Hi, I am running syzkaller on a KASAN-enabled x86_64 kernel based on Linux 6.17.0/6.18-rc2, and I hit a reproducible general protection fault in input_unregister_device() which seems to be triggered by concurrent writes to the dev.mac_hid.mouse_button_emulation sysctl.
From the stack trace, the faulting instruction in input_unregister_device() is reached from the mac_hid emulated mouse teardown path in drivers/macintosh/mac_hid.c. The mac_hid driver keeps a global struct input_dev * for the emulated mouse, and the sysctl handler for dev.mac_hid.mouse_button_emulation toggles that device between "created" and "destroyed" states. The teardown helper calls input_unregister_device() on the global pointer and then sets the pointer to NULL. However, there may be no proper synchronization around this global pointer in the sysctl handler. The sysctl handler can end up calling input_unregister_device() multiple times on the same device (or on a stale pointer) under concurrent updates.

This issue can be reproduced on both v6.18-rc2 and v6.17.0.

This can be reproduced on:
HEAD commit: e5f0a698b34ed76002dc5cff3804a61c80233a7a
             6fab32bb6508abbb8b7b1c5498e44f0c32320ed5

report:         https://pastebin.com/raw/Fxc8KiiH
console output: https://pastebin.com/raw/trZpGBDe
kernel config:  https://pastebin.com/raw/1grwrT16
C reproducer:   https://pastebin.com/raw/sdxjzABJ

Let me know if you need more details or testing.

Best regards,
Xianying
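As an added, user-space illustration (not the mac_hid driver's code and not the kernel fix itself): the create/destroy toggle the report describes, with the check of the global pointer and its update held in one mutex-protected critical section, so two concurrent "sysctl writes" can never both see a live device and both tear it down. fake_register, fake_unregister, emu_toggle and emu_stress are hypothetical stand-ins for the driver and input-core functions.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stdlib.h>
struct fake_input_dev { int id; };

/* Hypothetical stand-ins for the input core's register/unregister calls;
   the counters let a caller check each device was torn down exactly once. */
static atomic_int registered_calls, unregistered_calls;
static struct fake_input_dev *fake_register(void) {
    struct fake_input_dev *d = calloc(1, sizeof *d);
    if (d) atomic_fetch_add(&registered_calls, 1);
    return d;
}
static void fake_unregister(struct fake_input_dev *d) {
    atomic_fetch_add(&unregistered_calls, 1);
    free(d); /* a second call on the same pointer would be a double free */
}

/* The driver's single global device pointer; every access goes under emu_lock. */
static struct fake_input_dev *emu_dev;
static pthread_mutex_t emu_lock = PTHREAD_MUTEX_INITIALIZER;

/* Models the sysctl handler: enable (1) or disable (0) the emulated device.
   The test of emu_dev and its update form one critical section, so two
   concurrent writers cannot both see a live device and both tear it down. */
int emu_toggle(int enable) {
    int rc = 0;
    pthread_mutex_lock(&emu_lock);
    if (enable && !emu_dev) {
        emu_dev = fake_register();
        if (!emu_dev) rc = -1;
    } else if (!enable && emu_dev) {
        fake_unregister(emu_dev);
        emu_dev = NULL;
    }
    pthread_mutex_unlock(&emu_lock);
    return rc;
}
static void *writer(void *arg) {
    for (int i = 0; i < 20000; i++) emu_toggle(i & 1);
    return arg;
}

/* Hammers the toggle from four threads, disables at the end, and returns
   registered minus unregistered calls: 0 means no double teardown and no leak. */
int emu_stress(void) {
    pthread_t t[4];
    for (int i = 0; i < 4; i++) pthread_create(&t[i], NULL, writer, NULL);
    for (int i = 0; i < 4; i++) pthread_join(t[i], NULL);
    emu_toggle(0);
    return atomic_load(&registered_calls) - atomic_load(&unregistered_calls);
}
```

Dropping the mutex (or checking emu_dev before taking it) reproduces the report's pattern: two writers can both pass the NULL check and unregister the same pointer.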
