[syzbot] [input?] [usb?] KASAN: slab-use-after-free Read in steam_input_open

19 views
Skip to first unread message

syzbot

unread,
Feb 22, 2025, 12:01:24 PM2/22/25
to ben...@kernel.org, ji...@kernel.org, jko...@suse.com, linux...@vger.kernel.org, linux-...@vger.kernel.org, linu...@vger.kernel.org, syzkall...@googlegroups.com, v...@endrift.com
Hello,

syzbot found the following issue on:

HEAD commit: 0a86e49acfbb dt-bindings: usb: samsung,exynos-dwc3 Add exy..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing
console output: https://syzkaller.appspot.com/x/log.txt?x=172e5ae4580000
kernel config: https://syzkaller.appspot.com/x/.config?x=f429368eda610a89
dashboard link: https://syzkaller.appspot.com/bug?extid=0154da2d403396b2bd59
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=162ca7f8580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17c02ba4580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/f73104f0e203/disk-0a86e49a.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/fba41561bd74/vmlinux-0a86e49a.xz
kernel image: https://storage.googleapis.com/syzbot-assets/a82f1679cfc5/bzImage-0a86e49a.xz

The issue was bisected to:

commit 79504249d7e27cad4a3eeb9afc6386e418728ce0
Author: Vicki Pfau <v...@endrift.com>
Date: Wed Feb 5 03:55:27 2025 +0000

HID: hid-steam: Move hidraw input (un)registering to work

bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=12f69fdf980000
final oops: https://syzkaller.appspot.com/x/report.txt?x=11f69fdf980000
console output: https://syzkaller.appspot.com/x/log.txt?x=16f69fdf980000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+0154da...@syzkaller.appspotmail.com
Fixes: 79504249d7e2 ("HID: hid-steam: Move hidraw input (un)registering to work")

==================================================================
BUG: KASAN: slab-use-after-free in steam_input_open+0x14d/0x160 drivers/hid/hid-steam.c:604
Read of size 8 at addr ffff88810df35930 by task udevd/2958

CPU: 0 UID: 0 PID: 2958 Comm: udevd Not tainted 6.14.0-rc3-syzkaller-00036-g0a86e49acfbb #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xc3/0x620 mm/kasan/report.c:489
kasan_report+0xd9/0x110 mm/kasan/report.c:602
steam_input_open+0x14d/0x160 drivers/hid/hid-steam.c:604
input_open_device+0x230/0x390 drivers/input/input.c:600
evdev_open_device drivers/input/evdev.c:391 [inline]
evdev_open+0x52d/0x690 drivers/input/evdev.c:478
chrdev_open+0x237/0x6a0 fs/char_dev.c:414
do_dentry_open+0x6cb/0x1390 fs/open.c:956
vfs_open+0x82/0x3f0 fs/open.c:1086
do_open fs/namei.c:3830 [inline]
path_openat+0x1e88/0x2d80 fs/namei.c:3989
do_filp_open+0x20c/0x470 fs/namei.c:4016
do_sys_openat2+0x17a/0x1e0 fs/open.c:1428
do_sys_open fs/open.c:1443 [inline]
__do_sys_openat fs/open.c:1459 [inline]
__se_sys_openat fs/open.c:1454 [inline]
__x64_sys_openat+0x175/0x210 fs/open.c:1454
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f48428969a4
Code: 24 20 48 8d 44 24 30 48 89 44 24 28 64 8b 04 25 18 00 00 00 85 c0 75 2c 44 89 e2 48 89 ee bf 9c ff ff ff b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 76 60 48 8b 15 55 a4 0d 00 f7 d8 64 89 02 48 83
RSP: 002b:00007ffcc9566fe0 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f48428969a4
RDX: 0000000000080000 RSI: 00005564b5753fd0 RDI: 00000000ffffff9c
RBP: 00005564b5753fd0 R08: 00005564b5708ed8 R09: 00007f4842971b10
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000080000
R13: 00007ffcc95671a8 R14: 0000000000000000 R15: 00005564ab4c5ed5
</TASK>

Allocated by task 2986:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
__kasan_kmalloc+0x8f/0xa0 mm/kasan/common.c:394
kasan_kmalloc include/linux/kasan.h:260 [inline]
__do_kmalloc_node mm/slub.c:4294 [inline]
__kmalloc_node_track_caller_noprof+0x20b/0x4c0 mm/slub.c:4313
alloc_dr drivers/base/devres.c:119 [inline]
devm_kmalloc+0xa5/0x260 drivers/base/devres.c:843
devm_kzalloc include/linux/device.h:328 [inline]
steam_probe+0x132/0x1060 drivers/hid/hid-steam.c:1241
__hid_device_probe drivers/hid/hid-core.c:2713 [inline]
hid_device_probe+0x349/0x700 drivers/hid/hid-core.c:2750
call_driver_probe drivers/base/dd.c:579 [inline]
really_probe+0x23e/0xa90 drivers/base/dd.c:658
__driver_probe_device+0x1de/0x440 drivers/base/dd.c:800
driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:830
__device_attach_driver+0x1df/0x310 drivers/base/dd.c:958
bus_for_each_drv+0x157/0x1e0 drivers/base/bus.c:462
__device_attach+0x1e8/0x4b0 drivers/base/dd.c:1030
bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:537
device_add+0x114b/0x1a70 drivers/base/core.c:3665
hid_add_device+0x374/0xa60 drivers/hid/hid-core.c:2896
usbhid_probe+0xd32/0x1400 drivers/hid/usbhid/hid-core.c:1431
usb_probe_interface+0x300/0x9c0 drivers/usb/core/driver.c:396
call_driver_probe drivers/base/dd.c:579 [inline]
really_probe+0x23e/0xa90 drivers/base/dd.c:658
__driver_probe_device+0x1de/0x440 drivers/base/dd.c:800
driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:830
__device_attach_driver+0x1df/0x310 drivers/base/dd.c:958
bus_for_each_drv+0x157/0x1e0 drivers/base/bus.c:462
__device_attach+0x1e8/0x4b0 drivers/base/dd.c:1030
bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:537
device_add+0x114b/0x1a70 drivers/base/core.c:3665
usb_set_configuration+0x10cb/0x1c50 drivers/usb/core/message.c:2210
usb_generic_driver_probe+0xb1/0x110 drivers/usb/core/generic.c:250
usb_probe_device+0xec/0x3e0 drivers/usb/core/driver.c:291
call_driver_probe drivers/base/dd.c:579 [inline]
really_probe+0x23e/0xa90 drivers/base/dd.c:658
__driver_probe_device+0x1de/0x440 drivers/base/dd.c:800
driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:830
__device_attach_driver+0x1df/0x310 drivers/base/dd.c:958
bus_for_each_drv+0x157/0x1e0 drivers/base/bus.c:462
__device_attach+0x1e8/0x4b0 drivers/base/dd.c:1030
bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:537
device_add+0x114b/0x1a70 drivers/base/core.c:3665
usb_new_device+0xd09/0x1a20 drivers/usb/core/hub.c:2663
hub_port_connect drivers/usb/core/hub.c:5533 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5673 [inline]
port_event drivers/usb/core/hub.c:5833 [inline]
hub_event+0x2e58/0x4f40 drivers/usb/core/hub.c:5915
process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3236
process_scheduled_works kernel/workqueue.c:3317 [inline]
worker_thread+0x6c8/0xf00 kernel/workqueue.c:3398
kthread+0x3af/0x750 kernel/kthread.c:464
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

Freed by task 2986:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:576
poison_slab_object mm/kasan/common.c:247 [inline]
__kasan_slab_free+0x37/0x50 mm/kasan/common.c:264
kasan_slab_free include/linux/kasan.h:233 [inline]
slab_free_hook mm/slub.c:2353 [inline]
slab_free mm/slub.c:4609 [inline]
kfree+0x294/0x480 mm/slub.c:4757
release_nodes+0x11e/0x240 drivers/base/devres.c:506
devres_release_group+0x1be/0x2a0 drivers/base/devres.c:689
hid_device_remove+0x107/0x260 drivers/hid/hid-core.c:2774
device_remove+0xc8/0x170 drivers/base/dd.c:567
__device_release_driver drivers/base/dd.c:1273 [inline]
device_release_driver_internal+0x44a/0x610 drivers/base/dd.c:1296
bus_remove_device+0x22f/0x420 drivers/base/bus.c:579
device_del+0x396/0x9f0 drivers/base/core.c:3854
hid_remove_device drivers/hid/hid-core.c:2953 [inline]
hid_destroy_device+0x19c/0x240 drivers/hid/hid-core.c:2975
usbhid_disconnect+0xa0/0xe0 drivers/hid/usbhid/hid-core.c:1458
usb_unbind_interface+0x1e2/0x960 drivers/usb/core/driver.c:458
device_remove drivers/base/dd.c:569 [inline]
device_remove+0x122/0x170 drivers/base/dd.c:561
__device_release_driver drivers/base/dd.c:1273 [inline]
device_release_driver_internal+0x44a/0x610 drivers/base/dd.c:1296
bus_remove_device+0x22f/0x420 drivers/base/bus.c:579
device_del+0x396/0x9f0 drivers/base/core.c:3854
usb_disable_device+0x36c/0x7f0 drivers/usb/core/message.c:1418
usb_disconnect+0x2e1/0x920 drivers/usb/core/hub.c:2316
hub_port_connect drivers/usb/core/hub.c:5373 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5673 [inline]
port_event drivers/usb/core/hub.c:5833 [inline]
hub_event+0x1bed/0x4f40 drivers/usb/core/hub.c:5915
process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3236
process_scheduled_works kernel/workqueue.c:3317 [inline]
worker_thread+0x6c8/0xf00 kernel/workqueue.c:3398
kthread+0x3af/0x750 kernel/kthread.c:464
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

Last potentially related work creation:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_record_aux_stack+0x9b/0xb0 mm/kasan/generic.c:548
insert_work+0x36/0x230 kernel/workqueue.c:2183
__queue_work+0x97e/0x1080 kernel/workqueue.c:2339
queue_work_on+0x11a/0x140 kernel/workqueue.c:2390
hid_hw_close+0xaf/0xe0 drivers/hid/hid-core.c:2415
drop_ref+0x2c8/0x390 drivers/hid/hidraw.c:346
hidraw_disconnect+0x4b/0x60 drivers/hid/hidraw.c:642
hid_disconnect+0x13e/0x1b0 drivers/hid/hid-core.c:2325
hid_hw_stop+0x16/0x80 drivers/hid/hid-core.c:2370
steam_remove+0x1af/0x220 drivers/hid/hid-steam.c:1326
hid_device_remove+0xce/0x260 drivers/hid/hid-core.c:2769
device_remove+0xc8/0x170 drivers/base/dd.c:567
__device_release_driver drivers/base/dd.c:1273 [inline]
device_release_driver_internal+0x44a/0x610 drivers/base/dd.c:1296
bus_remove_device+0x22f/0x420 drivers/base/bus.c:579
device_del+0x396/0x9f0 drivers/base/core.c:3854
hid_remove_device drivers/hid/hid-core.c:2953 [inline]
hid_destroy_device+0x19c/0x240 drivers/hid/hid-core.c:2975
steam_remove+0xf0/0x220 drivers/hid/hid-steam.c:1334
hid_device_remove+0xce/0x260 drivers/hid/hid-core.c:2769
device_remove+0xc8/0x170 drivers/base/dd.c:567
__device_release_driver drivers/base/dd.c:1273 [inline]
device_release_driver_internal+0x44a/0x610 drivers/base/dd.c:1296
bus_remove_device+0x22f/0x420 drivers/base/bus.c:579
device_del+0x396/0x9f0 drivers/base/core.c:3854
hid_remove_device drivers/hid/hid-core.c:2953 [inline]
hid_destroy_device+0x19c/0x240 drivers/hid/hid-core.c:2975
usbhid_disconnect+0xa0/0xe0 drivers/hid/usbhid/hid-core.c:1458
usb_unbind_interface+0x1e2/0x960 drivers/usb/core/driver.c:458
device_remove drivers/base/dd.c:569 [inline]
device_remove+0x122/0x170 drivers/base/dd.c:561
__device_release_driver drivers/base/dd.c:1273 [inline]
device_release_driver_internal+0x44a/0x610 drivers/base/dd.c:1296
bus_remove_device+0x22f/0x420 drivers/base/bus.c:579
device_del+0x396/0x9f0 drivers/base/core.c:3854
usb_disable_device+0x36c/0x7f0 drivers/usb/core/message.c:1418
usb_disconnect+0x2e1/0x920 drivers/usb/core/hub.c:2316
hub_port_connect drivers/usb/core/hub.c:5373 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5673 [inline]
port_event drivers/usb/core/hub.c:5833 [inline]
hub_event+0x1bed/0x4f40 drivers/usb/core/hub.c:5915
process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3236
process_scheduled_works kernel/workqueue.c:3317 [inline]
worker_thread+0x6c8/0xf00 kernel/workqueue.c:3398
kthread+0x3af/0x750 kernel/kthread.c:464
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

Second to last potentially related work creation:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_record_aux_stack+0x9b/0xb0 mm/kasan/generic.c:548
insert_work+0x36/0x230 kernel/workqueue.c:2183
__queue_work+0x97e/0x1080 kernel/workqueue.c:2339
queue_work_on+0x11a/0x140 kernel/workqueue.c:2390
queue_work include/linux/workqueue.h:662 [inline]
schedule_work include/linux/workqueue.h:723 [inline]
steam_client_ll_open+0xab/0xf0 drivers/hid/hid-steam.c:1146
hid_hw_open+0xe2/0x170 drivers/hid/hid-core.c:2392
hidraw_open+0x274/0x7e0 drivers/hid/hidraw.c:308
chrdev_open+0x237/0x6a0 fs/char_dev.c:414
do_dentry_open+0x6cb/0x1390 fs/open.c:956
vfs_open+0x82/0x3f0 fs/open.c:1086
do_open fs/namei.c:3830 [inline]
path_openat+0x1e88/0x2d80 fs/namei.c:3989
do_filp_open+0x20c/0x470 fs/namei.c:4016
do_sys_openat2+0x17a/0x1e0 fs/open.c:1428
do_sys_open fs/open.c:1443 [inline]
__do_sys_openat fs/open.c:1459 [inline]
__se_sys_openat fs/open.c:1454 [inline]
__x64_sys_openat+0x175/0x210 fs/open.c:1454
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff88810df35800
which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 304 bytes inside of
freed 1024-byte region [ffff88810df35800, ffff88810df35c00)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10df30
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x200000000000040(head|node=0|zone=2)
page_type: f5(slab)
raw: 0200000000000040 ffff888100041dc0 dead000000000100 dead000000000122
raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
head: 0200000000000040 ffff888100041dc0 dead000000000100 dead000000000122
head: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
head: 0200000000000003 ffffea000437cc01 ffffffffffffffff 0000000000000000
head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 2964, tgid 2964 (kworker/0:4), ts 65532168704, free_ts 64378220826
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x181/0x1b0 mm/page_alloc.c:1551
prep_new_page mm/page_alloc.c:1559 [inline]
get_page_from_freelist+0xe76/0x2b90 mm/page_alloc.c:3477
__alloc_frozen_pages_noprof+0x21c/0x2290 mm/page_alloc.c:4739
alloc_pages_mpol+0xe7/0x410 mm/mempolicy.c:2270
alloc_slab_page mm/slub.c:2423 [inline]
allocate_slab mm/slub.c:2587 [inline]
new_slab+0x23d/0x330 mm/slub.c:2640
___slab_alloc+0xc41/0x1670 mm/slub.c:3826
__slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3916
__slab_alloc_node mm/slub.c:3991 [inline]
slab_alloc_node mm/slub.c:4152 [inline]
__do_kmalloc_node mm/slub.c:4293 [inline]
__kmalloc_node_track_caller_noprof+0x157/0x4c0 mm/slub.c:4313
alloc_dr drivers/base/devres.c:119 [inline]
devm_kmalloc+0xa5/0x260 drivers/base/devres.c:843
devm_kzalloc include/linux/device.h:328 [inline]
steam_probe+0x132/0x1060 drivers/hid/hid-steam.c:1241
__hid_device_probe drivers/hid/hid-core.c:2713 [inline]
hid_device_probe+0x349/0x700 drivers/hid/hid-core.c:2750
call_driver_probe drivers/base/dd.c:579 [inline]
really_probe+0x23e/0xa90 drivers/base/dd.c:658
__driver_probe_device+0x1de/0x440 drivers/base/dd.c:800
driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:830
__device_attach_driver+0x1df/0x310 drivers/base/dd.c:958
bus_for_each_drv+0x157/0x1e0 drivers/base/bus.c:462
page last free pid 2959 tgid 2959 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1127 [inline]
free_frozen_pages+0x653/0xde0 mm/page_alloc.c:2660
__put_partials+0x14c/0x170 mm/slub.c:3153
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x4e/0x120 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x195/0x1e0 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x4e/0x70 mm/kasan/common.c:329
kasan_slab_alloc include/linux/kasan.h:250 [inline]
slab_post_alloc_hook mm/slub.c:4115 [inline]
slab_alloc_node mm/slub.c:4164 [inline]
kmem_cache_alloc_noprof+0x154/0x3b0 mm/slub.c:4171
skb_clone+0x190/0x3f0 net/core/skbuff.c:2084
do_one_broadcast net/netlink/af_netlink.c:1453 [inline]
netlink_broadcast_filtered+0xb11/0xef0 net/netlink/af_netlink.c:1531
netlink_broadcast+0x39/0x50 net/netlink/af_netlink.c:1555
uevent_net_broadcast_untagged lib/kobject_uevent.c:331 [inline]
kobject_uevent_net_broadcast lib/kobject_uevent.c:410 [inline]
kobject_uevent_env+0xc69/0x1870 lib/kobject_uevent.c:608
device_add+0x10e0/0x1a70 drivers/base/core.c:3646
usb_set_configuration+0x10cb/0x1c50 drivers/usb/core/message.c:2210
usb_generic_driver_probe+0xb1/0x110 drivers/usb/core/generic.c:250
usb_probe_device+0xec/0x3e0 drivers/usb/core/driver.c:291
call_driver_probe drivers/base/dd.c:579 [inline]
really_probe+0x23e/0xa90 drivers/base/dd.c:658
__driver_probe_device+0x1de/0x440 drivers/base/dd.c:800

Memory state around the buggy address:
ffff88810df35800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88810df35880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88810df35900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88810df35980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88810df35a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Hillf Danton

unread,
Feb 22, 2025, 7:28:00 PM2/22/25
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Sat, 22 Feb 2025 09:01:23 -0800
> syzbot found the following issue on:
>
> HEAD commit: 0a86e49acfbb dt-bindings: usb: samsung,exynos-dwc3 Add exy..
> git tree: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17c02ba4580000

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

--- x/drivers/hid/hid-steam.c
+++ y/drivers/hid/hid-steam.c
@@ -1086,15 +1086,14 @@ static void steam_work_unregister_cb(str
connected = steam->connected;
spin_unlock_irqrestore(&steam->lock, flags);

+ if (opened) {
+ steam_sensors_unregister(steam);
+ steam_input_unregister(steam);
+ }
if (connected) {
- if (opened) {
- steam_sensors_unregister(steam);
- steam_input_unregister(steam);
- } else {
- steam_set_lizard_mode(steam, lizard_mode);
- steam_input_register(steam);
- steam_sensors_register(steam);
- }
+ steam_set_lizard_mode(steam, lizard_mode);
+ steam_input_register(steam);
+ steam_sensors_register(steam);
}
}

--

syzbot

unread,
Feb 22, 2025, 8:24:05 PM2/22/25
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING: ODEBUG bug in release_nodes

hid-steam 0003:28DE:1102.012F: Steam Controller 'XXXXXXXXXX' disconnected
------------[ cut here ]------------
ODEBUG: free active (active state 0) object: ffff88811f475b00 object type: work_struct hint: steam_work_unregister_cb+0x0/0x180 drivers/hid/hid-steam.c:868
WARNING: CPU: 1 PID: 24 at lib/debugobjects.c:612 debug_print_object+0x1a2/0x2b0 lib/debugobjects.c:612
Modules linked in:
CPU: 1 UID: 0 PID: 24 Comm: kworker/1:0 Not tainted 6.14.0-rc3-syzkaller-00293-g5cf80612d3f7-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
Workqueue: usb_hub_wq hub_event
RIP: 0010:debug_print_object+0x1a2/0x2b0 lib/debugobjects.c:612
Code: fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 75 54 48 8b 14 dd c0 d4 47 87 41 56 4c 89 e6 48 c7 c7 40 c9 47 87 e8 df e1 c0 fe 90 <0f> 0b 90 90 58 83 05 f6 7f d8 07 01 48 83 c4 18 5b 5d 41 5c 41 5d
RSP: 0018:ffffc9000019f208 EFLAGS: 00010282
RAX: 0000000000000000 RBX: 0000000000000003 RCX: ffffffff813f4dd9
RDX: ffff888101e90000 RSI: ffffffff813f4de6 RDI: 0000000000000001
RBP: 0000000000000001 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000001 R12: ffffffff8747cfe0
R13: ffffffff87274240 R14: ffffffff85a7aab0 R15: ffffc9000019f318
FS: 0000000000000000(0000) GS:ffff8881f5900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000c007c44020 CR3: 0000000108ff0000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
__debug_check_no_obj_freed lib/debugobjects.c:1099 [inline]
debug_check_no_obj_freed+0x4b7/0x600 lib/debugobjects.c:1129
slab_free_hook mm/slub.c:2284 [inline]
slab_free mm/slub.c:4609 [inline]
kfree+0x2e1/0x480 mm/slub.c:4757
</TASK>


Tested on:

commit: 5cf80612 Merge tag 'x86-urgent-2025-02-22' of git://gi..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=13a7b498580000
kernel config: https://syzkaller.appspot.com/x/.config?x=28127f006c1c31ee
dashboard link: https://syzkaller.appspot.com/bug?extid=0154da2d403396b2bd59
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=16745fdf980000

Hillf Danton

unread,
Feb 22, 2025, 9:54:36 PM2/22/25
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Sat, 22 Feb 2025 09:01:23 -0800
> syzbot found the following issue on:
>
> HEAD commit: 0a86e49acfbb dt-bindings: usb: samsung,exynos-dwc3 Add exy..
> git tree: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17c02ba4580000

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

--- x/drivers/hid/hid-steam.c
+++ y/drivers/hid/hid-steam.c
@@ -1086,15 +1086,14 @@ static void steam_work_unregister_cb(str
connected = steam->connected;
spin_unlock_irqrestore(&steam->lock, flags);

+ if (opened) {
+ steam_sensors_unregister(steam);
+ steam_input_unregister(steam);
+ }
if (connected) {
- if (opened) {
- steam_sensors_unregister(steam);
- steam_input_unregister(steam);
- } else {
- steam_set_lizard_mode(steam, lizard_mode);
- steam_input_register(steam);
- steam_sensors_register(steam);
- }
+ steam_set_lizard_mode(steam, lizard_mode);
+ steam_input_register(steam);
+ steam_sensors_register(steam);
}
}

@@ -1340,6 +1339,7 @@ static void steam_remove(struct hid_devi
hid_hw_close(hdev);
hid_hw_stop(hdev);
steam_unregister(steam);
+ disable_work_sync(&steam->unregister_work);
}

static void steam_do_connect_event(struct steam_device *steam, bool connected)
--

syzbot

unread,
Feb 22, 2025, 10:47:05 PM2/22/25
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-use-after-free Read in steam_input_close

==================================================================
BUG: KASAN: slab-use-after-free in steam_input_close+0x13b/0x150 drivers/hid/hid-steam.c:621
Read of size 8 at addr ffff888135dc7130 by task acpid/2828

CPU: 0 UID: 0 PID: 2828 Comm: acpid Not tainted 6.14.0-rc3-syzkaller-00293-g5cf80612d3f7-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:408 [inline]
print_report+0xc3/0x670 mm/kasan/report.c:521
kasan_report+0xd9/0x110 mm/kasan/report.c:634
steam_input_close+0x13b/0x150 drivers/hid/hid-steam.c:621
input_close_device+0x21f/0x290 drivers/input/input.c:654
evdev_close_device drivers/input/evdev.c:405 [inline]
evdev_release+0x350/0x400 drivers/input/evdev.c:447
__fput+0x3ff/0xb70 fs/file_table.c:464
__fput_sync+0xa1/0xc0 fs/file_table.c:550
__do_sys_close fs/open.c:1580 [inline]
__se_sys_close fs/open.c:1565 [inline]
__x64_sys_close+0x86/0x100 fs/open.c:1565
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f31902de0a8
Code: 48 8b 05 83 9d 0d 00 64 c7 00 16 00 00 00 83 c8 ff 48 83 c4 20 5b c3 64 8b 04 25 18 00 00 00 85 c0 75 20 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 76 5b 48 8b 15 51 9d 0d 00 f7 d8 64 89 02 48 83
RSP: 002b:00007fff1432be88 EFLAGS: 00000246 ORIG_RAX: 0000000000000003
RAX: ffffffffffffffda RBX: 00007fff1432c118 RCX: 00007f31902de0a8
RDX: 0000000000000000 RSI: 000000000000001e RDI: 000000000000000a
RBP: 000000000000000a R08: 0000000000000008 R09: 00007fff1432bff8
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fff1432bff8
R13: 0000000000000040 R14: 00007fff1432c0f8 R15: 00007fff1432bff8
</TASK>

Allocated by task 2803:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
__kasan_kmalloc+0x8f/0xa0 mm/kasan/common.c:394
kasan_kmalloc include/linux/kasan.h:260 [inline]
__do_kmalloc_node mm/slub.c:4294 [inline]
__kmalloc_node_track_caller_noprof+0x20b/0x4c0 mm/slub.c:4313
alloc_dr drivers/base/devres.c:119 [inline]
devm_kmalloc+0xa5/0x260 drivers/base/devres.c:843
devm_kzalloc include/linux/device.h:328 [inline]
steam_probe+0x132/0x1060 drivers/hid/hid-steam.c:1240
hub_port_connect drivers/usb/core/hub.c:5533 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5673 [inline]
port_event drivers/usb/core/hub.c:5833 [inline]
hub_event+0x2e58/0x4f40 drivers/usb/core/hub.c:5915
process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3236
process_scheduled_works kernel/workqueue.c:3317 [inline]
worker_thread+0x6c8/0xf00 kernel/workqueue.c:3398
kthread+0x3af/0x750 kernel/kthread.c:464
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

Freed by task 2803:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:576
poison_slab_object mm/kasan/common.c:247 [inline]
__kasan_slab_free+0x37/0x50 mm/kasan/common.c:264
kasan_slab_free include/linux/kasan.h:233 [inline]
slab_free_hook mm/slub.c:2353 [inline]
slab_free mm/slub.c:4609 [inline]
kfree+0x294/0x480 mm/slub.c:4757
Last potentially related work creation:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_record_aux_stack+0x9b/0xb0 mm/kasan/generic.c:548
insert_work+0x36/0x230 kernel/workqueue.c:2183
__queue_work+0x97e/0x1080 kernel/workqueue.c:2339
queue_work_on+0x11a/0x140 kernel/workqueue.c:2390
hid_hw_close+0xaf/0xe0 drivers/hid/hid-core.c:2415
drop_ref+0x186/0x390 drivers/hid/hidraw.c:360
hidraw_release+0x3e6/0x560 drivers/hid/hidraw.c:384
__fput+0x3ff/0xb70 fs/file_table.c:464
task_work_run+0x14e/0x250 kernel/task_work.c:227
resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
exit_to_user_mode_loop kernel/entry/common.c:114 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
syscall_exit_to_user_mode+0x24e/0x260 kernel/entry/common.c:218
do_syscall_64+0xda/0x250 arch/x86/entry/common.c:89
entry_SYSCALL_64_after_hwframe+0x77/0x7f

Second to last potentially related work creation:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_record_aux_stack+0x9b/0xb0 mm/kasan/generic.c:548
insert_work+0x36/0x230 kernel/workqueue.c:2183
__queue_work+0x97e/0x1080 kernel/workqueue.c:2339
queue_work_on+0x11a/0x140 kernel/workqueue.c:2390
queue_work include/linux/workqueue.h:662 [inline]
schedule_work include/linux/workqueue.h:723 [inline]
steam_client_ll_open+0xab/0xf0 drivers/hid/hid-steam.c:1145
hid_hw_open+0xe2/0x170 drivers/hid/hid-core.c:2392
hidraw_open+0x274/0x7e0 drivers/hid/hidraw.c:308
chrdev_open+0x237/0x6a0 fs/char_dev.c:414
do_dentry_open+0x6cb/0x1390 fs/open.c:956
vfs_open+0x82/0x3f0 fs/open.c:1086
do_open fs/namei.c:3830 [inline]
path_openat+0x1e88/0x2d80 fs/namei.c:3989
do_filp_open+0x20c/0x470 fs/namei.c:4016
do_sys_openat2+0x17a/0x1e0 fs/open.c:1428
do_sys_open fs/open.c:1443 [inline]
__do_sys_openat fs/open.c:1459 [inline]
__se_sys_openat fs/open.c:1454 [inline]
__x64_sys_openat+0x175/0x210 fs/open.c:1454
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff888135dc7000
which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 304 bytes inside of
freed 1024-byte region [ffff888135dc7000, ffff888135dc7400)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x135dc0
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x200000000000040(head|node=0|zone=2)
page_type: f5(slab)
raw: 0200000000000040 ffff888100041dc0 ffffea000460f200 dead000000000002
raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
head: 0200000000000040 ffff888100041dc0 ffffea000460f200 dead000000000002
head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
head: 0200000000000003 ffffea0004d77001 ffffffffffffffff 0000000000000000
head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 3037, tgid 3037 (syz-executor), ts 50506887177, free_ts 0
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x181/0x1b0 mm/page_alloc.c:1551
prep_new_page mm/page_alloc.c:1559 [inline]
get_page_from_freelist+0xe76/0x2b90 mm/page_alloc.c:3477
__alloc_frozen_pages_noprof+0x21c/0x2290 mm/page_alloc.c:4739
alloc_pages_mpol+0xe7/0x410 mm/mempolicy.c:2270
alloc_slab_page mm/slub.c:2423 [inline]
allocate_slab mm/slub.c:2587 [inline]
new_slab+0x23d/0x330 mm/slub.c:2640
___slab_alloc+0xc41/0x1670 mm/slub.c:3826
__slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3916
__slab_alloc_node mm/slub.c:3991 [inline]
slab_alloc_node mm/slub.c:4152 [inline]
__do_kmalloc_node mm/slub.c:4293 [inline]
__kmalloc_noprof+0x154/0x4d0 mm/slub.c:4306
kmalloc_noprof include/linux/slab.h:905 [inline]
kzalloc_noprof include/linux/slab.h:1037 [inline]
ip6t_alloc_initial_table+0x6c/0x7b0 net/ipv6/netfilter/ip6_tables.c:40
ip6table_filter_table_init+0x1c/0xa0 net/ipv6/netfilter/ip6table_filter.c:41
xt_find_table_lock+0x2dc/0x520 net/netfilter/x_tables.c:1260
xt_request_find_table_lock+0x28/0xf0 net/netfilter/x_tables.c:1285
get_info+0x13d/0x490 net/ipv6/netfilter/ip6_tables.c:979
do_ip6t_get_ctl+0x176/0x10b0 net/ipv6/netfilter/ip6_tables.c:1668
nf_getsockopt+0x79/0xe0 net/netfilter/nf_sockopt.c:116
ipv6_getsockopt+0x1f7/0x280 net/ipv6/ipv6_sockglue.c:1493
page_owner free stack trace missing

Memory state around the buggy address:
ffff888135dc7000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888135dc7080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888135dc7100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888135dc7180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888135dc7200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


Tested on:

commit: 5cf80612 Merge tag 'x86-urgent-2025-02-22' of git://gi..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=14d87498580000
kernel config: https://syzkaller.appspot.com/x/.config?x=28127f006c1c31ee
dashboard link: https://syzkaller.appspot.com/bug?extid=0154da2d403396b2bd59
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=14ea5fdf980000

Hillf Danton

unread,
Feb 23, 2025, 2:30:27 AM2/23/25
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Sat, 22 Feb 2025 09:01:23 -0800
> syzbot found the following issue on:
>
> HEAD commit: 0a86e49acfbb dt-bindings: usb: samsung,exynos-dwc3 Add exy..
> git tree: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17c02ba4580000

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

--- x/drivers/hid/hid-steam.c
+++ y/drivers/hid/hid-steam.c
@@ -618,6 +618,8 @@ static void steam_input_close(struct inp
unsigned long flags;
bool set_lizard_mode;

+ if (dev->going_away)
+ return;
if (!(steam->quirks & STEAM_QUIRK_DECK)) {
spin_lock_irqsave(&steam->lock, flags);
set_lizard_mode = !steam->client_opened && lizard_mode;
@@ -1086,6 +1088,11 @@ static void steam_work_unregister_cb(str
connected = steam->connected;
spin_unlock_irqrestore(&steam->lock, flags);

+ if (opened) {
+ steam_sensors_unregister(steam);
+ steam_input_unregister(steam);
+ opened = false;
+ }
if (connected) {
if (opened) {
steam_sensors_unregister(steam);
--

syzbot

unread,
Feb 23, 2025, 2:52:04 AM2/23/25
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING: ODEBUG bug in release_nodes

------------[ cut here ]------------
ODEBUG: free active (active state 0) object: ffff888112274300 object type: work_struct hint: steam_work_unregister_cb+0x0/0x180 drivers/hid/hid-steam.c:870
WARNING: CPU: 1 PID: 36 at lib/debugobjects.c:612 debug_print_object+0x1a2/0x2b0 lib/debugobjects.c:612
Modules linked in:
CPU: 1 UID: 0 PID: 36 Comm: kworker/1:1 Not tainted 6.14.0-rc3-syzkaller-00295-g27102b38b8ca-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
Workqueue: usb_hub_wq hub_event
RIP: 0010:debug_print_object+0x1a2/0x2b0 lib/debugobjects.c:612
Code: fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 75 54 48 8b 14 dd c0 d4 47 87 41 56 4c 89 e6 48 c7 c7 40 c9 47 87 e8 df e1 c0 fe 90 <0f> 0b 90 90 58 83 05 f6 7f d8 07 01 48 83 c4 18 5b 5d 41 5c 41 5d
RSP: 0018:ffffc90000267208 EFLAGS: 00010282
RAX: 0000000000000000 RBX: 0000000000000003 RCX: ffffffff813f4dd9
RDX: ffff888102ed57c0 RSI: ffffffff813f4de6 RDI: 0000000000000001
RBP: 0000000000000001 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000001 R12: ffffffff8747cfe0
R13: ffffffff87274240 R14: ffffffff85a7ab00 R15: ffffc90000267318
FS: 0000000000000000(0000) GS:ffff8881f5900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f8542fc7bac CR3: 0000000116b54000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
__debug_check_no_obj_freed lib/debugobjects.c:1099 [inline]
debug_check_no_obj_freed+0x4b7/0x600 lib/debugobjects.c:1129
slab_free_hook mm/slub.c:2284 [inline]
slab_free mm/slub.c:4609 [inline]
kfree+0x2e1/0x480 mm/slub.c:4757
</TASK>


Tested on:

commit: 27102b38 Merge tag 'v6.14-rc3-smb3-client-fix-part2' o..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=142d5fdf980000
kernel config: https://syzkaller.appspot.com/x/.config?x=28127f006c1c31ee
dashboard link: https://syzkaller.appspot.com/bug?extid=0154da2d403396b2bd59
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=170157f8580000

Hillf Danton

unread,
Feb 23, 2025, 4:04:17 AM2/23/25
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Sat, 22 Feb 2025 09:01:23 -0800
> syzbot found the following issue on:
>
> HEAD commit: 0a86e49acfbb dt-bindings: usb: samsung,exynos-dwc3 Add exy..
> git tree: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17c02ba4580000

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

--- x/drivers/hid/hid-steam.c
+++ y/drivers/hid/hid-steam.c
@@ -618,6 +618,8 @@ static void steam_input_close(struct inp
unsigned long flags;
bool set_lizard_mode;

+ if (dev->going_away)
+ return;
if (!(steam->quirks & STEAM_QUIRK_DECK)) {
spin_lock_irqsave(&steam->lock, flags);
set_lizard_mode = !steam->client_opened && lizard_mode;
@@ -1086,6 +1088,11 @@ static void steam_work_unregister_cb(str
connected = steam->connected;
spin_unlock_irqrestore(&steam->lock, flags);

+ if (opened) {
+ steam_sensors_unregister(steam);
+ steam_input_unregister(steam);
+ opened = false;
+ }
if (connected) {
if (opened) {
steam_sensors_unregister(steam);
@@ -1340,6 +1347,7 @@ static void steam_remove(struct hid_devi

syzbot

unread,
Feb 23, 2025, 4:17:03 AM2/23/25
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-use-after-free Read in steam_input_open

==================================================================
BUG: KASAN: slab-use-after-free in steam_input_open+0x14d/0x160 drivers/hid/hid-steam.c:604
Read of size 8 at addr ffff8881063ff130 by task udevd/6832

CPU: 0 UID: 0 PID: 6832 Comm: udevd Not tainted 6.14.0-rc3-syzkaller-00295-g27102b38b8ca-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:408 [inline]
print_report+0xc3/0x670 mm/kasan/report.c:521
kasan_report+0xd9/0x110 mm/kasan/report.c:634
steam_input_open+0x14d/0x160 drivers/hid/hid-steam.c:604
input_open_device+0x230/0x390 drivers/input/input.c:600
evdev_open_device drivers/input/evdev.c:391 [inline]
evdev_open+0x52d/0x690 drivers/input/evdev.c:478
chrdev_open+0x237/0x6a0 fs/char_dev.c:414
do_dentry_open+0x6cb/0x1390 fs/open.c:956
vfs_open+0x82/0x3f0 fs/open.c:1086
do_open fs/namei.c:3830 [inline]
path_openat+0x1e88/0x2d80 fs/namei.c:3989
do_filp_open+0x20c/0x470 fs/namei.c:4016
do_sys_openat2+0x17a/0x1e0 fs/open.c:1428
do_sys_open fs/open.c:1443 [inline]
__do_sys_openat fs/open.c:1459 [inline]
__se_sys_openat fs/open.c:1454 [inline]
__x64_sys_openat+0x175/0x210 fs/open.c:1454
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fb8155fa9a4
Code: 24 20 48 8d 44 24 30 48 89 44 24 28 64 8b 04 25 18 00 00 00 85 c0 75 2c 44 89 e2 48 89 ee bf 9c ff ff ff b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 76 60 48 8b 15 55 a4 0d 00 f7 d8 64 89 02 48 83
RSP: 002b:00007fffe256d960 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fb8155fa9a4
RDX: 0000000000080000 RSI: 000055674c828210 RDI: 00000000ffffff9c
RBP: 000055674c828210 R08: 000055674c851628 R09: fffffffffffffe98
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000080000
R13: 00007fffe256db28 R14: 0000000000000000 R15: 0000556737a63ed5
</TASK>

Allocated by task 24:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
__kasan_kmalloc+0x8f/0xa0 mm/kasan/common.c:394
kasan_kmalloc include/linux/kasan.h:260 [inline]
__do_kmalloc_node mm/slub.c:4294 [inline]
__kmalloc_node_track_caller_noprof+0x20b/0x4c0 mm/slub.c:4313
alloc_dr drivers/base/devres.c:119 [inline]
devm_kmalloc+0xa5/0x260 drivers/base/devres.c:843
devm_kzalloc include/linux/device.h:328 [inline]
steam_probe+0x132/0x1060 drivers/hid/hid-steam.c:1248
hub_port_connect drivers/usb/core/hub.c:5533 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5673 [inline]
port_event drivers/usb/core/hub.c:5833 [inline]
hub_event+0x2e58/0x4f40 drivers/usb/core/hub.c:5915
process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3236
process_scheduled_works kernel/workqueue.c:3317 [inline]
worker_thread+0x6c8/0xf00 kernel/workqueue.c:3398
kthread+0x3af/0x750 kernel/kthread.c:464
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

Freed by task 24:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:576
poison_slab_object mm/kasan/common.c:247 [inline]
__kasan_slab_free+0x37/0x50 mm/kasan/common.c:264
kasan_slab_free include/linux/kasan.h:233 [inline]
slab_free_hook mm/slub.c:2353 [inline]
slab_free mm/slub.c:4609 [inline]
kfree+0x294/0x480 mm/slub.c:4757
steam_client_ll_open+0xab/0xf0 drivers/hid/hid-steam.c:1153
hid_hw_open+0xe2/0x170 drivers/hid/hid-core.c:2392
hidraw_open+0x274/0x7e0 drivers/hid/hidraw.c:308
chrdev_open+0x237/0x6a0 fs/char_dev.c:414
do_dentry_open+0x6cb/0x1390 fs/open.c:956
vfs_open+0x82/0x3f0 fs/open.c:1086
do_open fs/namei.c:3830 [inline]
path_openat+0x1e88/0x2d80 fs/namei.c:3989
do_filp_open+0x20c/0x470 fs/namei.c:4016
do_sys_openat2+0x17a/0x1e0 fs/open.c:1428
do_sys_open fs/open.c:1443 [inline]
__do_sys_openat fs/open.c:1459 [inline]
__se_sys_openat fs/open.c:1454 [inline]
__x64_sys_openat+0x175/0x210 fs/open.c:1454
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff8881063ff000
which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 304 bytes inside of
freed 1024-byte region [ffff8881063ff000, ffff8881063ff400)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff8881063ff800 pfn:0x1063f8
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
anon flags: 0x200000000000040(head|node=0|zone=2)
page_type: f5(slab)
raw: 0200000000000040 ffff888100041dc0 ffffea00044cca00 dead000000000003
raw: ffff8881063ff800 000000000010000e 00000000f5000000 0000000000000000
head: 0200000000000040 ffff888100041dc0 ffffea00044cca00 dead000000000003
head: ffff8881063ff800 000000000010000e 00000000f5000000 0000000000000000
head: 0200000000000003 ffffea000418fe01 ffffffffffffffff 0000000000000000
head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x252800(GFP_NOWAIT|__GFP_NORETRY|__GFP_COMP|__GFP_THISNODE), pid 1, tgid 1 (swapper/0), ts 7397750427, free_ts 0
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x181/0x1b0 mm/page_alloc.c:1551
prep_new_page mm/page_alloc.c:1559 [inline]
get_page_from_freelist+0xe76/0x2b90 mm/page_alloc.c:3477
__alloc_frozen_pages_noprof+0x21c/0x2290 mm/page_alloc.c:4739
alloc_slab_page mm/slub.c:2425 [inline]
allocate_slab mm/slub.c:2587 [inline]
new_slab+0x94/0x330 mm/slub.c:2640
___slab_alloc+0xc41/0x1670 mm/slub.c:3826
__slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3916
__slab_alloc_node mm/slub.c:3991 [inline]
slab_alloc_node mm/slub.c:4152 [inline]
__kmalloc_cache_node_noprof+0x21b/0x3f0 mm/slub.c:4333
kmalloc_node_noprof include/linux/slab.h:924 [inline]
blk_mq_alloc_hctx block/blk-mq.c:3945 [inline]
blk_mq_alloc_and_init_hctx+0x639/0x11b0 block/blk-mq.c:4448
blk_mq_realloc_hw_ctxs+0x8e0/0xbe0 block/blk-mq.c:4481
blk_mq_init_allocated_queue+0x39e/0x11f0 block/blk-mq.c:4535
blk_mq_alloc_queue+0x1c3/0x290 block/blk-mq.c:4348
scsi_alloc_sdev+0x890/0xd80 drivers/scsi/scsi_scan.c:338
scsi_probe_and_add_lun+0x525/0x7b0 drivers/scsi/scsi_scan.c:1209
__scsi_scan_target+0x1e6/0x4e0 drivers/scsi/scsi_scan.c:1774
scsi_scan_channel drivers/scsi/scsi_scan.c:1862 [inline]
scsi_scan_channel+0x149/0x1e0 drivers/scsi/scsi_scan.c:1838
scsi_scan_host_selected+0x2ae/0x370 drivers/scsi/scsi_scan.c:1891
page_owner free stack trace missing

Memory state around the buggy address:
ffff8881063ff000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8881063ff080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8881063ff100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8881063ff180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8881063ff200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


Tested on:

commit: 27102b38 Merge tag 'v6.14-rc3-smb3-client-fix-part2' o..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=17cec7a4580000
kernel config: https://syzkaller.appspot.com/x/.config?x=28127f006c1c31ee
dashboard link: https://syzkaller.appspot.com/bug?extid=0154da2d403396b2bd59
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=158553b8580000

Edward Adam Davis

unread,
Feb 23, 2025, 4:23:05 AM2/23/25
to syzbot+0154da...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
#syz test

diff --git a/drivers/input/input.c b/drivers/input/input.c
index c9e3ac64bcd0..75d273630ce4 100644
--- a/drivers/input/input.c
+++ b/drivers/input/input.c
@@ -579,7 +579,7 @@ int input_open_device(struct input_handle *handle)
struct input_dev *dev = handle->dev;
int error;

- scoped_cond_guard(mutex_intr, return -EINTR, &dev->mutex) {
+ scoped_cond_guard(mutex_intr, return -EINTR, &input_mutex) {
if (dev->going_away)
return -ENODEV;


syzbot

unread,
Feb 23, 2025, 4:51:03 AM2/23/25
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

ource [io 0x0000-0x0cf7 window]
[ 3.463325][ T1] pci_bus 0000:00: root bus resource [io 0x0d00-0xffff window]
[ 3.465986][ T1] pci_bus 0000:00: root bus resource [mem 0x000a0000-0x000bffff window]
[ 3.469157][ T1] pci_bus 0000:00: root bus resource [mem 0xc0000000-0xfebfefff window]
[ 3.472205][ T1] pci_bus 0000:00: root bus resource [bus 00-ff]
[ 3.473782][ T1] pci 0000:00:00.0: [8086:1237] type 00 class 0x060000 conventional PCI endpoint
[ 3.484482][ T1] pci 0000:00:01.0: [8086:7110] type 00 class 0x060100 conventional PCI endpoint
[ 3.498697][ T1] pci 0000:00:01.3: [8086:7113] type 00 class 0x068000 conventional PCI endpoint
[ 3.509581][ T1] pci 0000:00:01.3: quirk: [io 0xb000-0xb03f] claimed by PIIX4 ACPI
[ 3.517550][ T1] pci 0000:00:03.0: [1af4:1004] type 00 class 0x000000 conventional PCI endpoint
[ 3.535057][ T1] pci 0000:00:03.0: BAR 0 [io 0xc000-0xc03f]
[ 3.537097][ T1] pci 0000:00:03.0: BAR 1 [mem 0xfe800000-0xfe80007f]
[ 3.544872][ T1] pci 0000:00:04.0: [1af4:1000] type 00 class 0x020000 conventional PCI endpoint
[ 3.561393][ T1] pci 0000:00:04.0: BAR 0 [io 0xc040-0xc07f]
[ 3.563343][ T1] pci 0000:00:04.0: BAR 1 [mem 0xfe801000-0xfe80107f]
[ 3.570338][ T1] pci 0000:00:05.0: [1ae0:a002] type 00 class 0x030000 conventional PCI endpoint
[ 3.585610][ T1] pci 0000:00:05.0: BAR 0 [mem 0xfe000000-0xfe7fffff]
[ 3.588960][ T1] pci 0000:00:05.0: Video device with shadowed ROM at [mem 0x000c0000-0x000dffff]
[ 3.597791][ T1] pci 0000:00:06.0: [1af4:1002] type 00 class 0x00ff00 conventional PCI endpoint
[ 3.611209][ T1] pci 0000:00:06.0: BAR 0 [io 0xc080-0xc09f]
[ 3.617655][ T1] pci 0000:00:07.0: [1af4:1005] type 00 class 0x00ff00 conventional PCI endpoint
[ 3.632109][ T1] pci 0000:00:07.0: BAR 0 [io 0xc0a0-0xc0bf]
[ 3.635623][ T1] pci 0000:00:07.0: BAR 1 [mem 0xfe802000-0xfe80203f]
[ 3.669511][ T1] ACPI: PCI: Interrupt link LNKA configured for IRQ 10
[ 3.677322][ T1] ACPI: PCI: Interrupt link LNKB configured for IRQ 10
[ 3.687243][ T1] ACPI: PCI: Interrupt link LNKC configured for IRQ 11
[ 3.696353][ T1] ACPI: PCI: Interrupt link LNKD configured for IRQ 11
[ 3.702587][ T1] ACPI: PCI: Interrupt link LNKS configured for IRQ 9
[ 3.721105][ T1] iommu: Default domain type: Translated
[ 3.722975][ T1] iommu: DMA domain TLB invalidation policy: lazy mode
[ 3.727197][ T1] SCSI subsystem initialized
[ 3.745508][ T1] ACPI: bus type USB registered
[ 3.747961][ T1] usbcore: registered new interface driver usbfs
[ 3.750545][ T1] usbcore: registered new interface driver hub
[ 3.752997][ T1] usbcore: registered new device driver usb
[ 3.755635][ T1] mc: Linux media interface: v0.10
[ 3.757897][ T1] videodev: Linux video capture interface: v2.00
[ 3.761166][ T1] pps_core: LinuxPPS API ver. 1 registered
[ 3.763309][ T1] pps_core: Software ver. 5.3.6 - Copyright 2005-2007 Rodolfo Giometti <giom...@linux.it>
[ 3.767164][ T1] PTP clock support registered
[ 3.784211][ T1] EDAC MC: Ver: 3.0.0
[ 3.807359][ T1] Advanced Linux Sound Architecture Driver Initialized.
[ 3.817665][ T1] Bluetooth: Core ver 2.22
[ 3.819562][ T1] NET: Registered PF_BLUETOOTH protocol family
[ 3.821239][ T1] Bluetooth: HCI device and connection manager initialized
[ 3.822978][ T1] Bluetooth: HCI socket layer initialized
[ 3.823341][ T1] Bluetooth: L2CAP socket layer initialized
[ 3.824795][ T1] Bluetooth: SCO socket layer initialized
[ 3.826338][ T1] NET: Registered PF_ATMPVC protocol family
[ 3.827830][ T1] NET: Registered PF_ATMSVC protocol family
[ 3.829620][ T1] NetLabel: Initializing
[ 3.830990][ T1] NetLabel: domain hash size = 128
[ 3.833307][ T1] NetLabel: protocols = UNLABELED CIPSOv4 CALIPSO
[ 3.836266][ T1] NetLabel: unlabeled traffic allowed by default
[ 3.843290][ T1] nfc: nfc_init: NFC Core ver 0.1
[ 3.843801][ T1] NET: Registered PF_NFC protocol family
[ 3.846041][ T1] PCI: Using ACPI for IRQ routing
[ 3.849665][ T1] pci 0000:00:05.0: vgaarb: setting as boot VGA device
[ 3.852568][ T1] pci 0000:00:05.0: vgaarb: bridge control possible
[ 3.853287][ T1] pci 0000:00:05.0: vgaarb: VGA device added: decodes=io+mem,owns=io+mem,locks=none
[ 3.863312][ T1] vgaarb: loaded
[ 3.918207][ T1] clocksource: Switched to clocksource kvm-clock
[ 3.932462][ T1] VFS: Disk quotas dquot_6.6.0
[ 3.934309][ T1] VFS: Dquot-cache hash table entries: 512 (order 0, 4096 bytes)
[ 3.941793][ T1] pnp: PnP ACPI init
[ 3.966334][ T1] pnp: PnP ACPI: found 7 devices
[ 4.022143][ T1] clocksource: acpi_pm: mask: 0xffffff max_cycles: 0xffffff, max_idle_ns: 2085701024 ns
[ 4.026722][ T1] NET: Registered PF_INET protocol family
[ 4.029726][ T1] IP idents hash table entries: 131072 (order: 8, 1048576 bytes, linear)
[ 4.057661][ T1] tcp_listen_portaddr_hash hash table entries: 4096 (order: 6, 294912 bytes, linear)
[ 4.061945][ T1] Table-perturb hash table entries: 65536 (order: 6, 262144 bytes, linear)
[ 4.065306][ T1] TCP established hash table entries: 65536 (order: 7, 524288 bytes, linear)
[ 4.079908][ T1] TCP bind hash table entries: 65536 (order: 11, 9437184 bytes, vmalloc hugepage)
[ 4.095435][ T1] TCP: Hash tables configured (established 65536 bind 65536)
[ 4.099377][ T1] UDP hash table entries: 4096 (order: 8, 1048576 bytes, linear)
[ 4.103973][ T1] UDP-Lite hash table entries: 4096 (order: 8, 1048576 bytes, linear)
[ 4.109358][ T1] NET: Registered PF_UNIX/PF_LOCAL protocol family
[ 4.115024][ T1] RPC: Registered named UNIX socket transport module.
[ 4.117573][ T1] RPC: Registered udp transport module.
[ 4.119562][ T1] RPC: Registered tcp transport module.
[ 4.121568][ T1] RPC: Registered tcp-with-tls transport module.
[ 4.123951][ T1] RPC: Registered tcp NFSv4.1 backchannel transport module.
[ 4.132788][ T1] pci_bus 0000:00: resource 4 [io 0x0000-0x0cf7 window]
[ 4.135225][ T1] pci_bus 0000:00: resource 5 [io 0x0d00-0xffff window]
[ 4.137681][ T1] pci_bus 0000:00: resource 6 [mem 0x000a0000-0x000bffff window]
[ 4.140403][ T1] pci_bus 0000:00: resource 7 [mem 0xc0000000-0xfebfefff window]
[ 4.144591][ T1] pci 0000:00:00.0: Limiting direct PCI/PCI transfers
[ 4.147415][ T1] PCI: CLS 0 bytes, default 64
[ 4.149454][ T1] PCI-DMA: Using software bounce buffering for IO (SWIOTLB)
[ 4.152150][ T1] software IO TLB: mapped [mem 0x00000000bbffd000-0x00000000bfffd000] (64MB)
[ 4.162476][ T1] RAPL PMU: API unit is 2^-32 Joules, 0 fixed counters, 10737418240 ms ovfl timer
[ 4.165933][ T1] clocksource: tsc: mask: 0xffffffffffffffff max_cycles: 0x1fb63109b96, max_idle_ns: 440795265316 ns
[ 4.194080][ T1] clocksource: Switched to clocksource tsc
[ 4.198133][ T47] kworker/u8:0 (47) used greatest stack depth: 27904 bytes left
[ 4.427818][ T57] kworker/u8:0 (57) used greatest stack depth: 27872 bytes left
[ 4.443204][ T62] kworker/u8:0 (62) used greatest stack depth: 26864 bytes left
[ 7.013884][ T1] Initialise system trusted keyrings
[ 7.016895][ T1] workingset: timestamp_bits=40 max_order=21 bucket_order=0
[ 7.023563][ T1] NFS: Registering the id_resolver key type
[ 7.025658][ T1] Key type id_resolver registered
[ 7.027644][ T1] Key type id_legacy registered
[ 7.030687][ T1] 9p: Installing v9fs 9p2000 file system support
[ 7.074583][ T1] Key type asymmetric registered
[ 7.075691][ T1] Asymmetric key parser 'x509' registered
[ 7.077398][ T1] Block layer SCSI generic (bsg) driver version 0.4 loaded (major 246)
[ 7.080437][ T1] io scheduler mq-deadline registered
[ 7.082146][ T1] io scheduler kyber registered
[ 7.088789][ T1] usbcore: registered new interface driver udlfb
[ 7.093006][ T1] usbcore: registered new interface driver smscufx
[ 7.097895][ T1] input: Power Button as /devices/LNXSYSTM:00/LNXPWRBN:00/input/input0
[ 7.101275][ T1]
[ 7.101676][ T1] ============================================
[ 7.103134][ T1] WARNING: possible recursive locking detected
[ 7.105147][ T1] 6.14.0-rc3-syzkaller-00037-gc749f058b437-dirty #0 Not tainted
[ 7.108027][ T1] --------------------------------------------
[ 7.109536][ T1] swapper/0/1 is trying to acquire lock:
[ 7.111185][ T1] ffffffff89be7b08 (input_mutex){+.+.}-{4:4}, at: input_open_device+0x47/0x370
[ 7.111185][ T1]
[ 7.111185][ T1] but task is already holding lock:
[ 7.111185][ T1] ffffffff89be7b08 (input_mutex){+.+.}-{4:4}, at: input_register_device+0x98a/0x1130
[ 7.111185][ T1]
[ 7.111185][ T1] other info that might help us debug this:
[ 7.111185][ T1] Possible unsafe locking scenario:
[ 7.111185][ T1]
[ 7.111185][ T1] CPU0
[ 7.111185][ T1] ----
[ 7.111185][ T1] lock(input_mutex);
[ 7.111185][ T1] lock(input_mutex);
[ 7.111185][ T1]
[ 7.111185][ T1] *** DEADLOCK ***
[ 7.111185][ T1]
[ 7.111185][ T1] May be due to missing lock nesting notation
[ 7.111185][ T1]
[ 7.111185][ T1] 2 locks held by swapper/0/1:
[ 7.111185][ T1] #0: ffff888106ab3348 (&dev->mutex){....}-{4:4}, at: __driver_attach+0x278/0x580
[ 7.111185][ T1] #1: ffffffff89be7b08 (input_mutex){+.+.}-{4:4}, at: input_register_device+0x98a/0x1130
[ 7.111185][ T1]
[ 7.111185][ T1] stack backtrace:
[ 7.111185][ T1] CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.14.0-rc3-syzkaller-00037-gc749f058b437-dirty #0
[ 7.111185][ T1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
[ 7.111185][ T1] Call Trace:
[ 7.111185][ T1] <TASK>
[ 7.111185][ T1] dump_stack_lvl+0x116/0x1f0
[ 7.111185][ T1] print_deadlock_bug+0x2e3/0x410
[ 7.111185][ T1] __lock_acquire+0x2117/0x3c40
[ 7.111185][ T1] ? __pfx___lock_acquire+0x10/0x10
[ 7.111185][ T1] lock_acquire.part.0+0x11b/0x380
[ 7.111185][ T1] ? input_open_device+0x47/0x370
[ 7.111185][ T1] ? __pfx_lock_acquire.part.0+0x10/0x10
[ 7.111185][ T1] ? rcu_is_watching+0x12/0xc0
[ 7.111185][ T1] ? trace_lock_acquire+0x14e/0x1f0
[ 7.111185][ T1] ? input_register_handle+0x22f/0x5f0
[ 7.111185][ T1] ? input_open_device+0x47/0x370
[ 7.111185][ T1] ? lock_acquire+0x2f/0xb0
[ 7.111185][ T1] ? input_open_device+0x47/0x370
[ 7.111185][ T1] __mutex_lock+0x19b/0xb10
[ 7.111185][ T1] ? input_open_device+0x47/0x370
[ 7.111185][ T1] ? input_open_device+0x47/0x370
[ 7.111185][ T1] ? __pfx___mutex_lock+0x10/0x10
[ 7.111185][ T1] ? __pfx___mutex_unlock_slowpath+0x10/0x10
[ 7.111185][ T1] ? __pfx___might_resched+0x10/0x10
[ 7.111185][ T1] ? input_open_device+0x47/0x370
[ 7.111185][ T1] input_open_device+0x47/0x370
[ 7.111185][ T1] kbd_connect+0x103/0x160
[ 7.111185][ T1] input_attach_handler.isra.0+0x181/0x260
[ 7.111185][ T1] input_register_device+0xa84/0x1130
[ 7.111185][ T1] acpi_button_add+0x57a/0xb70
[ 7.111185][ T1] ? __pfx_acpi_button_notify+0x10/0x10
[ 7.111185][ T1] ? __pfx_acpi_button_add+0x10/0x10
[ 7.111185][ T1] acpi_device_probe+0xc6/0x330
[ 7.111185][ T1] ? driver_sysfs_add+0xa5/0x2d0
[ 7.111185][ T1] ? __pfx_acpi_device_probe+0x10/0x10
[ 7.111185][ T1] really_probe+0x23e/0xa90
[ 7.111185][ T1] __driver_probe_device+0x1de/0x440
[ 7.111185][ T1] driver_probe_device+0x4c/0x1b0
[ 7.111185][ T1] __driver_attach+0x283/0x580
[ 7.111185][ T1] ? __pfx___driver_attach+0x10/0x10
[ 7.111185][ T1] bus_for_each_dev+0x13c/0x1d0
[ 7.111185][ T1] ? __pfx_bus_for_each_dev+0x10/0x10
[ 7.111185][ T1] bus_add_driver+0x2e9/0x690
[ 7.111185][ T1] driver_register+0x15c/0x4b0
[ 7.111185][ T1] __acpi_bus_register_driver+0xdf/0x130
[ 7.111185][ T1] ? __pfx_acpi_button_driver_init+0x10/0x10
[ 7.111185][ T1] acpi_button_driver_init+0x82/0x110
[ 7.111185][ T1] do_one_initcall+0x128/0x700
[ 7.111185][ T1] ? __pfx_do_one_initcall+0x10/0x10
[ 7.111185][ T1] ? __kmalloc_noprof+0x22b/0x4d0
[ 7.111185][ T1] ? __asan_register_globals+0x1c/0x80
[ 7.111185][ T1] kernel_init_freeable+0x5c7/0x900
[ 7.111185][ T1] ? __pfx_kernel_init+0x10/0x10
[ 7.111185][ T1] kernel_init+0x1c/0x2b0
[ 7.111185][ T1] ? __pfx_kernel_init+0x10/0x10
[ 7.111185][ T1] ret_from_fork+0x45/0x80
[ 7.111185][ T1] ? __pfx_kernel_init+0x10/0x10
[ 7.111185][ T1] ret_from_fork_asm+0x1a/0x30
[ 7.111185][ T1] </TASK>
[ 311.073116][ T11] kworker/u8:0 (11) used greatest stack depth: 25856 bytes left


syzkaller build log:
go env (err=<nil>)
GO111MODULE='auto'
GOARCH='amd64'
GOBIN=''
GOCACHE='/syzkaller/.cache/go-build'
GOENV='/syzkaller/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMODCACHE='/syzkaller/jobs-2/linux/gopath/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/syzkaller/jobs-2/linux/gopath'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/syzkaller/jobs-2/linux/gopath/pkg/mod/golang.org/tool...@v0.0.1-go1.23.6.linux-amd64'
GOSUMDB='sum.golang.org'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/syzkaller/jobs-2/linux/gopath/pkg/mod/golang.org/tool...@v0.0.1-go1.23.6.linux-amd64/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.23.6'
GODEBUG=''
GOTELEMETRY='local'
GOTELEMETRYDIR='/syzkaller/.config/go/telemetry'
GCCGO='gccgo'
GOAMD64='v1'
AR='ar'
CC='gcc'
CXX='g++'
CGO_ENABLED='1'
GOMOD='/syzkaller/jobs-2/linux/gopath/src/github.com/google/syzkaller/go.mod'
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build3073680802=/tmp/go-build -gno-record-gcc-switches'

git status (err=<nil>)
HEAD detached at b257a9b754
nothing to commit, working tree clean


tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=b257a9b7546c59d44cd69160b5a65a1bf1f050eb -X 'github.com/google/syzkaller/prog.gitRevisionDate=20250219-145244'" -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
mkdir -p ./bin/linux_amd64
g++ -o ./bin/linux_amd64/syz-executor executor/executor.cc \
-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -std=c++17 -I. -Iexecutor/_include -DGOOS_linux=1 -DGOARCH_amd64=1 \
-DHOSTGOOS_linux=1 -DGIT_REVISION=\"b257a9b7546c59d44cd69160b5a65a1bf1f050eb\"
/usr/bin/ld: /tmp/ccycsKnp.o: in function `Connection::Connect(char const*, char const*)':
executor.cc:(.text._ZN10Connection7ConnectEPKcS1_[_ZN10Connection7ConnectEPKcS1_]+0x104): warning: Using 'gethostbyname' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking


Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=176ba7a4580000


Tested on:

commit: c749f058 USB: core: Add eUSB2 descriptor and parsing i..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing
kernel config: https://syzkaller.appspot.com/x/.config?x=f429368eda610a89
dashboard link: https://syzkaller.appspot.com/bug?extid=0154da2d403396b2bd59
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=15535fdf980000

Hillf Danton

unread,
Feb 23, 2025, 6:40:09 AM2/23/25
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Sat, 22 Feb 2025 09:01:23 -0800
> syzbot found the following issue on:
>
> HEAD commit: 0a86e49acfbb dt-bindings: usb: samsung,exynos-dwc3 Add exy..
> git tree: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17c02ba4580000

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

--- x/drivers/hid/hid-steam.c
+++ y/drivers/hid/hid-steam.c
@@ -618,6 +618,8 @@ static void steam_input_close(struct inp
unsigned long flags;
bool set_lizard_mode;

+ if (dev->going_away)
+ return;
if (!(steam->quirks & STEAM_QUIRK_DECK)) {
spin_lock_irqsave(&steam->lock, flags);
set_lizard_mode = !steam->client_opened && lizard_mode;
@@ -1086,6 +1088,11 @@ static void steam_work_unregister_cb(str
connected = steam->connected;
spin_unlock_irqrestore(&steam->lock, flags);

+ if (opened) {
+ steam_sensors_unregister(steam);
+ steam_input_unregister(steam);
+ opened = false;
+ }
if (connected) {
if (opened) {
steam_sensors_unregister(steam);
@@ -1330,7 +1337,6 @@ static void steam_remove(struct hid_devi
cancel_delayed_work_sync(&steam->mode_switch);
cancel_work_sync(&steam->work_connect);
cancel_work_sync(&steam->rumble_work);
- cancel_work_sync(&steam->unregister_work);
hid_destroy_device(steam->client_hdev);
steam->client_hdev = NULL;
steam->client_opened = 0;
@@ -1340,6 +1346,7 @@ static void steam_remove(struct hid_devi
hid_hw_close(hdev);
hid_hw_stop(hdev);
steam_unregister(steam);
+ flush_work(&steam->unregister_work);

syzbot

unread,
Feb 23, 2025, 6:56:04 AM2/23/25
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-use-after-free Read in steam_input_open

==================================================================
BUG: KASAN: slab-use-after-free in steam_input_open+0x14d/0x160 drivers/hid/hid-steam.c:604
Read of size 8 at addr ffff88811f37a930 by task udevd/6864

CPU: 1 UID: 0 PID: 6864 Comm: udevd Not tainted 6.14.0-rc3-syzkaller-00295-g27102b38b8ca-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
RIP: 0033:0x7fe1dcd049a4
Code: 24 20 48 8d 44 24 30 48 89 44 24 28 64 8b 04 25 18 00 00 00 85 c0 75 2c 44 89 e2 48 89 ee bf 9c ff ff ff b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 76 60 48 8b 15 55 a4 0d 00 f7 d8 64 89 02 48 83
RSP: 002b:00007fffc6b23b20 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fe1dcd049a4
RDX: 0000000000080000 RSI: 00005565a6e265d0 RDI: 00000000ffffff9c
RBP: 00005565a6e265d0 R08: 00005565a6e264f8 R09: fffffffffffffe98
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000080000
R13: 00007fffc6b23ce8 R14: 0000000000000000 R15: 000055658f591ed5
Freed by task 1076:
The buggy address belongs to the object at ffff88811f37a800
which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 304 bytes inside of
freed 1024-byte region [ffff88811f37a800, ffff88811f37ac00)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11f378
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
anon flags: 0x200000000000040(head|node=0|zone=2)
page_type: f5(slab)
raw: 0200000000000040 ffff888100041dc0 0000000000000000 0000000000000001
raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
head: 0200000000000040 ffff888100041dc0 0000000000000000 0000000000000001
head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
head: 0200000000000003 ffffea00047cde01 ffffffffffffffff 0000000000000000
head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 3205, tgid 3205 (kworker/u8:2), ts 50125018848, free_ts 50111173019
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x181/0x1b0 mm/page_alloc.c:1551
prep_new_page mm/page_alloc.c:1559 [inline]
get_page_from_freelist+0xe76/0x2b90 mm/page_alloc.c:3477
__alloc_frozen_pages_noprof+0x21c/0x2290 mm/page_alloc.c:4739
alloc_pages_mpol+0xe7/0x410 mm/mempolicy.c:2270
alloc_slab_page mm/slub.c:2423 [inline]
allocate_slab mm/slub.c:2587 [inline]
new_slab+0x23d/0x330 mm/slub.c:2640
___slab_alloc+0xc41/0x1670 mm/slub.c:3826
__slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3916
__slab_alloc_node mm/slub.c:3991 [inline]
slab_alloc_node mm/slub.c:4152 [inline]
__do_kmalloc_node mm/slub.c:4293 [inline]
__kmalloc_noprof+0x154/0x4d0 mm/slub.c:4306
kmalloc_noprof include/linux/slab.h:905 [inline]
load_elf_phdrs+0x103/0x210 fs/binfmt_elf.c:532
load_elf_binary+0x14eb/0x4f00 fs/binfmt_elf.c:961
search_binary_handler fs/exec.c:1775 [inline]
exec_binprm fs/exec.c:1807 [inline]
bprm_execve fs/exec.c:1859 [inline]
bprm_execve+0x8dd/0x1680 fs/exec.c:1835
kernel_execve+0x2ef/0x3b0 fs/exec.c:2026
call_usermodehelper_exec_async+0x255/0x4c0 kernel/umh.c:109
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
page last free pid 3204 tgid 3204 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1127 [inline]
free_frozen_pages+0x653/0xde0 mm/page_alloc.c:2660
__put_partials+0x14c/0x170 mm/slub.c:3153
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x4e/0x120 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x195/0x1e0 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x4e/0x70 mm/kasan/common.c:329
kasan_slab_alloc include/linux/kasan.h:250 [inline]
slab_post_alloc_hook mm/slub.c:4115 [inline]
slab_alloc_node mm/slub.c:4164 [inline]
kmem_cache_alloc_noprof+0x154/0x3b0 mm/slub.c:4171
getname_flags.part.0+0x4c/0x550 fs/namei.c:139
getname_flags include/linux/audit.h:322 [inline]
getname+0x8d/0xe0 fs/namei.c:223
do_sys_openat2+0x104/0x1e0 fs/open.c:1422
do_sys_open fs/open.c:1443 [inline]
__do_sys_openat fs/open.c:1459 [inline]
__se_sys_openat fs/open.c:1454 [inline]
__x64_sys_openat+0x175/0x210 fs/open.c:1454
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
ffff88811f37a800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88811f37a880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88811f37a900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88811f37a980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88811f37aa00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


Tested on:

commit: 27102b38 Merge tag 'v6.14-rc3-smb3-client-fix-part2' o..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=1725c7a4580000
kernel config: https://syzkaller.appspot.com/x/.config?x=28127f006c1c31ee
dashboard link: https://syzkaller.appspot.com/bug?extid=0154da2d403396b2bd59
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=16d353b8580000

Edward Adam Davis

unread,
Feb 23, 2025, 8:25:51 AM2/23/25
to syzbot+0154da...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
#syz test

diff --git a/drivers/hid/hid-steam.c b/drivers/hid/hid-steam.c
index c9e65e9088b3..4a70ca5eeb1a 100644
--- a/drivers/hid/hid-steam.c
+++ b/drivers/hid/hid-steam.c
@@ -1086,6 +1086,7 @@ static void steam_work_unregister_cb(struct work_struct *work)
connected = steam->connected;
spin_unlock_irqrestore(&steam->lock, flags);

+ printk("steam: %p, opened: %d, connected: %d, %s\n", steam, opened, connected, __func__);
if (connected) {
if (opened) {
steam_sensors_unregister(steam);
@@ -1153,11 +1154,10 @@ static void steam_client_ll_close(struct hid_device *hdev)
struct steam_device *steam = hdev->driver_data;

unsigned long flags;
- bool connected;

spin_lock_irqsave(&steam->lock, flags);
- steam->client_opened--;
- connected = steam->connected && !steam->client_opened;
+ if (steam->client_opened > 0)
+ steam->client_opened--;
spin_unlock_irqrestore(&steam->lock, flags);

schedule_work(&steam->unregister_work);
@@ -1322,6 +1322,7 @@ static void steam_remove(struct hid_device *hdev)
{
struct steam_device *steam = hid_get_drvdata(hdev);

+ printk("steam: %p, hid device is group steam %d, %s\n", steam, hdev->group == HID_GROUP_STEAM, __func__);
if (!steam || hdev->group == HID_GROUP_STEAM) {
hid_hw_stop(hdev);
return;

syzbot

unread,
Feb 23, 2025, 8:43:05 AM2/23/25
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-use-after-free Read in steam_input_open

==================================================================
BUG: KASAN: slab-use-after-free in steam_input_open+0x14d/0x160 drivers/hid/hid-steam.c:604
Read of size 8 at addr ffff88811e7c6930 by task udevd/6848

CPU: 0 UID: 0 PID: 6848 Comm: udevd Not tainted 6.14.0-rc3-syzkaller-00037-gc749f058b437-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xc3/0x620 mm/kasan/report.c:489
kasan_report+0xd9/0x110 mm/kasan/report.c:602
steam_input_open+0x14d/0x160 drivers/hid/hid-steam.c:604
input_open_device+0x230/0x390 drivers/input/input.c:600
evdev_open_device drivers/input/evdev.c:391 [inline]
evdev_open+0x52d/0x690 drivers/input/evdev.c:478
chrdev_open+0x237/0x6a0 fs/char_dev.c:414
do_dentry_open+0x6cb/0x1390 fs/open.c:956
vfs_open+0x82/0x3f0 fs/open.c:1086
do_open fs/namei.c:3830 [inline]
path_openat+0x1e88/0x2d80 fs/namei.c:3989
do_filp_open+0x20c/0x470 fs/namei.c:4016
do_sys_openat2+0x17a/0x1e0 fs/open.c:1428
do_sys_open fs/open.c:1443 [inline]
__do_sys_openat fs/open.c:1459 [inline]
__se_sys_openat fs/open.c:1454 [inline]
__x64_sys_openat+0x175/0x210 fs/open.c:1454
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f87db4859a4
Code: 24 20 48 8d 44 24 30 48 89 44 24 28 64 8b 04 25 18 00 00 00 85 c0 75 2c 44 89 e2 48 89 ee bf 9c ff ff ff b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 76 60 48 8b 15 55 a4 0d 00 f7 d8 64 89 02 48 83
RSP: 002b:00007ffce2f0fe00 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f87db4859a4
RDX: 0000000000080000 RSI: 000055dee6545680 RDI: 00000000ffffff9c
RBP: 000055dee6545680 R08: 000055dee6552b38 R09: fffffffffffffe98
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000080000
R13: 00007ffce2f0ffc8 R14: 0000000000000000 R15: 000055deae26bed5
</TASK>

Allocated by task 8:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
__kasan_kmalloc+0x8f/0xa0 mm/kasan/common.c:394
kasan_kmalloc include/linux/kasan.h:260 [inline]
__do_kmalloc_node mm/slub.c:4294 [inline]
__kmalloc_node_track_caller_noprof+0x20b/0x4c0 mm/slub.c:4313
alloc_dr drivers/base/devres.c:119 [inline]
devm_kmalloc+0xa5/0x260 drivers/base/devres.c:843
devm_kzalloc include/linux/device.h:328 [inline]
steam_probe+0x132/0x1060 drivers/hid/hid-steam.c:1241
Freed by task 36:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:576
poison_slab_object mm/kasan/common.c:247 [inline]
__kasan_slab_free+0x37/0x50 mm/kasan/common.c:264
kasan_slab_free include/linux/kasan.h:233 [inline]
slab_free_hook mm/slub.c:2353 [inline]
slab_free mm/slub.c:4609 [inline]
kfree+0x294/0x480 mm/slub.c:4757
release_nodes+0x11e/0x240 drivers/base/devres.c:506
devres_release_group+0x1be/0x2a0 drivers/base/devres.c:689
hid_device_remove+0x107/0x260 drivers/hid/hid-core.c:2774
device_remove+0xc8/0x170 drivers/base/dd.c:567
__device_release_driver drivers/base/dd.c:1273 [inline]
device_release_driver_internal+0x44a/0x610 drivers/base/dd.c:1296
bus_remove_device+0x22f/0x420 drivers/base/bus.c:579
device_del+0x396/0x9f0 drivers/base/core.c:3854
hid_remove_device drivers/hid/hid-core.c:2953 [inline]
hid_destroy_device+0x19c/0x240 drivers/hid/hid-core.c:2975
usbhid_disconnect+0xa0/0xe0 drivers/hid/usbhid/hid-core.c:1458
usb_unbind_interface+0x1da/0x9a0 drivers/usb/core/driver.c:458
device_remove drivers/base/dd.c:569 [inline]
device_remove+0x122/0x170 drivers/base/dd.c:561
__device_release_driver drivers/base/dd.c:1273 [inline]
device_release_driver_internal+0x44a/0x610 drivers/base/dd.c:1296
bus_remove_device+0x22f/0x420 drivers/base/bus.c:579
device_del+0x396/0x9f0 drivers/base/core.c:3854
usb_disable_device+0x368/0x7e0 drivers/usb/core/message.c:1418
usb_disconnect+0x2e1/0x920 drivers/usb/core/hub.c:2316
hub_port_connect drivers/usb/core/hub.c:5373 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5673 [inline]
port_event drivers/usb/core/hub.c:5833 [inline]
hub_event+0x1bed/0x4f40 drivers/usb/core/hub.c:5915
process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3236
process_scheduled_works kernel/workqueue.c:3317 [inline]
worker_thread+0x6c8/0xf00 kernel/workqueue.c:3398
kthread+0x3af/0x750 kernel/kthread.c:464
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

Last potentially related work creation:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_record_aux_stack+0x9b/0xb0 mm/kasan/generic.c:548
insert_work+0x36/0x230 kernel/workqueue.c:2183
__queue_work+0x97e/0x1080 kernel/workqueue.c:2339
queue_work_on+0x11a/0x140 kernel/workqueue.c:2390
queue_work include/linux/workqueue.h:662 [inline]
schedule_work include/linux/workqueue.h:723 [inline]
steam_client_ll_open+0xab/0xf0 drivers/hid/hid-steam.c:1147
hid_hw_open+0xe2/0x170 drivers/hid/hid-core.c:2392
hidraw_open+0x274/0x7e0 drivers/hid/hidraw.c:308
chrdev_open+0x237/0x6a0 fs/char_dev.c:414
do_dentry_open+0x6cb/0x1390 fs/open.c:956
vfs_open+0x82/0x3f0 fs/open.c:1086
do_open fs/namei.c:3830 [inline]
path_openat+0x1e88/0x2d80 fs/namei.c:3989
do_filp_open+0x20c/0x470 fs/namei.c:4016
do_sys_openat2+0x17a/0x1e0 fs/open.c:1428
do_sys_open fs/open.c:1443 [inline]
__do_sys_openat fs/open.c:1459 [inline]
__se_sys_openat fs/open.c:1454 [inline]
__x64_sys_openat+0x175/0x210 fs/open.c:1454
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f

Second to last potentially related work creation:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_record_aux_stack+0x9b/0xb0 mm/kasan/generic.c:548
insert_work+0x36/0x230 kernel/workqueue.c:2183
__queue_work+0x97e/0x1080 kernel/workqueue.c:2339
queue_work_on+0x11a/0x140 kernel/workqueue.c:2390
hid_hw_close+0xaf/0xe0 drivers/hid/hid-core.c:2415
drop_ref+0x186/0x390 drivers/hid/hidraw.c:360
hidraw_release+0x3e6/0x560 drivers/hid/hidraw.c:384
__fput+0x3ff/0xb70 fs/file_table.c:464
task_work_run+0x14e/0x250 kernel/task_work.c:227
resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
exit_to_user_mode_loop kernel/entry/common.c:114 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
syscall_exit_to_user_mode+0x24e/0x260 kernel/entry/common.c:218
do_syscall_64+0xda/0x250 arch/x86/entry/common.c:89
entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff88811e7c6800
which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 304 bytes inside of
freed 1024-byte region [ffff88811e7c6800, ffff88811e7c6c00)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11e7c0
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
anon flags: 0x200000000000040(head|node=0|zone=2)
page_type: f5(slab)
raw: 0200000000000040 ffff888100041dc0 ffffea0004d0ba00 dead000000000003
raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
head: 0200000000000040 ffff888100041dc0 ffffea0004d0ba00 dead000000000003
head: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
head: 0200000000000003 ffffea000479f001 ffffffffffffffff 0000000000000000
head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 3150, tgid 3150 (kworker/u8:8), ts 53335618281, free_ts 53325317945
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x181/0x1b0 mm/page_alloc.c:1551
prep_new_page mm/page_alloc.c:1559 [inline]
get_page_from_freelist+0xe76/0x2b90 mm/page_alloc.c:3477
__alloc_frozen_pages_noprof+0x21c/0x2290 mm/page_alloc.c:4739
alloc_pages_mpol+0xe7/0x410 mm/mempolicy.c:2270
alloc_slab_page mm/slub.c:2423 [inline]
allocate_slab mm/slub.c:2587 [inline]
new_slab+0x23d/0x330 mm/slub.c:2640
___slab_alloc+0xc41/0x1670 mm/slub.c:3826
__slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3916
__slab_alloc_node mm/slub.c:3991 [inline]
slab_alloc_node mm/slub.c:4152 [inline]
__do_kmalloc_node mm/slub.c:4293 [inline]
__kmalloc_noprof+0x154/0x4d0 mm/slub.c:4306
kmalloc_noprof include/linux/slab.h:905 [inline]
load_elf_phdrs+0x103/0x210 fs/binfmt_elf.c:532
load_elf_binary+0x1f8/0x4f00 fs/binfmt_elf.c:861
search_binary_handler fs/exec.c:1775 [inline]
exec_binprm fs/exec.c:1807 [inline]
bprm_execve fs/exec.c:1859 [inline]
bprm_execve+0x8dd/0x1680 fs/exec.c:1835
kernel_execve+0x2ef/0x3b0 fs/exec.c:2026
call_usermodehelper_exec_async+0x255/0x4c0 kernel/umh.c:109
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
page last free pid 3149 tgid 3149 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1127 [inline]
free_frozen_pages+0x653/0xde0 mm/page_alloc.c:2660
__put_partials+0x14c/0x170 mm/slub.c:3153
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x4e/0x120 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x195/0x1e0 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x4e/0x70 mm/kasan/common.c:329
kasan_slab_alloc include/linux/kasan.h:250 [inline]
slab_post_alloc_hook mm/slub.c:4115 [inline]
slab_alloc_node mm/slub.c:4164 [inline]
kmem_cache_alloc_noprof+0x154/0x3b0 mm/slub.c:4171
getname_flags.part.0+0x4c/0x550 fs/namei.c:139
getname_flags include/linux/audit.h:322 [inline]
getname+0x8d/0xe0 fs/namei.c:223
do_sys_openat2+0x104/0x1e0 fs/open.c:1422
do_sys_open fs/open.c:1443 [inline]
__do_sys_openat fs/open.c:1459 [inline]
__se_sys_openat fs/open.c:1454 [inline]
__x64_sys_openat+0x175/0x210 fs/open.c:1454
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
ffff88811e7c6800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88811e7c6880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88811e7c6900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88811e7c6980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88811e7c6a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


Tested on:

commit: c749f058 USB: core: Add eUSB2 descriptor and parsing i..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing
console output: https://syzkaller.appspot.com/x/log.txt?x=16c867a4580000
kernel config: https://syzkaller.appspot.com/x/.config?x=f429368eda610a89
dashboard link: https://syzkaller.appspot.com/bug?extid=0154da2d403396b2bd59
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=102757f8580000

Edward Adam Davis

unread,
Feb 23, 2025, 9:16:06 AM2/23/25
to syzbot+0154da...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
#syz test

diff --git a/drivers/hid/hid-steam.c b/drivers/hid/hid-steam.c
index c9e65e9088b3..2317c3f7e037 100644
--- a/drivers/hid/hid-steam.c
+++ b/drivers/hid/hid-steam.c
@@ -596,6 +596,7 @@ static int steam_input_open(struct input_dev *dev)
unsigned long flags;
bool set_lizard_mode;

+ printk("steam: %p, %s\n", steam, __func__);
/*
* Disabling lizard mode automatically is only done on the Steam
* Controller. On the Steam Deck, this is toggled manually by holding
@@ -1086,6 +1087,10 @@ static void steam_work_unregister_cb(struct work_struct *work)
connected = steam->connected;
spin_unlock_irqrestore(&steam->lock, flags);

+ printk("steam: %p, client_hdev: %p, opened: %d, connected: %d, input: %p, %s\n", steam, steam->client_hdev, opened, connected, input, __func__);
+ if (!steam->client_hdev)
+ return;
+
if (connected) {
if (opened) {
steam_sensors_unregister(steam);
@@ -1153,11 +1158,10 @@ static void steam_client_ll_close(struct hid_device *hdev)
struct steam_device *steam = hdev->driver_data;

unsigned long flags;
- bool connected;

spin_lock_irqsave(&steam->lock, flags);
- steam->client_opened--;
- connected = steam->connected && !steam->client_opened;
+ if (steam->client_opened > 0)
+ steam->client_opened--;
spin_unlock_irqrestore(&steam->lock, flags);

schedule_work(&steam->unregister_work);
@@ -1322,6 +1326,7 @@ static void steam_remove(struct hid_device *hdev)

syzbot

unread,
Feb 23, 2025, 9:27:04 AM2/23/25
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

drivers/hid/hid-steam.c:1090:136: error: 'input' undeclared (first use in this function); did you mean 'iput'?


Tested on:

commit: c749f058 USB: core: Add eUSB2 descriptor and parsing i..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing
kernel config: https://syzkaller.appspot.com/x/.config?x=f429368eda610a89
dashboard link: https://syzkaller.appspot.com/bug?extid=0154da2d403396b2bd59
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=147acdb0580000

Edward Adam Davis

unread,
Feb 23, 2025, 9:31:34 AM2/23/25
to syzbot+0154da...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
#syz test

diff --git a/drivers/hid/hid-steam.c b/drivers/hid/hid-steam.c
index c9e65e9088b3..cf7a74343454 100644
--- a/drivers/hid/hid-steam.c
+++ b/drivers/hid/hid-steam.c
@@ -596,6 +596,7 @@ static int steam_input_open(struct input_dev *dev)
unsigned long flags;
bool set_lizard_mode;

+ printk("steam: %p, %s\n", steam, __func__);
/*
* Disabling lizard mode automatically is only done on the Steam
* Controller. On the Steam Deck, this is toggled manually by holding
@@ -1086,6 +1087,10 @@ static void steam_work_unregister_cb(struct work_struct *work)
connected = steam->connected;
spin_unlock_irqrestore(&steam->lock, flags);

+ printk("steam: %p, client_hdev: %p, opened: %d, connected: %d, %s\n", steam, steam->client_hdev, opened, connected, __func__);

syzbot

unread,
Feb 23, 2025, 9:48:04 AM2/23/25
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING: ODEBUG bug in release_nodes

hid-steam 0003:28DE:1102.0023: Steam Controller 'XXXXXXXXXX' disconnected
------------[ cut here ]------------
ODEBUG: free active (active state 0) object: ffff88811b79fb00 object type: work_struct hint: steam_work_unregister_cb+0x0/0x230 drivers/hid/hid-steam.c:869
WARNING: CPU: 1 PID: 6885 at lib/debugobjects.c:612 debug_print_object+0x1a2/0x2b0 lib/debugobjects.c:612
Modules linked in:
CPU: 1 UID: 0 PID: 6885 Comm: kworker/1:5 Not tainted 6.14.0-rc3-syzkaller-00037-gc749f058b437-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
Workqueue: usb_hub_wq hub_event
RIP: 0010:debug_print_object+0x1a2/0x2b0 lib/debugobjects.c:612
Code: fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 75 54 48 8b 14 dd 80 d2 47 87 41 56 4c 89 e6 48 c7 c7 00 c7 47 87 e8 ff e7 c0 fe 90 <0f> 0b 90 90 58 83 05 16 85 d8 07 01 48 83 c4 18 5b 5d 41 5c 41 5d
RSP: 0018:ffffc9000174f208 EFLAGS: 00010282
RAX: 0000000000000000 RBX: 0000000000000003 RCX: ffffffff813f4dd9
RDX: ffff8881086a8000 RSI: ffffffff813f4de6 RDI: 0000000000000001
RBP: 0000000000000001 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000009 R12: ffffffff8747cda0
R13: ffffffff87274220 R14: ffffffff85a7ad40 R15: ffffc9000174f318
FS: 0000000000000000(0000) GS:ffff8881f5900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f6532f71ed8 CR3: 00000001171be000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
__debug_check_no_obj_freed lib/debugobjects.c:1099 [inline]
debug_check_no_obj_freed+0x4b7/0x600 lib/debugobjects.c:1129
slab_free_hook mm/slub.c:2284 [inline]
slab_free mm/slub.c:4609 [inline]
kfree+0x2e1/0x480 mm/slub.c:4757
</TASK>


Tested on:

commit: c749f058 USB: core: Add eUSB2 descriptor and parsing i..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing
console output: https://syzkaller.appspot.com/x/log.txt?x=1780d3b8580000
kernel config: https://syzkaller.appspot.com/x/.config?x=f429368eda610a89
dashboard link: https://syzkaller.appspot.com/bug?extid=0154da2d403396b2bd59
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=1746cdb0580000

Hillf Danton

unread,
Feb 23, 2025, 11:54:30 PM2/23/25
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Sat, 22 Feb 2025 09:01:23 -0800
> syzbot found the following issue on:
>
> HEAD commit: 0a86e49acfbb dt-bindings: usb: samsung,exynos-dwc3 Add exy..
> git tree: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17c02ba4580000

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

--- x/drivers/hid/hid-steam.c
+++ y/drivers/hid/hid-steam.c
@@ -314,6 +314,7 @@ struct steam_device {
u16 rumble_right;
unsigned int sensor_timestamp_us;
struct work_struct unregister_work;
+ struct work_struct unregister_work2;
};

static int steam_recv_report(struct steam_device *steam,
@@ -618,6 +619,8 @@ static void steam_input_close(struct inp
unsigned long flags;
bool set_lizard_mode;

+ if (dev->going_away)
+ return;
if (!(steam->quirks & STEAM_QUIRK_DECK)) {
spin_lock_irqsave(&steam->lock, flags);
set_lizard_mode = !steam->client_opened && lizard_mode;
@@ -1077,25 +1080,17 @@ static void steam_work_unregister_cb(str
{
struct steam_device *steam = container_of(work, struct steam_device,
unregister_work);
- unsigned long flags;
- bool connected;
- bool opened;
-
- spin_lock_irqsave(&steam->lock, flags);
- opened = steam->client_opened;
- connected = steam->connected;
- spin_unlock_irqrestore(&steam->lock, flags);
+ steam_sensors_unregister(steam);
+ steam_input_unregister(steam);
+}

- if (connected) {
- if (opened) {
- steam_sensors_unregister(steam);
- steam_input_unregister(steam);
- } else {
- steam_set_lizard_mode(steam, lizard_mode);
- steam_input_register(steam);
- steam_sensors_register(steam);
- }
- }
+static void steam_work_unregister_cb2(struct work_struct *work)
+{
+ struct steam_device *steam = container_of(work, struct steam_device,
+ unregister_work2);
+ steam_set_lizard_mode(steam, lizard_mode);
+ steam_input_register(steam);
+ steam_sensors_register(steam);
}

static bool steam_is_valve_interface(struct hid_device *hdev)
@@ -1160,7 +1155,7 @@ static void steam_client_ll_close(struct
connected = steam->connected && !steam->client_opened;
spin_unlock_irqrestore(&steam->lock, flags);

- schedule_work(&steam->unregister_work);
+ schedule_work(&steam->unregister_work2);
}

static int steam_client_ll_raw_request(struct hid_device *hdev,
@@ -1253,6 +1248,7 @@ static int steam_probe(struct hid_device
INIT_WORK(&steam->rumble_work, steam_haptic_rumble_cb);
steam->sensor_timestamp_us = 0;
INIT_WORK(&steam->unregister_work, steam_work_unregister_cb);
+ INIT_WORK(&steam->unregister_work2, steam_work_unregister_cb2);

/*
* With the real steam controller interface, do not connect hidraw.
@@ -1314,6 +1310,7 @@ err_cancel_work:
cancel_delayed_work_sync(&steam->mode_switch);
cancel_work_sync(&steam->rumble_work);
cancel_work_sync(&steam->unregister_work);
+ cancel_work_sync(&steam->unregister_work2);

return ret;
}
@@ -1330,7 +1327,6 @@ static void steam_remove(struct hid_devi
cancel_delayed_work_sync(&steam->mode_switch);
cancel_work_sync(&steam->work_connect);
cancel_work_sync(&steam->rumble_work);
- cancel_work_sync(&steam->unregister_work);
hid_destroy_device(steam->client_hdev);
steam->client_hdev = NULL;
steam->client_opened = 0;
@@ -1340,6 +1336,8 @@ static void steam_remove(struct hid_devi
hid_hw_close(hdev);
hid_hw_stop(hdev);
steam_unregister(steam);
+ flush_work(&steam->unregister_work);
+ flush_work(&steam->unregister_work2);

syzbot

unread,
Feb 24, 2025, 12:21:04 AM2/24/25
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-use-after-free Read in steam_input_close

==================================================================
BUG: KASAN: slab-use-after-free in steam_input_close+0x187/0x1a0 drivers/hid/hid-steam.c:624
Read of size 8 at addr ffff88811f5a0130 by task acpid/2830

CPU: 1 UID: 0 PID: 2830 Comm: acpid Not tainted 6.14.0-rc4-syzkaller-gd082ecbc71e9-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:408 [inline]
print_report+0xc3/0x670 mm/kasan/report.c:521
kasan_report+0xd9/0x110 mm/kasan/report.c:634
steam_input_close+0x187/0x1a0 drivers/hid/hid-steam.c:624
input_close_device+0x21f/0x290 drivers/input/input.c:654
evdev_close_device drivers/input/evdev.c:405 [inline]
evdev_release+0x350/0x400 drivers/input/evdev.c:447
__fput+0x3ff/0xb70 fs/file_table.c:464
__fput_sync+0xa1/0xc0 fs/file_table.c:550
__do_sys_close fs/open.c:1580 [inline]
__se_sys_close fs/open.c:1565 [inline]
__x64_sys_close+0x86/0x100 fs/open.c:1565
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fe0a26660a8
Code: 48 8b 05 83 9d 0d 00 64 c7 00 16 00 00 00 83 c8 ff 48 83 c4 20 5b c3 64 8b 04 25 18 00 00 00 85 c0 75 20 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 76 5b 48 8b 15 51 9d 0d 00 f7 d8 64 89 02 48 83
RSP: 002b:00007fff48ef2008 EFLAGS: 00000246 ORIG_RAX: 0000000000000003
RAX: ffffffffffffffda RBX: 00007fff48ef2278 RCX: 00007fe0a26660a8
RDX: 0000000000000000 RSI: 000000000000001e RDI: 000000000000000a
RBP: 000000000000000a R08: 0000000000000008 R09: 00007fff48ef2178
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fff48ef2178
R13: 0000000000000040 R14: 00007fff48ef2278 R15: 00007fff48ef2178
</TASK>

Allocated by task 24:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
__kasan_kmalloc+0x8f/0xa0 mm/kasan/common.c:394
kasan_kmalloc include/linux/kasan.h:260 [inline]
__do_kmalloc_node mm/slub.c:4294 [inline]
__kmalloc_node_track_caller_noprof+0x20b/0x4c0 mm/slub.c:4313
alloc_dr drivers/base/devres.c:119 [inline]
devm_kmalloc+0xa5/0x260 drivers/base/devres.c:843
devm_kzalloc include/linux/device.h:328 [inline]
steam_probe+0x132/0x1190 drivers/hid/hid-steam.c:1236
hub_port_connect drivers/usb/core/hub.c:5533 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5673 [inline]
port_event drivers/usb/core/hub.c:5833 [inline]
hub_event+0x2e58/0x4f40 drivers/usb/core/hub.c:5915
process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3236
process_scheduled_works kernel/workqueue.c:3317 [inline]
worker_thread+0x6c8/0xf00 kernel/workqueue.c:3398
kthread+0x3af/0x750 kernel/kthread.c:464
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

Freed by task 8:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:576
poison_slab_object mm/kasan/common.c:247 [inline]
__kasan_slab_free+0x37/0x50 mm/kasan/common.c:264
kasan_slab_free include/linux/kasan.h:233 [inline]
slab_free_hook mm/slub.c:2353 [inline]
slab_free mm/slub.c:4609 [inline]
kfree+0x294/0x480 mm/slub.c:4757
release_nodes+0x11e/0x240 drivers/base/devres.c:506
devres_release_group+0x1be/0x2a0 drivers/base/devres.c:689
hid_device_remove+0x107/0x260 drivers/hid/hid-core.c:2774
device_remove+0xc8/0x170 drivers/base/dd.c:567
__device_release_driver drivers/base/dd.c:1273 [inline]
device_release_driver_internal+0x44a/0x610 drivers/base/dd.c:1296
bus_remove_device+0x22f/0x420 drivers/base/bus.c:579
device_del+0x396/0x9f0 drivers/base/core.c:3854
hid_remove_device drivers/hid/hid-core.c:2953 [inline]
hid_destroy_device+0x19c/0x240 drivers/hid/hid-core.c:2975
usbhid_disconnect+0xa0/0xe0 drivers/hid/usbhid/hid-core.c:1458
usb_unbind_interface+0x1e2/0x960 drivers/usb/core/driver.c:458
device_remove drivers/base/dd.c:569 [inline]
device_remove+0x122/0x170 drivers/base/dd.c:561
__device_release_driver drivers/base/dd.c:1273 [inline]
device_release_driver_internal+0x44a/0x610 drivers/base/dd.c:1296
bus_remove_device+0x22f/0x420 drivers/base/bus.c:579
device_del+0x396/0x9f0 drivers/base/core.c:3854
usb_disable_device+0x36c/0x7f0 drivers/usb/core/message.c:1418
usb_disconnect+0x2e1/0x920 drivers/usb/core/hub.c:2316
hub_port_connect drivers/usb/core/hub.c:5373 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5673 [inline]
port_event drivers/usb/core/hub.c:5833 [inline]
hub_event+0x1bed/0x4f40 drivers/usb/core/hub.c:5915
process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3236
process_scheduled_works kernel/workqueue.c:3317 [inline]
worker_thread+0x6c8/0xf00 kernel/workqueue.c:3398
kthread+0x3af/0x750 kernel/kthread.c:464
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

Last potentially related work creation:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_record_aux_stack+0x9b/0xb0 mm/kasan/generic.c:548
insert_work+0x36/0x230 kernel/workqueue.c:2183
__queue_work+0x97e/0x1080 kernel/workqueue.c:2339
queue_work_on+0x11a/0x140 kernel/workqueue.c:2390
hid_hw_close+0xaf/0xe0 drivers/hid/hid-core.c:2415
drop_ref+0x186/0x390 drivers/hid/hidraw.c:360
hidraw_release+0x3e6/0x560 drivers/hid/hidraw.c:384
__fput+0x3ff/0xb70 fs/file_table.c:464
task_work_run+0x14e/0x250 kernel/task_work.c:227
resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
exit_to_user_mode_loop kernel/entry/common.c:114 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
syscall_exit_to_user_mode+0x24e/0x260 kernel/entry/common.c:218
do_syscall_64+0xda/0x250 arch/x86/entry/common.c:89
entry_SYSCALL_64_after_hwframe+0x77/0x7f

Second to last potentially related work creation:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_record_aux_stack+0x9b/0xb0 mm/kasan/generic.c:548
insert_work+0x36/0x230 kernel/workqueue.c:2183
__queue_work+0x97e/0x1080 kernel/workqueue.c:2339
queue_work_on+0x11a/0x140 kernel/workqueue.c:2390
queue_work include/linux/workqueue.h:662 [inline]
schedule_work include/linux/workqueue.h:723 [inline]
steam_client_ll_open+0xab/0xf0 drivers/hid/hid-steam.c:1141
hid_hw_open+0xe2/0x170 drivers/hid/hid-core.c:2392
hidraw_open+0x274/0x7e0 drivers/hid/hidraw.c:308
chrdev_open+0x237/0x6a0 fs/char_dev.c:414
do_dentry_open+0x6cb/0x1390 fs/open.c:956
vfs_open+0x82/0x3f0 fs/open.c:1086
do_open fs/namei.c:3830 [inline]
path_openat+0x1e88/0x2d80 fs/namei.c:3989
do_filp_open+0x20c/0x470 fs/namei.c:4016
do_sys_openat2+0x17a/0x1e0 fs/open.c:1428
do_sys_open fs/open.c:1443 [inline]
__do_sys_openat fs/open.c:1459 [inline]
__se_sys_openat fs/open.c:1454 [inline]
__x64_sys_openat+0x175/0x210 fs/open.c:1454
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff88811f5a0000
which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 304 bytes inside of
freed 1024-byte region [ffff88811f5a0000, ffff88811f5a0400)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88811f5a7800 pfn:0x11f5a0
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x200000000000040(head|node=0|zone=2)
page_type: f5(slab)
raw: 0200000000000040 ffff888100041dc0 ffffea00046a3400 0000000000000002
raw: ffff88811f5a7800 000000008010000d 00000000f5000000 0000000000000000
head: 0200000000000040 ffff888100041dc0 ffffea00046a3400 0000000000000002
head: ffff88811f5a7800 000000008010000d 00000000f5000000 0000000000000000
head: 0200000000000003 ffffea00047d6801 ffffffffffffffff 0000000000000000
head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 6261, tgid 6261 (kworker/u8:2), ts 138508866510, free_ts 138420548355
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x181/0x1b0 mm/page_alloc.c:1551
prep_new_page mm/page_alloc.c:1559 [inline]
get_page_from_freelist+0xe76/0x2b90 mm/page_alloc.c:3477
__alloc_frozen_pages_noprof+0x21c/0x2290 mm/page_alloc.c:4739
alloc_pages_mpol+0xe7/0x410 mm/mempolicy.c:2270
alloc_slab_page mm/slub.c:2423 [inline]
allocate_slab mm/slub.c:2587 [inline]
new_slab+0x23d/0x330 mm/slub.c:2640
___slab_alloc+0xc41/0x1670 mm/slub.c:3826
__slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3916
__slab_alloc_node mm/slub.c:3991 [inline]
slab_alloc_node mm/slub.c:4152 [inline]
__do_kmalloc_node mm/slub.c:4293 [inline]
__kmalloc_noprof+0x154/0x4d0 mm/slub.c:4306
kmalloc_noprof include/linux/slab.h:905 [inline]
load_elf_phdrs+0x103/0x210 fs/binfmt_elf.c:532
load_elf_binary+0x14eb/0x4f00 fs/binfmt_elf.c:961
search_binary_handler fs/exec.c:1775 [inline]
exec_binprm fs/exec.c:1807 [inline]
bprm_execve fs/exec.c:1859 [inline]
bprm_execve+0x8dd/0x1680 fs/exec.c:1835
kernel_execve+0x2ef/0x3b0 fs/exec.c:2026
call_usermodehelper_exec_async+0x255/0x4c0 kernel/umh.c:109
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
page last free pid 6255 tgid 6255 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1127 [inline]
free_frozen_pages+0x653/0xde0 mm/page_alloc.c:2660
__put_partials+0x14c/0x170 mm/slub.c:3153
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x4e/0x120 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x195/0x1e0 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x4e/0x70 mm/kasan/common.c:329
kasan_slab_alloc include/linux/kasan.h:250 [inline]
slab_post_alloc_hook mm/slub.c:4115 [inline]
slab_alloc_node mm/slub.c:4164 [inline]
kmem_cache_alloc_noprof+0x154/0x3b0 mm/slub.c:4171
vm_area_alloc+0x1f/0x1f0 kernel/fork.c:472
__mmap_new_vma mm/vma.c:2341 [inline]
__mmap_region+0xfc8/0x2620 mm/vma.c:2457
mmap_region+0x1ab/0x3f0 mm/vma.c:2535
do_mmap+0xd8d/0x11b0 mm/mmap.c:561
vm_mmap_pgoff+0x203/0x390 mm/util.c:575
ksys_mmap_pgoff+0x32c/0x5c0 mm/mmap.c:607
__do_sys_mmap arch/x86/kernel/sys_x86_64.c:89 [inline]
__se_sys_mmap arch/x86/kernel/sys_x86_64.c:82 [inline]
__x64_sys_mmap+0x125/0x190 arch/x86/kernel/sys_x86_64.c:82
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
ffff88811f5a0000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88811f5a0080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88811f5a0100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88811f5a0180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88811f5a0200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


Tested on:

commit: d082ecbc Linux 6.14-rc4
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=14be86e4580000
kernel config: https://syzkaller.appspot.com/x/.config?x=df3b9ace9c853c8d
dashboard link: https://syzkaller.appspot.com/bug?extid=0154da2d403396b2bd59
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=14d8e7a4580000

Hillf Danton

unread,
Feb 24, 2025, 5:41:34 AM2/24/25
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Sat, 22 Feb 2025 09:01:23 -0800
> syzbot found the following issue on:
>
> HEAD commit: 0a86e49acfbb dt-bindings: usb: samsung,exynos-dwc3 Add exy..
> git tree: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17c02ba4580000

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

--- x/drivers/hid/hid-steam.c
+++ y/drivers/hid/hid-steam.c
@@ -313,6 +313,7 @@ struct steam_device {
u16 rumble_left;
u16 rumble_right;
unsigned int sensor_timestamp_us;
+ unsigned int dead;
struct work_struct unregister_work;
};

@@ -618,6 +619,8 @@ static void steam_input_close(struct inp
unsigned long flags;
bool set_lizard_mode;

+ if (dev->going_away)
+ return;
if (!(steam->quirks & STEAM_QUIRK_DECK)) {
spin_lock_irqsave(&steam->lock, flags);
set_lizard_mode = !steam->client_opened && lizard_mode;
@@ -1140,6 +1143,10 @@ static int steam_client_ll_open(struct h
unsigned long flags;

spin_lock_irqsave(&steam->lock, flags);
+ if (steam->dead) {
+ spin_unlock_irqrestore(&steam->lock, flags);
+ return -ENODEV;
+ }
steam->client_opened++;
spin_unlock_irqrestore(&steam->lock, flags);

@@ -1156,6 +1163,10 @@ static void steam_client_ll_close(struct
bool connected;

spin_lock_irqsave(&steam->lock, flags);
+ if (steam->dead) {
+ spin_unlock_irqrestore(&steam->lock, flags);
+ return;
+ }
steam->client_opened--;
connected = steam->connected && !steam->client_opened;
spin_unlock_irqrestore(&steam->lock, flags);
@@ -1321,11 +1332,15 @@ err_cancel_work:
static void steam_remove(struct hid_device *hdev)
{
struct steam_device *steam = hid_get_drvdata(hdev);
+ unsigned long flags;

if (!steam || hdev->group == HID_GROUP_STEAM) {
hid_hw_stop(hdev);
return;
}
+ spin_lock_irqsave(&steam->lock, flags);
+ steam->dead++;
+ spin_unlock_irqrestore(&steam->lock, flags);

cancel_delayed_work_sync(&steam->mode_switch);
cancel_work_sync(&steam->work_connect);
@@ -1350,6 +1365,8 @@ static void steam_do_connect_event(struc
spin_lock_irqsave(&steam->lock, flags);
changed = steam->connected != connected;
steam->connected = connected;
+ if (steam->dead)
+ changed = false;
spin_unlock_irqrestore(&steam->lock, flags);

if (changed && schedule_work(&steam->work_connect) == 0)
--

Vicki Pfau

unread,
Feb 24, 2025, 5:45:24 AM2/24/25
to syzbot, ben...@kernel.org, ji...@kernel.org, jko...@suse.com, linux...@vger.kernel.org, linux-...@vger.kernel.org, linu...@vger.kernel.org, syzkall...@googlegroups.com
Hi
This was reported internally a few days ago and I've been debugging this in the meantime. I have a tentative patch that I will submit in a day or two after we make sure it correctly fixes the issue. Though I'd previously tried getting it to reproduce in KASAN, I didn't have any luck; getting one of these backtraces was the final piece of the puzzle I was missing, so hopefully the fix is correct.

Vicki

syzbot

unread,
Feb 24, 2025, 6:47:03 AM2/24/25
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+0154da...@syzkaller.appspotmail.com
Tested-by: syzbot+0154da...@syzkaller.appspotmail.com

Tested on:

commit: d082ecbc Linux 6.14-rc4
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=164046e4580000
kernel config: https://syzkaller.appspot.com/x/.config?x=df3b9ace9c853c8d
dashboard link: https://syzkaller.appspot.com/bug?extid=0154da2d403396b2bd59
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=114b2db0580000

Note: testing is done by a robot and is best-effort only.

Edward Adam Davis

unread,
Feb 24, 2025, 7:04:52 AM2/24/25
to syzbot+0154da...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
#syz test

diff --git a/drivers/hid/hid-steam.c b/drivers/hid/hid-steam.c
index c9e65e9088b3..12ad00be57bc 100644
--- a/drivers/hid/hid-steam.c
+++ b/drivers/hid/hid-steam.c
@@ -1139,6 +1139,9 @@ static int steam_client_ll_open(struct hid_device *hdev)
struct steam_device *steam = hdev->driver_data;
unsigned long flags;

+ if (!steam->client_hdev)
+ return;
+
spin_lock_irqsave(&steam->lock, flags);
steam->client_opened++;
spin_unlock_irqrestore(&steam->lock, flags);
@@ -1153,11 +1156,12 @@ static void steam_client_ll_close(struct hid_device *hdev)
struct steam_device *steam = hdev->driver_data;

unsigned long flags;
- bool connected;
+
+ if (!steam->client_hdev)
+ return;

spin_lock_irqsave(&steam->lock, flags);
steam->client_opened--;
- connected = steam->connected && !steam->client_opened;
spin_unlock_irqrestore(&steam->lock, flags);

schedule_work(&steam->unregister_work);

syzbot

unread,
Feb 24, 2025, 7:19:04 AM2/24/25
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

drivers/hid/hid-steam.c:1143:17: error: 'return' with no value, in function returning non-void [-Werror=return-type]


Tested on:

commit: c749f058 USB: core: Add eUSB2 descriptor and parsing i..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing
kernel config: https://syzkaller.appspot.com/x/.config?x=f429368eda610a89
dashboard link: https://syzkaller.appspot.com/bug?extid=0154da2d403396b2bd59
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=15f137f8580000

Edward Adam Davis

unread,
Feb 24, 2025, 7:24:25 AM2/24/25
to syzbot+0154da...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
#syz test

diff --git a/drivers/hid/hid-steam.c b/drivers/hid/hid-steam.c
index c9e65e9088b3..1d43e4dce14e 100644
--- a/drivers/hid/hid-steam.c
+++ b/drivers/hid/hid-steam.c
@@ -1139,6 +1139,9 @@ static int steam_client_ll_open(struct hid_device *hdev)
struct steam_device *steam = hdev->driver_data;
unsigned long flags;

+ if (!steam->client_hdev)
+ return -ENODEV;

syzbot

unread,
Feb 24, 2025, 7:44:03 AM2/24/25
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-use-after-free Write in steam_input_register

input: Steam Controller as /devices/platform/dummy_hcd.5/usb6/6-1/6-1:0.0/0003:28DE:1102.0090/input/input94
kobject: kobject_add_internal failed for event5 (error: -2 parent: input94)
input: failed to attach handler evdev to device input94, error: -2
==================================================================
BUG: KASAN: slab-use-after-free in steam_input_register+0x131f/0x14a0 drivers/hid/hid-steam.c:832
Write of size 8 at addr ffff8881026cf120 by task kworker/1:4/6877

CPU: 1 UID: 0 PID: 6877 Comm: kworker/1:4 Not tainted 6.14.0-rc3-syzkaller-00037-gc749f058b437-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
Workqueue: events steam_work_unregister_cb
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xc3/0x620 mm/kasan/report.c:489
kasan_report+0xd9/0x110 mm/kasan/report.c:602
steam_input_register+0x131f/0x14a0 drivers/hid/hid-steam.c:832
steam_work_unregister_cb+0x127/0x190 drivers/hid/hid-steam.c:1095
process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3236
process_scheduled_works kernel/workqueue.c:3317 [inline]
worker_thread+0x6c8/0xf00 kernel/workqueue.c:3398
kthread+0x3af/0x750 kernel/kthread.c:464
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>

Allocated by task 9:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
__kasan_kmalloc+0x8f/0xa0 mm/kasan/common.c:394
kasan_kmalloc include/linux/kasan.h:260 [inline]
__do_kmalloc_node mm/slub.c:4294 [inline]
__kmalloc_node_track_caller_noprof+0x20b/0x4c0 mm/slub.c:4313
alloc_dr drivers/base/devres.c:119 [inline]
devm_kmalloc+0xa5/0x260 drivers/base/devres.c:843
devm_kzalloc include/linux/device.h:328 [inline]
steam_probe+0x132/0x1060 drivers/hid/hid-steam.c:1245
Freed by task 9:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:576
poison_slab_object mm/kasan/common.c:247 [inline]
__kasan_slab_free+0x37/0x50 mm/kasan/common.c:264
kasan_slab_free include/linux/kasan.h:233 [inline]
slab_free_hook mm/slub.c:2353 [inline]
slab_free mm/slub.c:4609 [inline]
kfree+0x294/0x480 mm/slub.c:4757
release_nodes+0x11e/0x240 drivers/base/devres.c:506
devres_release_group+0x1be/0x2a0 drivers/base/devres.c:689
hid_device_remove+0x107/0x260 drivers/hid/hid-core.c:2774
device_remove+0xc8/0x170 drivers/base/dd.c:567
__device_release_driver drivers/base/dd.c:1273 [inline]
device_release_driver_internal+0x44a/0x610 drivers/base/dd.c:1296
bus_remove_device+0x22f/0x420 drivers/base/bus.c:579
device_del+0x396/0x9f0 drivers/base/core.c:3854
hid_remove_device drivers/hid/hid-core.c:2953 [inline]
hid_destroy_device+0x19c/0x240 drivers/hid/hid-core.c:2975
usbhid_disconnect+0xa0/0xe0 drivers/hid/usbhid/hid-core.c:1458
usb_unbind_interface+0x1da/0x9a0 drivers/usb/core/driver.c:458
device_remove drivers/base/dd.c:569 [inline]
device_remove+0x122/0x170 drivers/base/dd.c:561
__device_release_driver drivers/base/dd.c:1273 [inline]
device_release_driver_internal+0x44a/0x610 drivers/base/dd.c:1296
bus_remove_device+0x22f/0x420 drivers/base/bus.c:579
device_del+0x396/0x9f0 drivers/base/core.c:3854
usb_disable_device+0x368/0x7e0 drivers/usb/core/message.c:1418
usb_disconnect+0x2e1/0x920 drivers/usb/core/hub.c:2316
hub_port_connect drivers/usb/core/hub.c:5373 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5673 [inline]
port_event drivers/usb/core/hub.c:5833 [inline]
hub_event+0x1bed/0x4f40 drivers/usb/core/hub.c:5915
process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3236
process_scheduled_works kernel/workqueue.c:3317 [inline]
worker_thread+0x6c8/0xf00 kernel/workqueue.c:3398
kthread+0x3af/0x750 kernel/kthread.c:464
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

Last potentially related work creation:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_record_aux_stack+0x9b/0xb0 mm/kasan/generic.c:548
insert_work+0x36/0x230 kernel/workqueue.c:2183
__queue_work+0x97e/0x1080 kernel/workqueue.c:2339
queue_work_on+0x11a/0x140 kernel/workqueue.c:2390
queue_work include/linux/workqueue.h:662 [inline]
schedule_work include/linux/workqueue.h:723 [inline]
steam_client_ll_close+0xd6/0x120 drivers/hid/hid-steam.c:1167
hid_hw_close+0xaf/0xe0 drivers/hid/hid-core.c:2415
drop_ref+0x2c8/0x390 drivers/hid/hidraw.c:346
hidraw_disconnect+0x4b/0x60 drivers/hid/hidraw.c:642
hid_disconnect+0x13e/0x1b0 drivers/hid/hid-core.c:2325
hid_hw_stop+0x16/0x80 drivers/hid/hid-core.c:2370
steam_remove+0x1af/0x220 drivers/hid/hid-steam.c:1330
hid_device_remove+0xce/0x260 drivers/hid/hid-core.c:2769
device_remove+0xc8/0x170 drivers/base/dd.c:567
__device_release_driver drivers/base/dd.c:1273 [inline]
device_release_driver_internal+0x44a/0x610 drivers/base/dd.c:1296
bus_remove_device+0x22f/0x420 drivers/base/bus.c:579
device_del+0x396/0x9f0 drivers/base/core.c:3854
hid_remove_device drivers/hid/hid-core.c:2953 [inline]
hid_destroy_device+0x19c/0x240 drivers/hid/hid-core.c:2975
steam_remove+0xf0/0x220 drivers/hid/hid-steam.c:1338
hid_device_remove+0xce/0x260 drivers/hid/hid-core.c:2769
device_remove+0xc8/0x170 drivers/base/dd.c:567
__device_release_driver drivers/base/dd.c:1273 [inline]
device_release_driver_internal+0x44a/0x610 drivers/base/dd.c:1296
bus_remove_device+0x22f/0x420 drivers/base/bus.c:579
device_del+0x396/0x9f0 drivers/base/core.c:3854
hid_remove_device drivers/hid/hid-core.c:2953 [inline]
hid_destroy_device+0x19c/0x240 drivers/hid/hid-core.c:2975
usbhid_disconnect+0xa0/0xe0 drivers/hid/usbhid/hid-core.c:1458
usb_unbind_interface+0x1da/0x9a0 drivers/usb/core/driver.c:458
device_remove drivers/base/dd.c:569 [inline]
device_remove+0x122/0x170 drivers/base/dd.c:561
__device_release_driver drivers/base/dd.c:1273 [inline]
device_release_driver_internal+0x44a/0x610 drivers/base/dd.c:1296
bus_remove_device+0x22f/0x420 drivers/base/bus.c:579
device_del+0x396/0x9f0 drivers/base/core.c:3854
usb_disable_device+0x368/0x7e0 drivers/usb/core/message.c:1418
usb_disconnect+0x2e1/0x920 drivers/usb/core/hub.c:2316
hub_port_connect drivers/usb/core/hub.c:5373 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5673 [inline]
port_event drivers/usb/core/hub.c:5833 [inline]
hub_event+0x1bed/0x4f40 drivers/usb/core/hub.c:5915
process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3236
process_scheduled_works kernel/workqueue.c:3317 [inline]
worker_thread+0x6c8/0xf00 kernel/workqueue.c:3398
kthread+0x3af/0x750 kernel/kthread.c:464
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

Second to last potentially related work creation:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_record_aux_stack+0x9b/0xb0 mm/kasan/generic.c:548
insert_work+0x36/0x230 kernel/workqueue.c:2183
__queue_work+0x97e/0x1080 kernel/workqueue.c:2339
queue_work_on+0x11a/0x140 kernel/workqueue.c:2390
queue_work include/linux/workqueue.h:662 [inline]
schedule_work include/linux/workqueue.h:723 [inline]
steam_client_ll_open+0xe0/0x140 drivers/hid/hid-steam.c:1149
hid_hw_open+0xe2/0x170 drivers/hid/hid-core.c:2392
hidraw_open+0x274/0x7e0 drivers/hid/hidraw.c:308
chrdev_open+0x237/0x6a0 fs/char_dev.c:414
do_dentry_open+0x6cb/0x1390 fs/open.c:956
vfs_open+0x82/0x3f0 fs/open.c:1086
do_open fs/namei.c:3830 [inline]
path_openat+0x1e88/0x2d80 fs/namei.c:3989
do_filp_open+0x20c/0x470 fs/namei.c:4016
do_sys_openat2+0x17a/0x1e0 fs/open.c:1428
do_sys_open fs/open.c:1443 [inline]
__do_sys_openat fs/open.c:1459 [inline]
__se_sys_openat fs/open.c:1454 [inline]
__x64_sys_openat+0x175/0x210 fs/open.c:1454
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff8881026cf000
which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 288 bytes inside of
freed 1024-byte region [ffff8881026cf000, ffff8881026cf400)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1026c8
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x200000000000040(head|node=0|zone=2)
page_type: f5(slab)
raw: 0200000000000040 ffff888100041dc0 ffffea0004c74a00 dead000000000002
raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
head: 0200000000000040 ffff888100041dc0 ffffea0004c74a00 dead000000000002
head: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
head: 0200000000000003 ffffea000409b201 ffffffffffffffff 0000000000000000
head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, tgid 1 (swapper/0), ts 2755554857, free_ts 0
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x181/0x1b0 mm/page_alloc.c:1551
prep_new_page mm/page_alloc.c:1559 [inline]
get_page_from_freelist+0xe76/0x2b90 mm/page_alloc.c:3477
__alloc_frozen_pages_noprof+0x21c/0x2290 mm/page_alloc.c:4739
alloc_pages_mpol+0xe7/0x410 mm/mempolicy.c:2270
alloc_slab_page mm/slub.c:2423 [inline]
allocate_slab mm/slub.c:2587 [inline]
new_slab+0x23d/0x330 mm/slub.c:2640
___slab_alloc+0xc41/0x1670 mm/slub.c:3826
__slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3916
__slab_alloc_node mm/slub.c:3991 [inline]
slab_alloc_node mm/slub.c:4152 [inline]
__kmalloc_cache_noprof+0x217/0x3e0 mm/slub.c:4320
kmalloc_noprof include/linux/slab.h:901 [inline]
kzalloc_noprof include/linux/slab.h:1037 [inline]
bus_register+0x4f/0x6a0 drivers/base/bus.c:863
faux_bus_init+0x36/0xc0 drivers/base/faux.c:216
driver_init+0x33/0x60 drivers/base/init.c:35
do_basic_setup init/main.c:1351 [inline]
kernel_init_freeable+0x3d0/0x900 init/main.c:1568
kernel_init+0x1c/0x2b0 init/main.c:1457
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
page_owner free stack trace missing

Memory state around the buggy address:
ffff8881026cf000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8881026cf080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8881026cf100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8881026cf180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8881026cf200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


Tested on:

commit: c749f058 USB: core: Add eUSB2 descriptor and parsing i..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing
console output: https://syzkaller.appspot.com/x/log.txt?x=11ef2db0580000
kernel config: https://syzkaller.appspot.com/x/.config?x=f429368eda610a89
dashboard link: https://syzkaller.appspot.com/bug?extid=0154da2d403396b2bd59
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=1305a7a4580000

Reply all
Reply to author
Forward
0 new messages