Message-ID: <CAOU40uCCXozxrKH4cXyNbb255SJ6fRS=doRysPiZ-XDpSF__rw@mail.gmail.com>
Date: Tue, 18 Nov 2025 16:51:49 +0800
From: Xianying Wang <wangxianying546@...il.com>
To: luis.hernandez093@...il.com
Cc: maddy@...ux.ibm.com, rbm@...e.com, linuxppc-dev@...ts.ozlabs.org, 
	linux-kernel@...r.kernel.org
Subject: [BUG] general protection fault in input_unregister_device

Hi,

I am running syzkaller on a KASAN-enabled x86_64 kernel based on Linux
6.17.0/6.18-rc2, and I hit a reproducible general protection fault in
input_unregister_device() which seems to be triggered by concurrent
writes to the dev.mac_hid.mouse_button_emulation sysctl.

From the stack trace, the faulting instruction in
input_unregister_device() is reached from the mac_hid emulated mouse
teardown path in drivers/macintosh/mac_hid.c.

The mac_hid driver keeps a global struct input_dev * for the emulated
mouse, and the sysctl handler for dev.mac_hid.mouse_button_emulation
toggles that device between “created” and “destroyed” states. The
teardown helper calls input_unregister_device() on the global pointer
and then sets the pointer to NULL.

However, there may be no proper synchronization around this global
pointer in the sysctl handler.

The sysctl handler can end up calling input_unregister_device()
multiple times on the same device (or on a stale pointer) under
concurrent updates.

This issue can be reproduced on both v6.18-rc2 and v6.17.0.

This can be reproduced on:

HEAD commit:

e5f0a698b34ed76002dc5cff3804a61c80233a7a

6fab32bb6508abbb8b7b1c5498e44f0c32320ed5

report: https://pastebin.com/raw/Fxc8KiiH

console output: https://pastebin.com/raw/trZpGBDe

kernel config: https://pastebin.com/raw/1grwrT16

C reproducer: https://pastebin.com/raw/sdxjzABJ

Let me know if you need more details or testing.

Best regards,

Xianying
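
The pattern this report describes, as an added user-space model that is not part of the original message and is not kernel code: an unsynchronized teardown replayed in the interleaving that unregisters one device twice, beside a toggle serialized by a lock. All names (`fake_dev`, `emulated_mouse`, `locked_toggle`) are hypothetical, and the pthread mutex is one illustrative way to serialize the toggle, not the driver's code or its fix.

```c
#include <pthread.h>
#include <stdlib.h>

/* Constructed user-space stand-ins; none of these names are kernel symbols. */
struct fake_dev { int registered; };
static struct fake_dev *emulated_mouse;  /* shared global pointer */
static int double_unregisters;  /* unregister calls on an already-unregistered device */
static pthread_mutex_t toggle_lock = PTHREAD_MUTEX_INITIALIZER;
static void fake_unregister(struct fake_dev *d) {
    if (!d->registered) double_unregisters++;
    d->registered = 0;
}

/* Unsynchronized teardown replayed by hand: both writers load the pointer
 * before either clears it, so the second unregister hits a stale device. */
int replay_unlocked_interleaving(void) {
    struct fake_dev dev = { .registered = 1 };
    emulated_mouse = &dev; double_unregisters = 0;
    struct fake_dev *a = emulated_mouse, *b = emulated_mouse; /* A and B load */
    fake_unregister(a); emulated_mouse = NULL;  /* writer A tears down */
    fake_unregister(b); emulated_mouse = NULL;  /* writer B repeats it */
    return double_unregisters;
}

/* Serialized toggle: check, unregister and clear all happen under one lock. */
static void locked_toggle(int enable) {
    pthread_mutex_lock(&toggle_lock);
    if (enable && !emulated_mouse) {
        emulated_mouse = calloc(1, sizeof(*emulated_mouse));
        if (emulated_mouse) emulated_mouse->registered = 1;
    } else if (!enable && emulated_mouse) {
        fake_unregister(emulated_mouse);
        free(emulated_mouse);
        emulated_mouse = NULL;
    }
    pthread_mutex_unlock(&toggle_lock);
}
static void *writer(void *arg) {
    for (int i = 0; i < 100000; i++) locked_toggle(i & 1);
    return arg;
}
/* Four concurrent writers flip the setting; the lock keeps teardown single. */
int run_locked_writers(void) {
    pthread_t t[4];
    emulated_mouse = NULL; double_unregisters = 0;
    for (int i = 0; i < 4; i++) pthread_create(&t[i], NULL, writer, NULL);
    for (int i = 0; i < 4; i++) pthread_join(t[i], NULL);
    locked_toggle(0);  /* final teardown */
    return double_unregisters;
}
int main(void) { return !(replay_unlocked_interleaving() == 1 && run_locked_writers() == 0); }
```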
