_object+0x109/0x180
  [   13.269494]  ? srso_alias_return_thunk+0x5/0xfbef5
  [   13.271949]  ? srso_alias_return_thunk+0x5/0xfbef5
  [   13.274324]  ? _raw_spin_lock+0x85/0xe0
  [   13.276671]  ? __pfx__raw_spin_lock+0x10/0x10
  [   13.278963]  ? __rseq_handle_notify_resume+0x1a6/0xad0
  [   13.281193]  idempotent_init_module+0x23b/0x650
  [   13.283420]  ? __pfx_idempotent_init_module+0x10/0x10
  [   13.285619]  ? __pfx___seccomp_filter+0x10/0x10
  [   13.287714]  ? srso_alias_return_thunk+0x5/0xfbef5
  [   13.289828]  ? __fget_light+0x57/0x420
  [   13.291870]  ? srso_alias_return_thunk+0x5/0xfbef5
  [   13.293880]  ? security_capable+0x74/0xb0
  [   13.295820]  __x64_sys_finit_module+0xbe/0x130
  [   13.297874]  do_syscall_64+0x82/0x190
  [   13.299898]  ? srso_alias_return_thunk+0x5/0xfbef5
  [   13.301905]  ? irqtime_account_irq+0x3d/0x1f0
  [   13.303877]  ? srso_alias_return_thunk+0x5/0xfbef5
  [   13.305753]  ? __irq_exit_rcu+0x4e/0x130
  [   13.307577]  ? srso_alias_return_thunk+0x5/0xfbef5
  [   13.309489]  entry_SYSCALL_64_after_hwframe+0x76/0x7e
  [   13.311371] RIP: 0033:0x7a21f96ade9d
  [   13.313234] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 63 de 0c 00 f7 d8 64 89 01 48
  [   13.317051] RSP: 002b:00007ffeae934e78 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
  [   13.319024] RAX: ffffffffffffffda RBX: 00005987276bfcf0 RCX: 00007a21f96ade9d
  [   13.321100] RDX: 0000000000000004 RSI: 00007a21f8eda376 RDI: 000000000000001c
  [   13.323314] RBP: 00007a21f8eda376 R08: 0000000000000001 R09: 00007ffeae934ec0
  [   13.325505] R10: 0000000000000050 R11: 0000000000000246 R12: 0000000000020000
  [   13.327637] R13: 00005987276c1250 R14: 0000000000000000 R15: 00005987276c4530
  [   13.329737]  </TASK>

  [   13.333945] Allocated by task 139:
  [   13.336111]  kasan_save_stack+0x30/0x50
  [   13.336121]  kasan_save_track+0x14/0x30
  [   13.336125]  __kasan_kmalloc+0xaa/0xb0
  [   13.336129]  amdtp_hid_probe+0xb1/0x440 [amd_sfh]
  [   13.336138]  amd_sfh_hid_client_init+0xb8a/0x10f0 [amd_sfh]
  [   13.336144]  sfh_init_work+0x47/0x120 [amd_sfh]
  [   13.336150]  process_one_work+0x673/0xeb0
  [   13.336155]  worker_thread+0x795/0x1250
  [   13.336160]  kthread+0x290/0x350
  [   13.336164]  ret_from_fork+0x34/0x70
  [   13.336169]  ret_from_fork_asm+0x1a/0x30

  [   13.338175] Freed by task 139:
  [   13.340064]  kasan_save_stack+0x30/0x50
  [   13.340072]  kasan_save_track+0x14/0x30
  [   13.340076]  kasan_save_free_info+0x3b/0x60
  [   13.340081]  poison_slab_object+0x109/0x180
  [   13.340085]  __kasan_slab_free+0x32/0x50
  [   13.340089]  kfree+0xe5/0x310
  [   13.340094]  amdtp_hid_remove+0xb2/0x160 [amd_sfh]
  [   13.340102]  amd_sfh_hid_client_deinit+0x324/0x640 [amd_sfh]
  [   13.340107]  amd_sfh_hid_client_init+0x94a/0x10f0 [amd_sfh]
  [   13.340113]  sfh_init_work+0x47/0x120 [amd_sfh]
  [   13.340118]  process_one_work+0x673/0xeb0
  [   13.340123]  worker_thread+0x795/0x1250
  [   13.340127]  kthread+0x290/0x350
  [   13.340132]  ret_from_fork+0x34/0x70
  [   13.340136]  ret_from_fork_asm+0x1a/0x30

  [   13.342482] The buggy address belongs to the object at ffff88813152f400
                  which belongs to the cache kmalloc-64 of size 64
  [   13.347357] The buggy address is located 8 bytes inside of
                  freed 64-byte region [ffff88813152f400, ffff88813152f440)

  [   13.347367] The buggy address belongs to the physical page:
  [   13.355409] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x13152f
  [   13.355416] anon flags: 0x2ffff8000000000(node=0|zone=2|lastcpupid=0x1ffff)
  [   13.355423] page_type: 0xffffefff(slab)
  [   13.355429] raw: 02ffff8000000000 ffff8881000428c0 ffffea0004c43a00 0000000000000005
  [   13.355435] raw: 0000000000000000 0000000000200020 00000001ffffefff 0000000000000000
  [   13.355439] page dumped because: kasan: bad access detected

  [   13.357295] Memory state around the buggy address:
  [   13.357299]  ffff88813152f300: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
  [   13.357303]  ffff88813152f380: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
  [   13.357306] >ffff88813152f400: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
  [   13.357309]                       ^
  [   13.357311]  ffff88813152f480: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
  [   13.357315]  ffff88813152f500: 00 00 00 00 00 00 00 06 fc fc fc fc fc fc fc fc
  [   13.357318] ==================================================================
  [   13.357405] Disabling lock debugging due to kernel taint
  [   13.383534] Oops: general protection fault, probably for non-canonical address 0xe0a1bc4140000013: 0000 [#1] PREEMPT SMP KASAN NOPTI
  [   13.383544] KASAN: maybe wild-memory-access in range [0x050e020a00000098-0x050e020a0000009f]
  [   13.383551] CPU: 3 PID: 479 Comm: (udev-worker) Tainted: G    B              6.10.0-arch1-2 #1 893bb55d7f0073f25c46adbb49eb3785fefd74b0
  [   13.383561] Hardware name: LENOVO 21CQCTO1WW/21CQCTO1WW, BIOS R22ET70W (1.40 ) 03/21/2024
  [   13.383565] RIP: 0010:amd_sfh_get_report+0x81/0x530 [amd_sfh]
  [   13.383580] Code: 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 78 03 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8b 63 08 49 8d 7c 24 10 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e 1a 03 00 00 45 8b 74 24 10 45
  [   13.383585] RSP: 0018:ffff8881261f7388 EFLAGS: 00010212
  [   13.383592] RAX: dffffc0000000000 RBX: ffff88813152f400 RCX: 0000000000000002
  [   13.383597] RDX: 00a1c04140000013 RSI: 0000000000000008 RDI: 050e020a0000009b
  [   13.383600] RBP: ffff88814d010000 R08: 0000000000000002 R09: fffffbfff3ddb8c0
  [   13.383604] R10: ffffffff9eedc607 R11: ffff88810ce98000 R12: 050e020a0000008b
  [   13.383607] R13: ffff88814d010000 R14: dffffc0000000000 R15: 0000000000000004
  [   13.383611] FS:  00007a21f94d0880(0000) GS:ffff8887e7d80000(0000) knlGS:0000000000000000
  [   13.383615] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  [   13.383618] CR2: 00007e0014c438f0 CR3: 000000012614c000 CR4: 0000000000f50ef0
  [   13.383622] PKRU: 55555554
  [   13.383625] Call Trace:
  [   13.383629]  <TASK>
  [   13.383632]  ? __die_body.cold+0x19/0x27
  [   13.383644]  ? die_addr+0x46/0x70
  [   13.383652]  ? exc_general_protection+0x150/0x240
  [   13.383664]  ? asm_exc_general_protection+0x26/0x30
  [   13.383674]  ? amd_sfh_get_report+0x81/0x530 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38]
  [   13.383686]  ? amd_sfh_get_report+0x3ec/0x530 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38]
  [   13.383697]  amdtp_hid_request+0xb8/0x110 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38]
  [   13.383706]  ? srso_alias_return_thunk+0x5/0xfbef5
  [   13.383713]  sensor_hub_get_feature+0x1d3/0x540 [hid_sensor_hub 3f13be3016ff415bea03008d45d99da837ee3082]
  [   13.383727]  hid_sensor_parse_common_attributes+0x4d0/0xad0 [hid_sensor_iio_common c3a5cbe93969c28b122609768bbe23efe52eb8f5]
  [   13.383739]  ? srso_alias_return_thunk+0x5/0xfbef5
  [   13.383745]  ? __pfx_hid_sensor_parse_common_attributes+0x10/0x10 [hid_sensor_iio_common c3a5cbe93969c28b122609768bbe23efe52eb8f5]
  [   13.383753]  ? _raw_spin_lock_irqsave+0x96/0xf0
  [   13.383762]  ? __pfx__raw_spin_lock_irqsave+0x10/0x10
  [   13.383768]  ? devm_iio_device_alloc+0x34/0x50 [industrialio 3d261d5e5765625d2b052be40e526d62b1d2123b]
  [   13.383790]  ? srso_alias_return_thunk+0x5/0xfbef5
  [   13.383795]  ? __devm_add_action+0x167/0x1d0
  [   13.383806]  hid_gyro_3d_probe+0x120/0x7f0 [hid_sensor_gyro_3d 63da36a143b775846ab2dbb86c343b401b5e3172]
  [   13.383818]  ? srso_alias_return_thunk+0x5/0xfbef5
  [   13.383826]  platform_probe+0xa2/0x150
  [   13.383832]  really_probe+0x1e3/0x8a0
  [   13.383838]  __driver_probe_device+0x18c/0x370
  [   13.383844]  driver_probe_device+0x4a/0x120
  [   13.383851]  __driver_attach+0x190/0x4a0
  [   13.383857]  ? __pfx___driver_attach+0x10/0x10
  [   13.383863]  bus_for_each_dev+0x106/0x180
  [   13.383868]  ? __pfx__raw_spin_lock+0x10/0x10
  [   13.383874]  ? __pfx_bus_for_each_dev+0x10/0x10
  [   13.383880]  ? srso_alias_return_thunk+0x5/0xfbef5
  [   13.383887]  bus_add_driver+0x29e/0x4d0
  [   13.383895]  driver_register+0x1a5/0x360
  [   13.383902]  ? __pfx_hid_gyro_3d_platform_driver_init+0x10/0x10 [hid_sensor_gyro_3d 63da36a143b775846ab2dbb86c343b401b5e3172]
  [   13.383910]  do_one_initcall+0xa7/0x380
  [   13.383919]  ? __pfx_do_one_initcall+0x10/0x10
  [   13.383927]  ? srso_alias_return_thunk+0x5/0xfbef5
  [   13.383933]  ? kasan_unpoison+0x44/0x70
  [   13.383943]  do_init_module+0x238/0x750
  [   13.383955]  load_module+0x5011/0x6af0
  [   13.383962]  ? kasan_save_stack+0x30/0x50
  [   13.383968]  ? kasan_save_track+0x14/0x30
  [   13.383973]  ? kasan_save_free_info+0x3b/0x60
  [   13.383980]  ? poison_slab_object+0x109/0x180
  [   13.383993]  ? __pfx_load_module+0x10/0x10
  [   13.384007]  ? poison_slab_object+0x109/0x180
  [   13.384012]  ? srso_alias_return_thunk+0x5/0xfbef5
  [   13.384018]  ? init_module_from_file+0x13d/0x150
  [   13.384025]  ? srso_alias_return_thunk+0x5/0xfbef5
  [   13.384032]  ? init_module_from_file+0xdf/0x150
  [   13.384037]  init_module_from_file+0xdf/0x150
  [   13.384044]  ? __pfx_init_module_from_file+0x10/0x10
  [   13.384050]  ? kasan_save_track+0x14/0x30
  [   13.384055]  ? srso_alias_return_thunk+0x5/0xfbef5
  [   13.384060]  ? kasan_save_free_info+0x3b/0x60
  [   13.384066]  ? poison_slab_object+0x109/0x180
  [   13.384071]  ? srso_alias_return_thunk+0x5/0xfbef5
  [   13.384080]  ? srso_alias_return_thunk+0x5/0xfbef5
  [   13.384085]  ? _raw_spin_lock+0x85/0xe0
  [   13.384091]  ? __pfx__raw_spin_lock+0x10/0x10
  [   13.384096]  ? __rseq_handle_notify_resume+0x1a6/0xad0
  [   13.384106]  idempotent_init_module+0x23b/0x650
  [   13.384114]  ? __pfx_idempotent_init_module+0x10/0x10
  [   13.384120]  ? __pfx___seccomp_filter+0x10/0x10
  [   13.384129]  ? srso_alias_return_thunk+0x5/0xfbef5
  [   13.384135]  ? __fget_light+0x57/0x420
  [   13.384142]  ? srso_alias_return_thunk+0x5/0xfbef5
  [   13.384147]  ? security_capable+0x74/0xb0
  [   13.384157]  __x64_sys_finit_module+0xbe/0x130
  [   13.384164]  do_syscall_64+0x82/0x190
  [   13.384174]  ? srso_alias_return_thunk+0x5/0xfbef5
  [   13.384179]  ? irqtime_account_irq+0x3d/0x1f0
  [   13.384188]  ? srso_alias_return_thunk+0x5/0xfbef5
  [   13.384193]  ? __irq_exit_rcu+0x4e/0x130
  [   13.384201]  ? srso_alias_return_thunk+0x5/0xfbef5
  [   13.384206]  entry_SYSCALL_64_after_hwframe+0x76/0x7e
  [   13.384212] RIP: 0033:0x7a21f96ade9d
  [   13.384263] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 63 de 0c 00 f7 d8 64 89 01 48
  [   13.384267] RSP: 002b:00007ffeae934e78 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
  [   13.384273] RAX: ffffffffffffffda RBX: 00005987276bfcf0 RCX: 00007a21f96ade9d
  [   13.384277] RDX: 0000000000000004 RSI: 00007a21f8eda376 RDI: 000000000000001c
  [   13.384280] RBP: 00007a21f8eda376 R08: 0000000000000001 R09: 00007ffeae934ec0
  [   13.384284] R10: 0000000000000050 R11: 0000000000000246 R12: 0000000000020000
  [   13.384288] R13: 00005987276c1250 R14: 0000000000000000 R15: 00005987276c4530
  [   13.384297]  </TASK>
  [   13.384299] Modules linked in: soundwire_amd(+) hid_sensor_gyro_3d(+) hid_sensor_magn_3d hid_sensor_accel_3d soundwire_generic_allocation amdxcp hid_sensor_trigger drm_exec industrialio_triggered_buffer soundwire_bus gpu_sched kvm_amd kfifo_buf qmi_helpers joydev drm_buddy hid_sensor_iio_common mousedev snd_soc_core industrialio i2c_algo_bit mac80211 snd_compress drm_suballoc_helper kvm snd_hda_intel drm_ttm_helper ac97_bus snd_pcm_dmaengine snd_intel_dspcfg ttm thinkpad_acpi(+) snd_intel_sdw_acpi hid_sensor_hub snd_rpl_pci_acp6x drm_display_helper snd_hda_codec hid_multitouch libarc4 snd_acp_pci platform_profile think_lmi(+) hid_generic firmware_attributes_class wmi_bmof cec snd_acp_legacy_common sparse_keymap rapl snd_hda_core psmouse cfg80211 pcspkr snd_pci_acp6x snd_hwdep video snd_pcm snd_pci_acp5x snd_timer snd_rn_pci_acp3x ucsi_acpi snd_acp_config snd sp5100_tco rfkill snd_soc_acpi typec_ucsi thunderbolt amd_sfh k10temp mhi soundcore i2c_piix4 snd_pci_acp3x typec i2c_hid_acpi roles i2c_hid wmi acpi_tad amd_pmc
  [   13.384454]  mac_hid i2c_dev crypto_user loop nfnetlink zram ip_tables x_tables dm_crypt cbc encrypted_keys trusted asn1_encoder tee dm_mod crct10dif_pclmul crc32_pclmul polyval_clmulni polyval_generic gf128mul ghash_clmulni_intel serio_raw sha512_ssse3 atkbd sha256_ssse3 libps2 sha1_ssse3 vivaldi_fmap nvme aesni_intel crypto_simd nvme_core cryptd ccp xhci_pci i8042 nvme_auth xhci_pci_renesas serio vfat fat btrfs blake2b_generic libcrc32c crc32c_generic crc32c_intel xor raid6_pq
  [   13.384552] ---[ end trace 0000000000000000 ]---

KASAN reports a use-after-free of hid->driver_data in function
amd_sfh_get_report(). The backtrace indicates that the function is called
by amdtp_hid_request() which is one of the callbacks of hid device.
The current make sure that driver_data is freed only once
hid_destroy_device() returned.

Note that I observed the crash both on v6.9.9 and v6.10.0. The
code seems to be as it was from the early days of the driver.

Signed-off-by: Olivier Sobrie <olivier@sobrie.be>
Acked-by: Basavaraj Natikar <Basavaraj.Natikar@amd.com>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
 		2024-09-12 11:11:39 +02:00
..
amd-sfh-hid HID: amd_sfh: free driver_data after destroying hid device 2024-09-12 11:11:39 +02:00
bpf HID: bpf: actually free hdev memory after attaching a HID-BPF program 2024-02-23 09:24:55 +01:00
i2c-hid HID: i2c-hid: elan: fix reset suspend current leakage 2024-06-16 13:47:40 +02:00
intel-ish-hid HID: intel-ish-hid: ipc: Add check for pci_alloc_irq_vectors 2024-06-12 11:11:49 +02:00
surface-hid for-linus-2023022201 2023-02-22 11:24:42 -08:00
usbhid Merge branch 'for-6.3/hid-core' into for-linus 2023-02-22 10:27:57 +01:00
.kunitconfig HID: input: map battery system charging 2022-12-20 15:30:35 +01:00
Kconfig HID: nvidia-shield: Select POWER_SUPPLY Kconfig option 2023-10-04 20:48:20 +02:00
Makefile HID: hid-google-stadiaff: add support for Stadia force feedback 2023-08-14 11:35:37 +02:00
hid-a4tech.c HID: a4tech: use A4_2WHEEL_MOUSE_HACK_B8 for A4TECH NB-95 2021-05-05 14:29:13 +02:00
hid-accutouch.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-alps.c HID: hid-alps: use default remove for hid device 2022-11-21 22:17:10 +01:00
hid-apple.c HID: apple: add Jamesdonkey and A3R to non-apple keyboards list 2023-12-20 17:01:58 +01:00
hid-appleir.c HID: appleir: Use devm_kzalloc() instead of kzalloc() 2020-03-13 17:33:11 +01:00
hid-asus.c hid: asus: asus_report_fixup: fix potential read out of bounds 2024-06-27 13:49:15 +02:00
hid-aureal.c treewide: Add SPDX license identifier for more missed files 2019-05-21 10:50:45 +02:00
hid-axff.c HID: Fix assumption that devices have inputs 2019-10-03 15:36:40 -04:00
hid-belkin.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-betopff.c HID: betop: check shape of output reports 2023-01-18 16:34:35 +01:00
hid-bigbenff.c hid: bigben_probe(): validate report count 2023-02-16 12:00:26 +01:00
hid-cherry.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-chicony.c HID: check for valid USB device for many HID drivers 2021-12-02 15:36:18 +01:00
hid-cmedia.c HID: cmedia: add support for HS-100B mute button 2021-07-28 11:51:07 +02:00
hid-core.c HID: core: remove unnecessary WARN_ON() in implement() 2024-06-21 14:38:30 +02:00
hid-corsair.c HID: check for valid USB device for many HID drivers 2021-12-02 15:36:18 +01:00
hid-cougar.c HID: cougar: fix slab-out-of-bounds Read in cougar_report_fixup 2024-09-12 11:11:39 +02:00
hid-cp2112.c hid: cp2112: Fix IRQ shutdown stopping polling for all IRQs on chip 2023-11-20 11:59:22 +01:00
hid-creative-sb0540.c HID: sb0540: add support for Creative SB0540 IR receivers 2019-09-03 16:52:04 +02:00
hid-cypress.c HID: cypress: Support Varmilo Keyboards' media hotkeys 2020-10-23 13:23:44 +02:00
hid-debug.c input: Add support for "Do Not Disturb" 2024-07-25 09:50:44 +02:00
hid-dr.c HID: Fix assumption that devices have inputs 2019-10-03 15:36:40 -04:00
hid-elan.c HID: hid-elan: use default remove for hid device 2022-11-21 22:17:10 +01:00
hid-elecom.c HID: elecom: add support for TrackBall 056E:011C 2023-01-20 18:44:10 +01:00
hid-elo.c HID: elo: Revert USB reference counting 2022-02-17 14:14:41 +01:00
hid-emsff.c HID: Fix assumption that devices have inputs 2019-10-03 15:36:40 -04:00
hid-evision.c HID: evision: Add preliminary support for EVision keyboards 2023-02-06 18:17:56 +01:00
hid-ezkey.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-ft260.c HID: ft260: fix 'cast to restricted' kernel CI bot warnings 2022-11-11 11:09:36 +01:00
hid-gaff.c HID: Fix assumption that devices have inputs 2019-10-03 15:36:40 -04:00
hid-gembird.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-generic.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-gfrm.c HID: do not call hid_set_drvdata(hdev, NULL) in drivers 2019-08-22 17:11:58 +02:00
hid-glorious.c HID: glorious: fix Glorious Model I HID report 2023-12-20 17:01:58 +01:00
hid-google-hammer.c HID: google: add jewel USB id 2023-05-23 15:09:24 +02:00
hid-google-stadiaff.c HID: hid-google-stadiaff: add support for Stadia force feedback 2023-08-14 11:35:37 +02:00
hid-gt683r.c HID: gt683r: add missing MODULE_DEVICE_TABLE 2021-05-27 15:40:34 +02:00
hid-gyration.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-holtek-kbd.c HID: holtek: fix slab-out-of-bounds Write in holtek_kbd_input_event 2023-09-18 17:13:01 +02:00
hid-holtek-mouse.c HID: holtek: fix mouse probing 2021-12-20 11:25:42 +01:00
hid-holtekff.c HID: Fix assumption that devices have inputs 2019-10-03 15:36:40 -04:00
hid-hyperv.c HID: hyperv: avoid struct memcpy overrun warning 2023-07-09 12:47:37 +02:00
hid-icade.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-ids.h HID: Ignore battery for ELAN touchscreens 2F2C and 4116 2024-07-25 09:50:44 +02:00
hid-input-test.c HID: input: map battery system charging 2022-12-20 15:30:35 +01:00
hid-input.c HID: Ignore battery for ELAN touchscreens 2F2C and 4116 2024-07-25 09:50:44 +02:00
hid-ite.c HID: ite: Enable QUIRK_TOUCHPAD_ON_OFF_REPORT on Acer Aspire Switch V 10 2022-11-14 23:55:12 +01:00
hid-jabra.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-kensington.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-keytouch.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-kye.c HID: kye: Fix rdesc for kye tablets 2023-04-13 16:16:04 +02:00
hid-lcpower.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-led.c HID: hid-led: fix maximum brightness for Dream Cheeky 2022-04-21 10:28:49 +02:00
hid-lenovo.c HID: lenovo: Add middleclick_workaround sysfs knob for cptkbd 2024-03-26 18:19:43 -04:00
hid-letsketch.c HID: letsketch: Use hid_is_usb() 2023-01-17 13:44:01 +01:00
hid-lg-g15.c HID: lg-g15: explicitly include linux/leds.h 2023-04-13 17:08:45 +02:00
hid-lg.c HID: check for valid USB device for many HID drivers 2021-12-02 15:36:18 +01:00
hid-lg.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
hid-lg2ff.c HID: Fix assumption that devices have inputs 2019-10-03 15:36:40 -04:00
hid-lg3ff.c HID: Fix assumption that devices have inputs 2019-10-03 15:36:40 -04:00
hid-lg4ff.c HID: hid-lg4ff: Add check for empty lbuf 2022-11-14 23:56:52 +01:00
hid-lg4ff.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
hid-lgff.c HID: Fix assumption that devices have inputs 2019-10-03 15:36:40 -04:00
hid-logitech-dj.c HID: logitech-dj: Fix memory leak in logi_dj_recv_switch_to_dj_mode() 2024-06-21 14:38:31 +02:00
hid-logitech-hidpp.c HID: logitech-hidpp: add support for Logitech G Pro X Superlight 2 2024-03-01 13:34:50 +01:00
hid-macally.c HID: macally: Constify macally_id_table 2020-08-17 11:38:49 +02:00
hid-magicmouse.c HID: magicmouse: Do not set BTN_MOUSE on double report 2022-10-14 10:47:50 +01:00
hid-maltron.c Support for Maltron L90 keyboard media keys 2019-01-14 20:11:01 +01:00
hid-mcp2221.c HID: mcp-2221: cancel delayed_work only when CONFIG_IIO is enabled 2024-06-12 11:11:22 +02:00
hid-megaworld.c HID: Add support for Mega World controller force feedback 2022-05-06 08:29:26 +02:00
hid-mf.c HID: mf: add support for 0079:1846 Mayflash/Dragonrise USB Gamecube Adapter 2020-11-25 14:30:33 +01:00
hid-microsoft.c HID: microsoft: Add rumble support to latest xbox controllers 2023-06-08 16:09:51 +02:00
hid-monterey.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-multitouch.c HID: Add quirk for Logitech Casa touchpad 2024-06-27 13:49:02 +02:00
hid-nintendo.c HID: nintendo: Prevent divide-by-zero on code 2024-01-20 11:51:45 +01:00
hid-nti.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-ntrig.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-nvidia-shield.c HID: nvidia-shield: Add missing check for input_ff_create_memless 2024-06-21 14:38:26 +02:00
hid-ortek.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-penmount.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-petalynx.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-picolcd.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 265 2019-06-05 17:30:28 +02:00
hid-picolcd_backlight.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 265 2019-06-05 17:30:28 +02:00
hid-picolcd_cir.c media: rc: harmonize infrared durations to microseconds 2020-09-03 16:18:55 +02:00
hid-picolcd_core.c HID: hid-picolcd_core: Remove unused variable 'ret' 2021-04-07 18:46:20 +02:00
hid-picolcd_debugfs.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 265 2019-06-05 17:30:28 +02:00
hid-picolcd_fb.c hid/picolcd: Remove flag FBINFO_FLAG_DEFAULT from fbdev driver 2023-07-24 16:50:39 +02:00
hid-picolcd_lcd.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 265 2019-06-05 17:30:28 +02:00
hid-picolcd_leds.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 265 2019-06-05 17:30:28 +02:00
hid-pl.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156 2019-05-30 11:26:35 -07:00
hid-plantronics.c HID: plantronics: Additional PIDs for double volume key presses quirk 2022-12-20 15:35:21 +01:00
hid-playstation.c Merge branch 'for-6.3/sony' into for-linus 2023-02-22 10:40:03 +01:00
hid-primax.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 282 2019-06-05 17:36:37 +02:00
hid-prodikeys.c HID: check for valid USB device for many HID drivers 2021-12-02 15:36:18 +01:00
hid-pxrc.c HID: Add driver for PhoenixRC Flight Controller 2022-09-20 11:36:21 +01:00
hid-quirks.c HID: add ALWAYS_POLL quirk for Apple kb 2023-12-20 17:01:59 +01:00
hid-razer.c HID: Add driver for Razer Blackwidow keyboards 2022-02-16 17:12:14 +01:00
hid-redragon.c HID: redragon: fix num lock and caps lock LEDs 2018-06-25 15:23:40 +02:00
hid-retrode.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-rmi.c HID: i2c: let RMI devices decide what constitutes wakeup event 2022-11-21 18:56:20 +01:00
hid-roccat-arvo.c HID: roccat: make all 'class' structures const 2023-08-14 11:23:35 +02:00
hid-roccat-arvo.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-roccat-common.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-roccat-common.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-roccat-isku.c HID: roccat: make all 'class' structures const 2023-08-14 11:23:35 +02:00
hid-roccat-isku.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-roccat-kone.c HID: roccat: make all 'class' structures const 2023-08-14 11:23:35 +02:00
hid-roccat-kone.h HID: roccat: Use struct_group() to zero kone_mouse_event 2021-09-25 08:20:48 -07:00
hid-roccat-koneplus.c HID: roccat: make all 'class' structures const 2023-08-14 11:23:35 +02:00
hid-roccat-koneplus.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-roccat-konepure.c HID: roccat: make all 'class' structures const 2023-08-14 11:23:35 +02:00
hid-roccat-kovaplus.c HID: roccat: make all 'class' structures const 2023-08-14 11:23:35 +02:00
hid-roccat-kovaplus.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-roccat-lua.c HID: check for valid USB device for many HID drivers 2021-12-02 15:36:18 +01:00
hid-roccat-lua.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-roccat-pyra.c HID: roccat: make all 'class' structures const 2023-08-14 11:23:35 +02:00
hid-roccat-pyra.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-roccat-ryos.c HID: roccat: make all 'class' structures const 2023-08-14 11:23:35 +02:00
hid-roccat-savu.c HID: roccat: make all 'class' structures const 2023-08-14 11:23:35 +02:00
hid-roccat-savu.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-roccat.c HID: roccat: make all 'class' structures const 2023-08-14 11:23:35 +02:00
hid-saitek.c HID: saitek: add madcatz variant of MMO7 mouse device ID 2022-10-18 14:42:45 +02:00
hid-samsung.c HID: check for valid USB device for many HID drivers 2021-12-02 15:36:18 +01:00
hid-semitek.c HID: semitek: new driver for GK6X series keyboards 2021-05-05 14:21:08 +02:00
hid-sensor-custom.c HID: hid-sensor-custom: Fix buffer overrun in device name 2023-03-24 14:09:29 +01:00
hid-sensor-hub.c HID: sensor-hub: Enable hid core report processing for all devices 2024-01-25 15:35:48 -08:00
hid-sigmamicro.c HID: add SiGma Micro driver 2022-02-02 15:12:22 +01:00
hid-sjoy.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156 2019-05-30 11:26:35 -07:00
hid-sony.c HID: sony: remove duplicate NULL check before calling usb_free_urb() 2023-10-05 12:50:35 +02:00
hid-speedlink.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-steam.c Merge branch 'for-6.3/steam' into for-linus 2023-02-22 10:41:06 +01:00
hid-steelseries.c HID: steelseries: Fix signedness bug in steelseries_headset_arctis_1_fetch_battery() 2023-09-18 16:44:24 +02:00
hid-sunplus.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-thrustmaster.c HID: thrustmaster: Add sparco wheel and fix array length 2022-08-25 11:38:55 +02:00
hid-tivo.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-tmff.c HID: thrustmaster use swap() to make code cleaner 2021-12-14 10:50:23 +01:00
hid-topre.c HID: topre: Add support for 87 keys Realforce R2 2023-03-10 18:59:51 +01:00
hid-topseed.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-twinhan.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 178 2019-05-30 11:29:19 -07:00
hid-u2fzero.c hwrng: u2fzero - account for high quality RNG 2022-11-25 17:39:19 +08:00
hid-uclogic-core-test.c HID: uclogic: Fix a work->entry not empty bug in __queue_work() 2023-11-20 11:59:22 +01:00
hid-uclogic-core.c HID: uclogic: Correct devm device reference for hidinput input_dev name 2023-08-24 15:57:57 +02:00
hid-uclogic-params-test.c HID: uclogic: Fix user-memory-access bug in uclogic_params_ugee_v2_init_event_hooks() 2023-11-20 11:59:22 +01:00
hid-uclogic-params.c Merge branch 'for-6.3/uclogic' into for-linus 2023-02-22 10:41:39 +01:00
hid-uclogic-params.h HID: uclogic: Handle wireless device reconnection 2023-01-18 09:44:57 +01:00
hid-uclogic-rdesc-test.c HID: uclogic: Use KUNIT_EXPECT_MEMEQ 2023-01-18 09:47:04 +01:00
hid-uclogic-rdesc.c HID: uclogic: Refactor UGEEv2 probe magic data 2023-01-18 09:44:57 +01:00
hid-uclogic-rdesc.h HID: uclogic: Refactor UGEEv2 probe magic data 2023-01-18 09:44:57 +01:00
hid-udraw-ps3.c HID: udraw-ps3: Replace HTTP links with HTTPS ones 2020-07-20 12:24:41 +02:00
hid-viewsonic.c HID: uclogic: Switch to Digitizer usage for styluses 2022-05-11 14:19:27 +02:00
hid-vivaldi-common.c HID: vivaldi: convert to use dev_groups 2022-08-25 11:37:21 +02:00
hid-vivaldi-common.h HID: vivaldi: convert to use dev_groups 2022-08-25 11:37:21 +02:00
hid-vivaldi.c HID: vivaldi: convert to use dev_groups 2022-08-25 11:37:21 +02:00
hid-vrc2.c HID: Add driver for VRC-2 Car Controller 2022-09-20 11:35:00 +01:00
hid-waltop.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-wiimote-core.c treewide: Convert del_timer*() to timer_shutdown*() 2022-12-25 13:38:09 -08:00
hid-wiimote-debug.c HID: hid-wiimote-debug.c: Drop error checking for debugfs_create_file 2023-08-14 11:14:42 +02:00
hid-wiimote-modules.c HID: wiimote: Add support for the DJ Hero turntable 2022-11-04 09:57:16 +01:00
hid-wiimote.h HID: wiimote: Add support for the DJ Hero turntable 2022-11-04 09:57:16 +01:00
hid-xiaomi.c HID: Add support for side buttons of Xiaomi Mi Dual Mode Wireless Mouse Silent 2021-09-22 11:53:07 +02:00
hid-xinmo.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-zpff.c HID: Fix assumption that devices have inputs 2019-10-03 15:36:40 -04:00
hid-zydacron.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hidraw.c HID: hidraw: fix a problem of memory leak in hidraw_release() 2024-02-05 20:14:34 +00:00
uhid.c HID: uhid: Over-ride the default maximum data buffer value with our own 2023-02-23 11:52:05 +01:00
wacom.h HID: wacom: remove the battery when the EKR is off 2023-08-14 11:43:57 +02:00
wacom_sys.c HID: wacom: Do not register input devices until after hid_hw_start 2024-02-23 09:24:56 +01:00
wacom_wac.c HID: wacom: Defer calculation of resolution until resolution_code is known 2024-08-29 17:33:53 +02:00
wacom_wac.h HID: wacom: struct name cleanup 2023-08-14 11:43:57 +02:00