[prev in list] [next in list] [prev in thread] [next in thread] 

List:       linux-input
Subject:    Re: [PATCH] HID: magicmouse: Fix an error handling path in magicmouse_probe()
From:       Christophe JAILLET <christophe.jaillet () wanadoo ! fr>
Date:       2021-12-29 8:42:44
Message-ID: 26e05a4b-93b3-c38a-3a89-9c56816c63f7 () wanadoo ! fr
[Download RAW message or body]

Le 29/12/2021 à 08:50, José Expósito a écrit  :
> On Tue, Dec 28, 2021 at 10:09:17PM +0100, Christophe JAILLET wrote:
>> If the timer introduced by the commit below is started, then it must be
>> deleted in the error handling of the probe. Otherwise it would trigger
>> once the driver is no more.
>>
>> Fixes: 0b91b4e4dae6 ("HID: magicmouse: Report battery level over USB")
>> Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
>> ---
>>   drivers/hid/hid-magicmouse.c | 1 +
>>   1 file changed, 1 insertion(+)
>>
>> diff --git a/drivers/hid/hid-magicmouse.c b/drivers/hid/hid-magicmouse.c
>> index eba1e8087bfd..b8b08f0a8c54 100644
>> --- a/drivers/hid/hid-magicmouse.c
>> +++ b/drivers/hid/hid-magicmouse.c
>> @@ -873,6 +873,7 @@ static int magicmouse_probe(struct hid_device *hdev,
>>   
>>   	return 0;
>>   err_stop_hw:
>> +	del_timer_sync(&msc->battery_timer);
>>   	hid_hw_stop(hdev);
>>   	return ret;
>>   }
>> -- 
>> 2.32.0
>>
> 
> My bad, thanks for catching it!
> 
> Tested-by: José Expósito <jose.exposito89@gmail.com>
> 

Hi, just in case, I got a reply from syzbot that this patch fixes:

https://syzkaller.appspot.com/bug?id=ae4e9aaf5651e1d6895071208c7844d4fdfbe30c

If it is the same issue, we can add:
Reported-by: syzbot+a437546ec71b04dfb5ac@syzkaller.appspotmail.com


I've not found it with syzbot, but with a coccinelle script which tries 
to spot things that are in the remove function and should also be in the 
error handling path of the probe.

However, if it help syzbot, I don't care mentioning it.

CJ
[prev in list] [next in list] [prev in thread] [next in thread]