From fd75f3694b1dd5070408ea4a58ca7f8e0a3fcbcd Mon Sep 17 00:00:00 2001 From: Geert Uytterhoeven Date: Tue, 2 May 2023 09:41:46 -0700 Subject: Input: tests - fix use-after-free and refcount underflow in input_test_exit() With CONFIG_DEBUG_SLAB=y: # Subtest: input_core 1..3 input: Test input device as /devices/virtual/input/input1 8<--- cut here --- Unable to handle kernel paging request at virtual address 6b6b6dd7 when read ... __lock_acquire from lock_acquire+0x26c/0x300 lock_acquire from _raw_spin_lock_irqsave+0x50/0x64 _raw_spin_lock_irqsave from devres_remove+0x20/0x7c devres_remove from devres_destroy+0x8/0x24 devres_destroy from input_free_device+0x2c/0x60 input_free_device from kunit_try_run_case+0x70/0x94 [kunit] Without CONFIG_DEBUG_SLAB=y: KTAP version 1 # Subtest: input_core 1..3 input: Test input device as /devices/virtual/input/input1 ------------[ cut here ]------------ WARNING: CPU: 0 PID: 694 at lib/refcount.c:28 refcount_warn_saturate+0x54/0x100 refcount_t: underflow; use-after-free. ... Call Trace: [<0037cad4>] dump_stack+0xc/0x10 [<00377614>] __warn+0x7e/0xb4 [<0037768c>] warn_slowpath_fmt+0x42/0x62 [<001eee1c>] refcount_warn_saturate+0x54/0x100 [<000b1d34>] kfree_const+0x0/0x20 [<0036290a>] __kobject_del+0x0/0x6e [<001eee1c>] refcount_warn_saturate+0x54/0x100 [<00362a1a>] kobject_put+0xa2/0xb6 [<11965770>] kunit_generic_run_threadfn_adapter+0x0/0x1c [kunit] As per the comments for input_allocate_device() and input_register_device(), input_free_device() must be called only to free devices that have not been registered. input_unregister_device() already calls input_put_device(), thus leading to a use-after-free. Moreover, the kunit_suite.exit() method is called after every test case, even on failures. As the test itself already does cleanups in its failure paths, this may lead to a second use-after-free. Fix the first issue by dropping the call to input_allocate_device() from input_test_exit(). Fix the second issue by making the cleanup code conditional on a successful test. Fixes: fdefcbdd6f361841 ("Input: Add KUnit tests for some of the input core helper functions") Signed-off-by: Geert Uytterhoeven Reviewed-by: Javier Martinez Canillas Link: https://lore.kernel.org/r/957b3b309a44d39fb6e38b2a526b250f69ea3d2c.1683022164.git.geert+renesas@glider.be Signed-off-by: Dmitry Torokhov --- drivers/input/tests/input_test.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'drivers/input/tests/input_test.c') diff --git a/drivers/input/tests/input_test.c b/drivers/input/tests/input_test.c index e5a6c1ad2167..8b8ac3412a70 100644 --- a/drivers/input/tests/input_test.c +++ b/drivers/input/tests/input_test.c @@ -43,8 +43,8 @@ static void input_test_exit(struct kunit *test) { struct input_dev *input_dev = test->priv; - input_unregister_device(input_dev); - input_free_device(input_dev); + if (input_dev) + input_unregister_device(input_dev); } static void input_test_poll(struct input_dev *input) { } -- cgit v1.2.3 From c73b4db076faf827d0656665ef5e97b76926b60f Mon Sep 17 00:00:00 2001 From: Dmitry Torokhov Date: Fri, 5 May 2023 11:16:29 -0700 Subject: Input: tests - fix input_test_match_device_id test Properly initialize input_device_id structure in input_test_match_device_id test to make sure it contains no garbage causing the test to randomly fail. Fixes: fdefcbdd6f36 ("Input: Add KUnit tests for some of the input core helper functions") Reported-by: Geert Uytterhoeven Tested-by: Geert Uytterhoeven Reviewed-by: Javier Martinez Canillas Link: https://lore.kernel.org/r/ZFLI7T2qZTGJ1UUK@google.com Signed-off-by: Dmitry Torokhov --- drivers/input/tests/input_test.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'drivers/input/tests/input_test.c') diff --git a/drivers/input/tests/input_test.c b/drivers/input/tests/input_test.c index 8b8ac3412a70..0540225f0288 100644 --- a/drivers/input/tests/input_test.c +++ b/drivers/input/tests/input_test.c @@ -87,7 +87,7 @@ static void input_test_timestamp(struct kunit *test) static void input_test_match_device_id(struct kunit *test) { struct input_dev *input_dev = test->priv; - struct input_device_id id; + struct input_device_id id = { 0 }; /* * Must match when the input device bus, vendor, product, version -- cgit v1.2.3 From b00315628095075da4af8d6d519d85d95117de09 Mon Sep 17 00:00:00 2001 From: Dana Elfassy Date: Tue, 23 May 2023 14:49:42 -0700 Subject: Input: tests - add test to cover all input_grab_device() function Currently input_grab_device() isn't covered by any tests Thus, adding a test to cover the cases: 1. The device is grabbed successfully 2. Trying to grab a device that is already grabbed by another input handle Signed-off-by: Dana Elfassy Tested-by: Javier Martinez Canillas Reviewed-by: Javier Martinez Canillas Reviewed-by: Dmitry Torokhov Link: https://lore.kernel.org/r/20230522215514.722564-1-dangel101@gmail.com Signed-off-by: Dmitry Torokhov --- drivers/input/tests/input_test.c | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) (limited to 'drivers/input/tests/input_test.c') diff --git a/drivers/input/tests/input_test.c b/drivers/input/tests/input_test.c index 0540225f0288..2fa5b725ae0a 100644 --- a/drivers/input/tests/input_test.c +++ b/drivers/input/tests/input_test.c @@ -130,10 +130,42 @@ static void input_test_match_device_id(struct kunit *test) KUNIT_ASSERT_FALSE(test, input_match_device_id(input_dev, &id)); } +static void input_test_grab(struct kunit *test) +{ + struct input_dev *input_dev = test->priv; + struct input_handle test_handle; + struct input_handler handler; + struct input_handle handle; + struct input_device_id id; + int res; + + handler.name = "handler"; + handler.id_table = &id; + + handle.dev = input_get_device(input_dev); + handle.name = dev_name(&input_dev->dev); + handle.handler = &handler; + res = input_grab_device(&handle); + KUNIT_ASSERT_TRUE(test, res == 0); + + test_handle.dev = input_get_device(input_dev); + test_handle.name = dev_name(&input_dev->dev); + test_handle.handler = &handler; + res = input_grab_device(&test_handle); + KUNIT_ASSERT_EQ(test, res, -EBUSY); + + input_release_device(&handle); + input_put_device(input_dev); + res = input_grab_device(&test_handle); + KUNIT_ASSERT_TRUE(test, res == 0); + input_put_device(input_dev); +} + static struct kunit_case input_tests[] = { KUNIT_CASE(input_test_polling), KUNIT_CASE(input_test_timestamp), KUNIT_CASE(input_test_match_device_id), + KUNIT_CASE(input_test_grab), { /* sentinel */ } }; -- cgit v1.2.3