Bug 210241 - Crashes after unplugging Apple Trackpad 2 - KASAN reports errors
Status: NEW
Alias: None
Product: Drivers
Classification: Unclassified
Component: Input Devices
Hardware: All Linux
Importance: P1 normal
Assignee: drivers_input-devices
Reported: 2020-11-17 22:43 UTC by Felix Hädicke
Modified: 2021-02-27 18:58 UTC

Kernel Version: 5.9.8
Tree: Mainline
Regression: No


Attachments
dmesg output - used decode_stacktrace script (154.09 KB, text/plain)
2020-11-17 22:43 UTC, Felix Hädicke
Used kernel configuration (226.33 KB, text/plain)
2020-11-17 23:01 UTC, Felix Hädicke
logs from machine that cannot boot with trackpad attached (111.17 KB, application/zip)
2021-01-22 06:16 UTC, Jacob Abrams

Description Felix Hädicke 2020-11-17 22:43:22 UTC
Created attachment 293705
dmesg output - used decode_stacktrace script

When using the Apple Trackpad 2 with the "hid-magicmouse" driver via USB, I get reproducible kernel crashes after unplugging the device. Sometimes, the computer hangs immediately, and even Magic SysRQ is not always possible in this state. But most of the time, the computer hangs during shutdown afterwards.

The same problem appears when turning the device off, or unloading the hid-magicmouse module, instead of unplugging it.

With KASAN enabled, I get reports like this when unplugging this device most of the time (but not always):

  BUG: KASAN: double-free or invalid-free in hid_free_buffers.isra.0 (drivers/hid/usbhid/hid-core.c:978) usbhid

See attached dmesg output.

The problem is not reproducible when the hid-magicmouse module is blacklisted. The device can still be used (fallback to hid-generic driver) without this driver, but with very limited functionality.

Kernel built from unmodified 5.9.8 source code.
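
As an added example (not part of the original report and not kernel code): a small Python triage script that extracts KASAN headlines like the one quoted above from dmesg output and groups them, so reports from different machines can be compared. The sample log is constructed; only the text of its first KASAN line comes from this report, and the raw `+0x.../0x... [module]` form is an assumed example of output that was not passed through decode_stacktrace.

```python
import re
from collections import Counter

# Constructed sample. The first KASAN headline is the one quoted in this
# report; every other line is made up to exercise the parser.
SAMPLE_DMESG = """\
[  312.401122] usb 1-2: USB disconnect, device number 5
[  312.455731] BUG: KASAN: double-free or invalid-free in hid_free_buffers.isra.0 (drivers/hid/usbhid/hid-core.c:978) usbhid
[  312.455790] CPU: 3 PID: 147 Comm: kworker/3:2 Not tainted 5.9.8 #1
[  498.120045] BUG: KASAN: double-free or invalid-free in hid_free_buffers.isra.0+0x97/0xd0 [usbhid]
[  498.120101] CPU: 1 PID: 62 Comm: kworker/1:1 Tainted: G    B   5.9.8 #1
"""

KASAN_RE = re.compile(
    r"BUG: KASAN: (?P<kind>.+?) in (?P<func>[\w.]+)"
    r"(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?"       # raw offset/size (undecoded trace)
    r"(?: \((?P<loc>[^)]+)\))?"               # file:line added by decode_stacktrace
    r"(?: \[?(?P<module>[\w-]+)\]?)?\s*$"     # module, with or without brackets
)

# Compiler-generated clone suffixes; stripped so builds group together.
CLONE_SUFFIX_RE = re.compile(r"(?:\.(?:isra|constprop|part|cold)(?:\.\d+)?)+$")


def parse_kasan(dmesg_text):
    """Return one dict per KASAN headline: kind, func, loc, module."""
    reports = []
    for line in dmesg_text.splitlines():
        m = KASAN_RE.search(line)
        if m:
            report = m.groupdict()
            report["func"] = CLONE_SUFFIX_RE.sub("", report["func"])
            reports.append(report)
    return reports


def summarize(reports):
    """Count reports per (kind, function, module) signature."""
    return Counter((r["kind"], r["func"], r["module"]) for r in reports)


if __name__ == "__main__":
    for sig, count in summarize(parse_kasan(SAMPLE_DMESG)).items():
        print(count, *sig)
```
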
Comment 1 Felix Hädicke 2020-11-17 23:01:43 UTC
Created attachment 293707
Used kernel configuration
Comment 2 Felix Hädicke 2020-11-19 07:44:08 UTC
Works when unloading / blacklisting the "hid-generic" driver, too.

The problem only occurs when both driver modules, hid-generic and hid-magicmouse, are loaded.
Comment 3 Felix Hädicke 2020-11-19 07:46:52 UTC
Adding the Apple Magic Trackpad 2 to the "hid_have_special_driver" list in hid-quirks.c solves the problem, too.

Is this not the right thing to do anyway? I am going to send a patch...
Comment 5 Merlin Büge 2020-11-28 01:38:09 UTC
I may be experiencing the same bug:

https://lists.archlinux.org/pipermail/arch-general/2020-November/048320.html

I'm going to test your patch, building now...
Comment 6 Merlin Büge 2020-11-28 14:09:20 UTC
Tested with 5.9.11.arch1-1, your patch seems to fix the issue I had.

Used kernel configuration:
https://github.com/archlinux/svntogit-packages/blob/4e921e037821091f48659ce82394995ae3e7be08/trunk/config

Regarding your comment earlier, I don't know if it's the right way to do it, but it seems to work (it's hard to say for sure since the issue appears somewhat random). Should I encounter any issues again, I will report them back here.

Thanks for looking into this!
Comment 7 Merlin Büge 2020-11-28 14:14:44 UTC
Please let me know if I can do something else to help resolve this, e.g. testing with a different kernel version/config.
Comment 8 Nicholas Sherlock 2021-01-15 09:46:29 UTC
I'm experiencing the same bug, detected by KASAN, with Proxmox kernel 5.4.78-2-pve (based on Ubuntu Focal's kernel).
Comment 9 Jacob Abrams 2021-01-22 06:16:25 UTC
Created attachment 294807
logs from machine that cannot boot with trackpad attached

My machine cannot boot with the Apple Magic Trackpad 2 plugged in:

Linux version 5.8.0-38-generic (buildd@lgw01-amd64-022) (gcc (Ubuntu 10.2.0-13ubuntu1) 10.2.0, GNU ld (GNU Binutils for Ubuntu) 2.35.1) #43-Ubuntu SMP Tue Jan 12 12:42:13 UTC 2021

I've attached logs.
Comment 10 Jacob Abrams 2021-02-04 21:25:13 UTC
From a security standpoint, I'm curious whether this could be exploited. I realize this would require physical access to exploit, but Android phones run the Linux kernel and people often plug their phones into various USB outlets for charging purposes. If something pretends to be a Magic Trackpad, I wonder how much such a device might be able to intrude into the kernel. This may affect the priority of getting a fix.
