lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <26e05a4b-93b3-c38a-3a89-9c56816c63f7@wanadoo.fr>
Date:   Wed, 29 Dec 2021 09:42:44 +0100
From:   Christophe JAILLET <christophe.jaillet@...adoo.fr>
To:     José Expósito <jose.exposito89@...il.com>
Cc:     jikos@...nel.org, benjamin.tissoires@...hat.com,
        linux-input@...r.kernel.org, linux-kernel@...r.kernel.org,
        kernel-janitors@...r.kernel.org
Subject: Re: [PATCH] HID: magicmouse: Fix an error handling path in
 magicmouse_probe()

Le 29/12/2021 à 08:50, José Expósito a écrit :
> On Tue, Dec 28, 2021 at 10:09:17PM +0100, Christophe JAILLET wrote:
>> If the timer introduced by the commit below is started, then it must be
>> deleted in the error handling of the probe. Otherwise it would trigger
>> once the driver is no more.
>>
>> Fixes: 0b91b4e4dae6 ("HID: magicmouse: Report battery level over USB")
>> Signed-off-by: Christophe JAILLET <christophe.jaillet@...adoo.fr>
>> ---
>>   drivers/hid/hid-magicmouse.c | 1 +
>>   1 file changed, 1 insertion(+)
>>
>> diff --git a/drivers/hid/hid-magicmouse.c b/drivers/hid/hid-magicmouse.c
>> index eba1e8087bfd..b8b08f0a8c54 100644
>> --- a/drivers/hid/hid-magicmouse.c
>> +++ b/drivers/hid/hid-magicmouse.c
>> @@ -873,6 +873,7 @@ static int magicmouse_probe(struct hid_device *hdev,
>>   
>>   	return 0;
>>   err_stop_hw:
>> +	del_timer_sync(&msc->battery_timer);
>>   	hid_hw_stop(hdev);
>>   	return ret;
>>   }
>> -- 
>> 2.32.0
>>
> 
> My bad, thanks for catching it!
> 
> Tested-by: José Expósito <jose.exposito89@...il.com>
> 

Hi, just in case, I got a reply from syzbot that this patch fixes:

https://syzkaller.appspot.com/bug?id=ae4e9aaf5651e1d6895071208c7844d4fdfbe30c

If it is the same issue, we can add:
Reported-by: syzbot+a437546ec71b04dfb5ac@...kaller.appspotmail.com


I've not found it with syzbot, but with a coccinelle script which tries 
to spot things that are in the remove function and should also be in the 
error handling path of the probe.

However, if it help syzbot, I don't care mentioning it.

CJ

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ