On Fri, Apr 14, 2023 at 08:55:47PM +0800, Dongliang Mu wrote:
> In xpad_probe(), it does not allocate xpad->dev with input_dev type.
> Then, when it invokes dev_warn with 1st argument - &xpad->dev->dev, it
> would trigger GPF.

What is a call tree for this? Actually I found it from the bug report.

drivers/input/joystick/xpad.c
	if (error)
		dev_warn(&xpad->dev->dev,
			 "unable to receive magic message: %d\n",
			 error);
	}

>
> Fix this by allocating xpad->dev, its error handling and cleanup
> operations in the remove function.
>
> Note that this crash does not have any reproducer, so the patch
> only passes compilation testing.

The xpad->dev = input_dev; already happens in xpad_init_input(). We
shouldn't allocate it twice. I think the fix is to just use a different
device pointer for the dev_warn(). Why not use &xpad->intf->dev?

>
> Reported-by: syzbot+a3f758b8d8cb7e49afec@xxxxxxxxxxxxxxxxxxxxxxxxx

Could you use a Link tag to link to the bug report?

Link: https://groups.google.com/g/syzkaller-bugs/c/iMhTgpGuIbM

This needs a Fixes tag.

Fixes: db7220c48d8d ("Input: xpad - fix support for some third-party controllers")

regards,
dan carpenter
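
The pointer problem discussed in this message, as an added user-space example that is not code from the thread or from the kernel: while xpad->dev is still NULL, &xpad->dev->dev evaluates to a small non-zero address, so a NULL check on the device argument would not catch it, whereas &xpad->intf->dev is valid during probe. The struct layouts, the helper names and the device name below are constructed stand-ins, not the kernel's definitions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for the kernel types; layouts are illustrative only. */
struct device { const char *name; };
struct input_dev { char name_buf[64]; struct device dev; }; /* dev is not the first member */
struct usb_interface { struct device dev; };
struct usb_xpad { struct input_dev *dev; struct usb_interface *intf; };

/* Address that &xpad->dev->dev evaluates to, computed with integer
 * arithmetic so this model never forms a pointer from NULL. */
static uintptr_t input_dev_addr(const struct usb_xpad *xpad)
{
	return (uintptr_t)xpad->dev + offsetof(struct input_dev, dev);
}

/* An "if (!dev)" guard in a logging helper only fires when the address is 0. */
static int null_guard_catches(uintptr_t dev_addr)
{
	return dev_addr == 0;
}

/* Device that exists for the whole of probe: the USB interface. */
static struct device *probe_log_dev(struct usb_xpad *xpad)
{
	return &xpad->intf->dev;
}

int main(void)
{
	struct usb_interface intf = { .dev = { .name = "1-1:1.0" } }; /* constructed name */
	struct usb_xpad xpad = { .dev = NULL, .intf = &intf };        /* state before xpad_init_input() */
	uintptr_t bad = input_dev_addr(&xpad);

	printf("&xpad->dev->dev would be %#lx, NULL guard catches it: %d\n",
	       (unsigned long)bad, null_guard_catches(bad));
	printf("probe-time warning goes to %s\n", probe_log_dev(&xpad)->name);
	return 0;
}
```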