In xpad_probe(), it does not allocate xpad->dev with input_dev type. Then, when it invokes dev_warn with 1st argument - &xpad->dev->dev, it would trigger GPF. Fix this by allocating xpad->dev, its error handling and cleanup operations in the remove function. Note that this crash does not have any reproducer, so the patch only passes compilation testing.
Reported-by: syzbot+a3f758b8d8cb7e49afec@xxxxxxxxxxxxxxxxxxxxxxxxx
Signed-off-by: Dongliang Mu <dzm91@xxxxxxxxxxx>
---
 drivers/input/joystick/xpad.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/drivers/input/joystick/xpad.c b/drivers/input/joystick/xpad.c
index 66a92691a047..2e077b52f46a 100644
--- a/drivers/input/joystick/xpad.c
+++ b/drivers/input/joystick/xpad.c
@@ -1944,6 +1944,7 @@ static int xpad_probe(struct usb_interface *intf, const struct usb_device_id *id
 {
 struct usb_device *udev = interface_to_usbdev(intf);
 struct usb_xpad *xpad;
+ struct input_dev *input_dev;
 struct usb_endpoint_descriptor *ep_irq_in, *ep_irq_out;
 int i, error;
@@ -1957,9 +1958,13 @@ static int xpad_probe(struct usb_interface *intf, const struct usb_device_id *id
 }
 xpad = kzalloc(sizeof(struct usb_xpad), GFP_KERNEL);
- if (!xpad)
- return -ENOMEM;
+ input_dev = input_allocate_device();
+ if (!xpad || !input_dev) {
+ error = -ENOMEM;
+ goto err_free_mem;
+ }
+ xpad->dev = input_dev;
 usb_make_path(udev, xpad->phys, sizeof(xpad->phys));
 strlcat(xpad->phys, "/input0", sizeof(xpad->phys));
@@ -2134,6 +2139,7 @@ static int xpad_probe(struct usb_interface *intf, const struct usb_device_id *id
 err_free_idata:
 usb_free_coherent(udev, XPAD_PKT_LEN, xpad->idata, xpad->idata_dma);
 err_free_mem:
+ input_free_device(input_dev);
 kfree(xpad);
 return error;
 }
@@ -2159,6 +2165,7 @@ static void xpad_disconnect(struct usb_interface *intf)
 usb_free_coherent(xpad->udev, XPAD_PKT_LEN, xpad->idata, xpad->idata_dma);
+ input_free_device(xpad->dev);
 kfree(xpad);
 usb_set_intfdata(intf, NULL);
-- 
2.39.2
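Review bot: The new `xpad->dev = input_dev;` in the second hunk gives the probe-time allocation an owner only if nothing later in xpad_probe() assigns xpad->dev again; the rest of the function is outside these hunks, so that needs confirming before merge. If a later init step allocates and registers its own input device, this one is overwritten and leaks, and the `input_dev` released at err_free_mem is no longer the object held in xpad->dev. Because the description says the patch was only compile-tested, I would add a comment at the assignment such as `/* probe owns xpad->dev from here; released at err_free_mem or in disconnect */` so the intended lifetime is on record. The goto that replaces `return -ENOMEM` relies on input_free_device() and kfree() both accepting NULL, which is worth noting in the same comment.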
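Review bot: `input_free_device(input_dev);` at err_free_mem (third hunk) and `input_free_device(xpad->dev);` in xpad_disconnect() (last hunk) are only correct for a device that was never registered. The input core expects input_unregister_device() once input_register_device() has succeeded, with no further free afterwards. If the driver registers xpad->dev anywhere before these lines (not visible in the hunks), the disconnect path would drop a reference it no longer holds and turn a NULL-dereference fix into a possible use-after-free on unplug. In xpad_disconnect() I would expect `input_unregister_device(xpad->dev);` instead, or no call at all if an earlier teardown step already unregisters the device. Both function bodies extend beyond the hunks, so the registration point should be checked against the full file.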