mirror of
https://github.com/torvalds/linux.git
synced 2024-12-24 20:01:55 +00:00
91cfe0bbaa
When CONFIG_HID_UCLOGIC=y and CONFIG_KUNIT_ALL_TESTS=y, launch kernel and
then the below user-memory-access bug occurs.
In hid_test_uclogic_params_cleanup_event_hooks(),it call
uclogic_params_ugee_v2_init_event_hooks() with the first arg=NULL, so
when it calls uclogic_params_ugee_v2_has_battery(), the hid_get_drvdata()
will access hdev->dev with hdev=NULL, which will cause below
user-memory-access.
So add a fake_device with quirks member and call hid_set_drvdata()
to assign hdev->dev->driver_data which avoids the null-ptr-def bug
for drvdata->quirks in uclogic_params_ugee_v2_has_battery(). After applying
this patch, the below user-memory-access bug never occurs.
general protection fault, probably for non-canonical address 0xdffffc0000000329: 0000 [#1] PREEMPT SMP KASAN
KASAN: probably user-memory-access in range [0x0000000000001948-0x000000000000194f]
CPU: 5 PID: 2189 Comm: kunit_try_catch Tainted: G B W N 6.6.0-rc2+ #30
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RIP: 0010:uclogic_params_ugee_v2_init_event_hooks+0x87/0x600
Code: f3 f3 65 48 8b 14 25 28 00 00 00 48 89 54 24 60 31 d2 48 89 fa c7 44 24 30 00 00 00 00 48 c7 44 24 28 02 f8 02 01 48 c1 ea 03 <80> 3c 02 00 0f 85 2c 04 00 00 48 8b 9d 48 19 00 00 48 b8 00 00 00
RSP: 0000:ffff88810679fc88 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 0000000000000004 RCX: 0000000000000000
RDX: 0000000000000329 RSI: ffff88810679fd88 RDI: 0000000000001948
RBP: 0000000000000000 R08: 0000000000000000 R09: ffffed1020f639f0
R10: ffff888107b1cf87 R11: 0000000000000400 R12: 1ffff11020cf3f92
R13: ffff88810679fd88 R14: ffff888100b97b08 R15: ffff8881030bb080
FS: 0000000000000000(0000) GS:ffff888119e80000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 0000000005286001 CR4: 0000000000770ee0
DR0: ffffffff8fdd6cf4 DR1: ffffffff8fdd6cf5 DR2: ffffffff8fdd6cf6
DR3: ffffffff8fdd6cf7 DR6: 00000000fffe0ff0 DR7: 0000000000000600
PKRU: 55555554
Call Trace:
<TASK>
? die_addr+0x3d/0xa0
? exc_general_protection+0x144/0x220
? asm_exc_general_protection+0x22/0x30
? uclogic_params_ugee_v2_init_event_hooks+0x87/0x600
? sched_clock_cpu+0x69/0x550
? uclogic_parse_ugee_v2_desc_gen_params+0x70/0x70
? load_balance+0x2950/0x2950
? rcu_trc_cmpxchg_need_qs+0x67/0xa0
hid_test_uclogic_params_cleanup_event_hooks+0x9e/0x1a0
? uclogic_params_ugee_v2_init_event_hooks+0x600/0x600
? __switch_to+0x5cf/0xe60
? migrate_enable+0x260/0x260
? __kthread_parkme+0x83/0x150
? kunit_try_run_case_cleanup+0xe0/0xe0
kunit_generic_run_threadfn_adapter+0x4a/0x90
? kunit_try_catch_throw+0x80/0x80
kthread+0x2b5/0x380
? kthread_complete_and_exit+0x20/0x20
ret_from_fork+0x2d/0x70
? kthread_complete_and_exit+0x20/0x20
ret_from_fork_asm+0x11/0x20
</TASK>
Modules linked in:
Dumping ftrace buffer:
(ftrace buffer empty)
---[ end trace 0000000000000000 ]---
RIP: 0010:uclogic_params_ugee_v2_init_event_hooks+0x87/0x600
Code: f3 f3 65 48 8b 14 25 28 00 00 00 48 89 54 24 60 31 d2 48 89 fa c7 44 24 30 00 00 00 00 48 c7 44 24 28 02 f8 02 01 48 c1 ea 03 <80> 3c 02 00 0f 85 2c 04 00 00 48 8b 9d 48 19 00 00 48 b8 00 00 00
RSP: 0000:ffff88810679fc88 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 0000000000000004 RCX: 0000000000000000
RDX: 0000000000000329 RSI: ffff88810679fd88 RDI: 0000000000001948
RBP: 0000000000000000 R08: 0000000000000000 R09: ffffed1020f639f0
R10: ffff888107b1cf87 R11: 0000000000000400 R12: 1ffff11020cf3f92
R13: ffff88810679fd88 R14: ffff888100b97b08 R15: ffff8881030bb080
FS: 0000000000000000(0000) GS:ffff888119e80000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 0000000005286001 CR4: 0000000000770ee0
DR0: ffffffff8fdd6cf4 DR1: ffffffff8fdd6cf5 DR2: ffffffff8fdd6cf6
DR3: ffffffff8fdd6cf7 DR6: 00000000fffe0ff0 DR7: 0000000000000600
PKRU: 55555554
Kernel panic - not syncing: Fatal exception
Dumping ftrace buffer:
(ftrace buffer empty)
Kernel Offset: disabled
Rebooting in 1 seconds..
Fixes: a251d6576d
("HID: uclogic: Handle wireless device reconnection")
Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
Reviewed-by: José Expósito <jose.exposito89@gmail.com>
Link: https://lore.kernel.org/r/20231009064245.3573397-2-ruanjinjie@huawei.com
Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>
223 lines
5.8 KiB
C
223 lines
5.8 KiB
C
// SPDX-License-Identifier: GPL-2.0+
|
|
|
|
/*
|
|
* HID driver for UC-Logic devices not fully compliant with HID standard
|
|
*
|
|
* Copyright (c) 2022 José Expósito <jose.exposito89@gmail.com>
|
|
*/
|
|
|
|
#include <kunit/test.h>
|
|
#include "./hid-uclogic-params.h"
|
|
#include "./hid-uclogic-rdesc.h"
|
|
|
|
#define MAX_STR_DESC_SIZE 14
|
|
|
|
struct uclogic_parse_ugee_v2_desc_case {
|
|
const char *name;
|
|
int res;
|
|
const __u8 str_desc[MAX_STR_DESC_SIZE];
|
|
size_t str_desc_size;
|
|
const s32 desc_params[UCLOGIC_RDESC_PH_ID_NUM];
|
|
enum uclogic_params_frame_type frame_type;
|
|
};
|
|
|
|
static struct uclogic_parse_ugee_v2_desc_case uclogic_parse_ugee_v2_desc_cases[] = {
|
|
{
|
|
.name = "invalid_str_desc",
|
|
.res = -EINVAL,
|
|
.str_desc = {},
|
|
.str_desc_size = 0,
|
|
.desc_params = {},
|
|
.frame_type = UCLOGIC_PARAMS_FRAME_BUTTONS,
|
|
},
|
|
{
|
|
.name = "resolution_with_value_0",
|
|
.res = 0,
|
|
.str_desc = {
|
|
0x0E, 0x03,
|
|
0x70, 0xB2,
|
|
0x10, 0x77,
|
|
0x08,
|
|
0x00,
|
|
0xFF, 0x1F,
|
|
0x00, 0x00,
|
|
},
|
|
.str_desc_size = 12,
|
|
.desc_params = {
|
|
[UCLOGIC_RDESC_PEN_PH_ID_X_LM] = 0xB270,
|
|
[UCLOGIC_RDESC_PEN_PH_ID_X_PM] = 0,
|
|
[UCLOGIC_RDESC_PEN_PH_ID_Y_LM] = 0x7710,
|
|
[UCLOGIC_RDESC_PEN_PH_ID_Y_PM] = 0,
|
|
[UCLOGIC_RDESC_PEN_PH_ID_PRESSURE_LM] = 0x1FFF,
|
|
[UCLOGIC_RDESC_FRAME_PH_ID_UM] = 0x08,
|
|
},
|
|
.frame_type = UCLOGIC_PARAMS_FRAME_BUTTONS,
|
|
},
|
|
/* XP-PEN Deco L str_desc: Frame with 8 buttons */
|
|
{
|
|
.name = "frame_type_buttons",
|
|
.res = 0,
|
|
.str_desc = {
|
|
0x0E, 0x03,
|
|
0x70, 0xB2,
|
|
0x10, 0x77,
|
|
0x08,
|
|
0x00,
|
|
0xFF, 0x1F,
|
|
0xD8, 0x13,
|
|
},
|
|
.str_desc_size = 12,
|
|
.desc_params = {
|
|
[UCLOGIC_RDESC_PEN_PH_ID_X_LM] = 0xB270,
|
|
[UCLOGIC_RDESC_PEN_PH_ID_X_PM] = 0x2320,
|
|
[UCLOGIC_RDESC_PEN_PH_ID_Y_LM] = 0x7710,
|
|
[UCLOGIC_RDESC_PEN_PH_ID_Y_PM] = 0x1770,
|
|
[UCLOGIC_RDESC_PEN_PH_ID_PRESSURE_LM] = 0x1FFF,
|
|
[UCLOGIC_RDESC_FRAME_PH_ID_UM] = 0x08,
|
|
},
|
|
.frame_type = UCLOGIC_PARAMS_FRAME_BUTTONS,
|
|
},
|
|
/* PARBLO A610 PRO str_desc: Frame with 9 buttons and dial */
|
|
{
|
|
.name = "frame_type_dial",
|
|
.res = 0,
|
|
.str_desc = {
|
|
0x0E, 0x03,
|
|
0x96, 0xC7,
|
|
0xF9, 0x7C,
|
|
0x09,
|
|
0x01,
|
|
0xFF, 0x1F,
|
|
0xD8, 0x13,
|
|
},
|
|
.str_desc_size = 12,
|
|
.desc_params = {
|
|
[UCLOGIC_RDESC_PEN_PH_ID_X_LM] = 0xC796,
|
|
[UCLOGIC_RDESC_PEN_PH_ID_X_PM] = 0x2749,
|
|
[UCLOGIC_RDESC_PEN_PH_ID_Y_LM] = 0x7CF9,
|
|
[UCLOGIC_RDESC_PEN_PH_ID_Y_PM] = 0x1899,
|
|
[UCLOGIC_RDESC_PEN_PH_ID_PRESSURE_LM] = 0x1FFF,
|
|
[UCLOGIC_RDESC_FRAME_PH_ID_UM] = 0x09,
|
|
},
|
|
.frame_type = UCLOGIC_PARAMS_FRAME_DIAL,
|
|
},
|
|
/* XP-PEN Deco Pro S str_desc: Frame with 8 buttons and mouse */
|
|
{
|
|
.name = "frame_type_mouse",
|
|
.res = 0,
|
|
.str_desc = {
|
|
0x0E, 0x03,
|
|
0xC8, 0xB3,
|
|
0x34, 0x65,
|
|
0x08,
|
|
0x02,
|
|
0xFF, 0x1F,
|
|
0xD8, 0x13,
|
|
},
|
|
.str_desc_size = 12,
|
|
.desc_params = {
|
|
[UCLOGIC_RDESC_PEN_PH_ID_X_LM] = 0xB3C8,
|
|
[UCLOGIC_RDESC_PEN_PH_ID_X_PM] = 0x2363,
|
|
[UCLOGIC_RDESC_PEN_PH_ID_Y_LM] = 0x6534,
|
|
[UCLOGIC_RDESC_PEN_PH_ID_Y_PM] = 0x13EC,
|
|
[UCLOGIC_RDESC_PEN_PH_ID_PRESSURE_LM] = 0x1FFF,
|
|
[UCLOGIC_RDESC_FRAME_PH_ID_UM] = 0x08,
|
|
},
|
|
.frame_type = UCLOGIC_PARAMS_FRAME_MOUSE,
|
|
},
|
|
};
|
|
|
|
static void uclogic_parse_ugee_v2_desc_case_desc(struct uclogic_parse_ugee_v2_desc_case *t,
|
|
char *desc)
|
|
{
|
|
strscpy(desc, t->name, KUNIT_PARAM_DESC_SIZE);
|
|
}
|
|
|
|
KUNIT_ARRAY_PARAM(uclogic_parse_ugee_v2_desc, uclogic_parse_ugee_v2_desc_cases,
|
|
uclogic_parse_ugee_v2_desc_case_desc);
|
|
|
|
static void hid_test_uclogic_parse_ugee_v2_desc(struct kunit *test)
|
|
{
|
|
int res;
|
|
s32 desc_params[UCLOGIC_RDESC_PH_ID_NUM];
|
|
enum uclogic_params_frame_type frame_type;
|
|
const struct uclogic_parse_ugee_v2_desc_case *params = test->param_value;
|
|
|
|
res = uclogic_params_parse_ugee_v2_desc(params->str_desc,
|
|
params->str_desc_size,
|
|
desc_params,
|
|
ARRAY_SIZE(desc_params),
|
|
&frame_type);
|
|
KUNIT_ASSERT_EQ(test, res, params->res);
|
|
|
|
if (res)
|
|
return;
|
|
|
|
KUNIT_EXPECT_EQ(test,
|
|
params->desc_params[UCLOGIC_RDESC_PEN_PH_ID_X_LM],
|
|
desc_params[UCLOGIC_RDESC_PEN_PH_ID_X_LM]);
|
|
KUNIT_EXPECT_EQ(test,
|
|
params->desc_params[UCLOGIC_RDESC_PEN_PH_ID_X_PM],
|
|
desc_params[UCLOGIC_RDESC_PEN_PH_ID_X_PM]);
|
|
KUNIT_EXPECT_EQ(test,
|
|
params->desc_params[UCLOGIC_RDESC_PEN_PH_ID_Y_LM],
|
|
desc_params[UCLOGIC_RDESC_PEN_PH_ID_Y_LM]);
|
|
KUNIT_EXPECT_EQ(test,
|
|
params->desc_params[UCLOGIC_RDESC_PEN_PH_ID_Y_PM],
|
|
desc_params[UCLOGIC_RDESC_PEN_PH_ID_Y_PM]);
|
|
KUNIT_EXPECT_EQ(test,
|
|
params->desc_params[UCLOGIC_RDESC_PEN_PH_ID_PRESSURE_LM],
|
|
desc_params[UCLOGIC_RDESC_PEN_PH_ID_PRESSURE_LM]);
|
|
KUNIT_EXPECT_EQ(test,
|
|
params->desc_params[UCLOGIC_RDESC_FRAME_PH_ID_UM],
|
|
desc_params[UCLOGIC_RDESC_FRAME_PH_ID_UM]);
|
|
KUNIT_EXPECT_EQ(test, params->frame_type, frame_type);
|
|
}
|
|
|
|
struct fake_device {
|
|
unsigned long quirks;
|
|
};
|
|
|
|
static void hid_test_uclogic_params_cleanup_event_hooks(struct kunit *test)
|
|
{
|
|
int res, n;
|
|
struct hid_device *hdev;
|
|
struct fake_device *fake_dev;
|
|
struct uclogic_params p = {0, };
|
|
|
|
hdev = kunit_kzalloc(test, sizeof(struct hid_device), GFP_KERNEL);
|
|
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, hdev);
|
|
|
|
fake_dev = kunit_kzalloc(test, sizeof(struct fake_device), GFP_KERNEL);
|
|
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, fake_dev);
|
|
|
|
hid_set_drvdata(hdev, fake_dev);
|
|
|
|
res = uclogic_params_ugee_v2_init_event_hooks(hdev, &p);
|
|
KUNIT_ASSERT_EQ(test, res, 0);
|
|
|
|
/* Check that the function can be called repeatedly */
|
|
for (n = 0; n < 4; n++) {
|
|
uclogic_params_cleanup_event_hooks(&p);
|
|
KUNIT_EXPECT_PTR_EQ(test, p.event_hooks, NULL);
|
|
}
|
|
}
|
|
|
|
static struct kunit_case hid_uclogic_params_test_cases[] = {
|
|
KUNIT_CASE_PARAM(hid_test_uclogic_parse_ugee_v2_desc,
|
|
uclogic_parse_ugee_v2_desc_gen_params),
|
|
KUNIT_CASE(hid_test_uclogic_params_cleanup_event_hooks),
|
|
{}
|
|
};
|
|
|
|
static struct kunit_suite hid_uclogic_params_test_suite = {
|
|
.name = "hid_uclogic_params_test",
|
|
.test_cases = hid_uclogic_params_test_cases,
|
|
};
|
|
|
|
kunit_test_suite(hid_uclogic_params_test_suite);
|
|
|
|
MODULE_DESCRIPTION("KUnit tests for the UC-Logic driver");
|
|
MODULE_LICENSE("GPL");
|
|
MODULE_AUTHOR("José Expósito <jose.exposito89@gmail.com>");
|