syzbot

map[Actionable:true Confident:true Explanation:The bug report is **actionable** and **self-consistent**. It provides all three required stack traces: the bad memory access, the heap block allocation, and the heap block free.

### Analysis of the Stacks:
1.  **Access Stack**: The crash occurs in `input_devices_seq_show` (triggered by reading `/proc/bus/input/devices`). Specifically, it happens at line 1099 of `drivers/input/input.c` while accessing the `dev->phys` field of a `struct input_dev`. The KASAN report indicates a `slab-use-after-free` when reading the string pointed to by `phys`.
2.  **Allocation/Free Stacks**: The memory in question was allocated and freed by `ieee80211_inform_bss` in the `mac80211` wireless subsystem. This function is called during wireless scanning when a new BSS (Access Point) is discovered. It allocates a temporary `struct ieee80211_elems_parse` (size 1KB) to parse Information Elements (IEs) from the beacon/probe response and frees it immediately after processing.

### Conclusion:
The report is highly consistent. It reveals that some code (likely within a wireless driver or the `mac80211`/`cfg80211` stack) assigned a pointer to a field inside the temporary `ieee80211_elems_parse` object to the `phys` field of a persistent `input_dev` structure. 

Because `ieee80211_inform_bss` frees this temporary object before returning, the `input_dev->phys` pointer becomes a dangling pointer (Use-After-Free). When a user-space process later reads `/proc/bus/input/devices`, the kernel attempts to print this string, leading to the crash.

The report provides enough information to identify the subsystem (`mac80211`/`input`) and the specific temporary object being misused, making it actionable for developers to track down the incorrect pointer assignment.]

map[KernelSrc:/usr/local/google/home/dvyukov/syzkaller/agent/workdir/cache/src/cb24f0835974de80148d21636f6b653d93682021]

map[KernelObj:/usr/local/google/home/dvyukov/syzkaller/agent/workdir/cache/build/937d5996a1bbadcc53e9225f96b2420402480993]

map[Index:codesearch-index]

gemini-3-flash-preview

map[Actionable:true Confident:true]

You are an experienced Linux kernel developer tasked with determining if the given kernel bug
report is actionable or not. Actionable means that it contains enough info to root cause
the underlying bug, and that the report is self-consistent and makes sense, rather than
e.g. a one-off nonsensical crash induced by a previous memory corruption.


The bug report is about a use-after-free bug generated by KASAN tool.
It should contain 3 stack traces: the bad memory access stack, the heap block allocation stack,
and the heap block free stack. If the report does not contain 3 stacks, it's not actionable.

All 3 stack traces should be related to the same object type,
and usually be in the same kernel subsystem (at least leaf stack frames).
An example of an actionable and consistent report would be: first access stack relates
to an access to a field of struct Foo, allocation/free stacks relate to allocation/free
of the struct Foo.
In inconsistent/nonsensical reports an access may be to a struct Foo, but allocation
stack allocates a different structure in a different subsystem.
Look for other suspicious signals/inconsistencies that can make this report hard to
debug/understand. 


In the final reply explain why you think the report is self-consistent and actionable,
or why it's inconsistent and/or not actionable.

Use the provided tools to confirm any assumptions, variables/fields being accessed, etc.
In particular, don't make assumptions about the kernel source code,
use codesearch tools to read the actual source code.

Prefer calling several tools at the same time to save round-trips.


Use set-results tool to provide results of the analysis.
It must be called exactly once before the final reply.
Ignore results of this tool.

The bug report is:

==================================================================
BUG: KASAN: slab-use-after-free in string_nocheck lib/vsprintf.c:654 [inline]
BUG: KASAN: slab-use-after-free in string+0x231/0x2b0 lib/vsprintf.c:736
Read of size 1 at addr ffff888059a15a20 by task syz.1.395/7511

CPU: 1 UID: 0 PID: 7511 Comm: syz.1.395 Tainted: G             L      syzkaller #0 PREEMPT(full) 
Tainted: [L]=SOFTLOCKUP
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Call Trace:
 <TASK>
 dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xca/0x240 mm/kasan/report.c:482
 kasan_report+0x118/0x150 mm/kasan/report.c:595
 string_nocheck lib/vsprintf.c:654 [inline]
 string+0x231/0x2b0 lib/vsprintf.c:736
 vsnprintf+0x739/0xee0 lib/vsprintf.c:2947
 seq_vprintf fs/seq_file.c:391 [inline]
 seq_printf+0x178/0x270 fs/seq_file.c:406
 input_devices_seq_show+0x145/0x640 drivers/input/input.c:1099
 seq_read_iter+0x9bb/0xe20 fs/seq_file.c:272
 seq_read+0x369/0x480 fs/seq_file.c:162
 pde_read fs/proc/inode.c:308 [inline]
 proc_reg_read+0x1e9/0x2e0 fs/proc/inode.c:320
 do_loop_readv_writev fs/read_write.c:847 [inline]
 vfs_readv+0x5aa/0x850 fs/read_write.c:1020
 do_preadv fs/read_write.c:1132 [inline]
 __do_sys_preadv fs/read_write.c:1179 [inline]
 __se_sys_preadv fs/read_write.c:1174 [inline]
 __x64_sys_preadv+0x197/0x2a0 fs/read_write.c:1174
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xec/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f3fbc58f749
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f3fbd4ec038 EFLAGS: 00000246 ORIG_RAX: 0000000000000127
RAX: ffffffffffffffda RBX: 00007f3fbc7e5fa0 RCX: 00007f3fbc58f749
RDX: 0000000000000001 RSI: 00002000000015c0 RDI: 0000000000000003
RBP: 00007f3fbc613f91 R08: 0000000000207fff R09: 0000000000000000
R10: 00000000000000f2 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f3fbc7e6038 R14: 00007f3fbc7e5fa0 R15: 00007f3fbc90fa28
 </TASK>

Allocated by task 7472:
 kasan_save_stack mm/kasan/common.c:57 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
 poison_kmalloc_redzone mm/kasan/common.c:398 [inline]
 __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:415
 kasan_kmalloc include/linux/kasan.h:263 [inline]
 __do_kmalloc_node mm/slub.c:5657 [inline]
 __kmalloc_noprof+0x41d/0x800 mm/slub.c:5669
 kmalloc_noprof include/linux/slab.h:961 [inline]
 kzalloc_noprof include/linux/slab.h:1094 [inline]
 ieee802_11_parse_elems_full+0x152/0x2ab0 net/mac80211/parse.c:1031
 ieee802_11_parse_elems net/mac80211/ieee80211_i.h:2469 [inline]
 ieee80211_inform_bss+0x147/0x1130 net/mac80211/scan.c:79
 rdev_inform_bss net/wireless/rdev-ops.h:418 [inline]
 cfg80211_inform_single_bss_data+0xd14/0x1ad0 net/wireless/scan.c:2373
 cfg80211_inform_bss_data+0x203/0x3b40 net/wireless/scan.c:3228
 cfg80211_inform_bss_frame_data+0x3c7/0x710 net/wireless/scan.c:3319
 ieee80211_bss_info_update+0x749/0x9e0 net/mac80211/scan.c:230
 ieee80211_scan_rx+0x593/0xa20 net/mac80211/scan.c:359
 __ieee80211_rx_handle_packet net/mac80211/rx.c:5287 [inline]
 ieee80211_rx_list+0x2485/0x2f90 net/mac80211/rx.c:5544
 ieee80211_rx_napi+0x1a8/0x3d0 net/mac80211/rx.c:5567
 ieee80211_rx include/net/mac80211.h:5216 [inline]
 ieee80211_handle_queued_frames+0xe8/0x1e0 net/mac80211/main.c:452
 tasklet_action_common+0x2da/0x4b0 kernel/softirq.c:925
 handle_softirqs+0x22b/0x7c0 kernel/softirq.c:622
 do_softirq+0x76/0xd0 kernel/softirq.c:523
 __local_bh_enable_ip+0xf8/0x130 kernel/softirq.c:450
 spin_unlock_bh include/linux/spinlock.h:396 [inline]
 ip_mc_clear_src net/ipv4/igmp.c:2253 [inline]
 __ip_mc_dec_group+0x4c7/0x670 net/ipv4/igmp.c:1780
 inetdev_event+0x297/0x15b0 net/ipv4/devinet.c:1641
 notifier_call_chain+0x19d/0x3a0 kernel/notifier.c:85
 call_netdevice_notifiers_extack net/core/dev.c:2268 [inline]
 call_netdevice_notifiers net/core/dev.c:2282 [inline]
 __dev_notify_flags+0x18d/0x2e0 net/core/dev.c:-1
 netif_change_flags+0xe8/0x1a0 net/core/dev.c:9804
 do_setlink+0xc55/0x41c0 net/core/rtnetlink.c:3158
 rtnl_group_changelink net/core/rtnetlink.c:3790 [inline]
 __rtnl_newlink net/core/rtnetlink.c:3944 [inline]
 rtnl_newlink+0x14b0/0x1c90 net/core/rtnetlink.c:4072
 rtnetlink_rcv_msg+0x7cf/0xb70 net/core/rtnetlink.c:6958
 netlink_rcv_skb+0x208/0x470 net/netlink/af_netlink.c:2550
 netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]
 netlink_unicast+0x82f/0x9e0 net/netlink/af_netlink.c:1344
 netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1894
 sock_sendmsg_nosec net/socket.c:727 [inline]
 __sock_sendmsg+0x21c/0x270 net/socket.c:742
 ____sys_sendmsg+0x505/0x820 net/socket.c:2592
 ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2646
 __sys_sendmsg net/socket.c:2678 [inline]
 __do_sys_sendmsg net/socket.c:2683 [inline]
 __se_sys_sendmsg net/socket.c:2681 [inline]
 __x64_sys_sendmsg+0x19b/0x260 net/socket.c:2681
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xec/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 7472:
 kasan_save_stack mm/kasan/common.c:57 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
 kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584
 poison_slab_object mm/kasan/common.c:253 [inline]
 __kasan_slab_free+0x5c/0x80 mm/kasan/common.c:285
 kasan_slab_free include/linux/kasan.h:235 [inline]
 slab_free_hook mm/slub.c:2540 [inline]
 slab_free mm/slub.c:6670 [inline]
 kfree+0x1c0/0x660 mm/slub.c:6878
 ieee80211_inform_bss+0xc4e/0x1130 net/mac80211/scan.c:164
 rdev_inform_bss net/wireless/rdev-ops.h:418 [inline]
 cfg80211_inform_single_bss_data+0xd14/0x1ad0 net/wireless/scan.c:2373
 cfg80211_inform_bss_data+0x203/0x3b40 net/wireless/scan.c:3228
 cfg80211_inform_bss_frame_data+0x3c7/0x710 net/wireless/scan.c:3319
 ieee80211_bss_info_update+0x749/0x9e0 net/mac80211/scan.c:230
 ieee80211_scan_rx+0x593/0xa20 net/mac80211/scan.c:359
 __ieee80211_rx_handle_packet net/mac80211/rx.c:5287 [inline]
 ieee80211_rx_list+0x2485/0x2f90 net/mac80211/rx.c:5544
 ieee80211_rx_napi+0x1a8/0x3d0 net/mac80211/rx.c:5567
 ieee80211_rx include/net/mac80211.h:5216 [inline]
 ieee80211_handle_queued_frames+0xe8/0x1e0 net/mac80211/main.c:452
 tasklet_action_common+0x2da/0x4b0 kernel/softirq.c:925
 handle_softirqs+0x22b/0x7c0 kernel/softirq.c:622
 do_softirq+0x76/0xd0 kernel/softirq.c:523
 __local_bh_enable_ip+0xf8/0x130 kernel/softirq.c:450
 spin_unlock_bh include/linux/spinlock.h:396 [inline]
 ip_mc_clear_src net/ipv4/igmp.c:2253 [inline]
 __ip_mc_dec_group+0x4c7/0x670 net/ipv4/igmp.c:1780
 inetdev_event+0x297/0x15b0 net/ipv4/devinet.c:1641
 notifier_call_chain+0x19d/0x3a0 kernel/notifier.c:85
 call_netdevice_notifiers_extack net/core/dev.c:2268 [inline]
 call_netdevice_notifiers net/core/dev.c:2282 [inline]
 __dev_notify_flags+0x18d/0x2e0 net/core/dev.c:-1
 netif_change_flags+0xe8/0x1a0 net/core/dev.c:9804
 do_setlink+0xc55/0x41c0 net/core/rtnetlink.c:3158
 rtnl_group_changelink net/core/rtnetlink.c:3790 [inline]
 __rtnl_newlink net/core/rtnetlink.c:3944 [inline]
 rtnl_newlink+0x14b0/0x1c90 net/core/rtnetlink.c:4072
 rtnetlink_rcv_msg+0x7cf/0xb70 net/core/rtnetlink.c:6958
 netlink_rcv_skb+0x208/0x470 net/netlink/af_netlink.c:2550
 netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]
 netlink_unicast+0x82f/0x9e0 net/netlink/af_netlink.c:1344
 netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1894
 sock_sendmsg_nosec net/socket.c:727 [inline]
 __sock_sendmsg+0x21c/0x270 net/socket.c:742
 ____sys_sendmsg+0x505/0x820 net/socket.c:2592
 ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2646
 __sys_sendmsg net/socket.c:2678 [inline]
 __do_sys_sendmsg net/socket.c:2683 [inline]
 __se_sys_sendmsg net/socket.c:2681 [inline]
 __x64_sys_sendmsg+0x19b/0x260 net/socket.c:2681
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xec/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff888059a15800
 which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 544 bytes inside of
 freed 1024-byte region [ffff888059a15800, ffff888059a15c00)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x59a10
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff88813ffa6dc0 ffffea0001333000 dead000000000002
raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
head: 00fff00000000040 ffff88813ffa6dc0 ffffea0001333000 dead000000000002
head: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
head: 00fff00000000003 ffffea0001668401 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x52820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 36, tgid 36 (kworker/u8:2), ts 110548083117, free_ts 39099257608
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x234/0x290 mm/page_alloc.c:1857
 prep_new_page mm/page_alloc.c:1865 [inline]
 get_page_from_freelist+0x24e0/0x2580 mm/page_alloc.c:3915
 __alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5210
 alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2486
 alloc_slab_page mm/slub.c:3075 [inline]
 allocate_slab+0x86/0x3b0 mm/slub.c:3248
 new_slab mm/slub.c:3302 [inline]
 ___slab_alloc+0xe53/0x1820 mm/slub.c:4656
 __slab_alloc+0x65/0x100 mm/slub.c:4779
 __slab_alloc_node mm/slub.c:4855 [inline]
 slab_alloc_node mm/slub.c:5251 [inline]
 __do_kmalloc_node mm/slub.c:5656 [inline]
 __kmalloc_noprof+0x47d/0x800 mm/slub.c:5669
 kmalloc_noprof include/linux/slab.h:961 [inline]
 kzalloc_noprof include/linux/slab.h:1094 [inline]
 ieee802_11_parse_elems_full+0x152/0x2ab0 net/mac80211/parse.c:1031
 ieee802_11_parse_elems net/mac80211/ieee80211_i.h:2469 [inline]
 ieee80211_inform_bss+0x147/0x1130 net/mac80211/scan.c:79
 rdev_inform_bss net/wireless/rdev-ops.h:418 [inline]
 cfg80211_inform_single_bss_data+0xd14/0x1ad0 net/wireless/scan.c:2373
 cfg80211_inform_bss_data+0x203/0x3b40 net/wireless/scan.c:3228
 cfg80211_inform_bss_frame_data+0x3c7/0x710 net/wireless/scan.c:3319
 ieee80211_bss_info_update+0x749/0x9e0 net/mac80211/scan.c:230
 ieee80211_scan_rx+0x593/0xa20 net/mac80211/scan.c:359
 __ieee80211_rx_handle_packet net/mac80211/rx.c:5287 [inline]
 ieee80211_rx_list+0x2485/0x2f90 net/mac80211/rx.c:5544
page last free pid 1 tgid 1 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1406 [inline]
 __free_frozen_pages+0xbc8/0xd30 mm/page_alloc.c:2943
 __free_pages mm/page_alloc.c:5329 [inline]
 free_contig_range+0x1bd/0x490 mm/page_alloc.c:7197
 destroy_args+0x69/0x660 mm/debug_vm_pgtable.c:983
 debug_vm_pgtable+0x38f/0x3a0 mm/debug_vm_pgtable.c:1372
 do_one_initcall+0x1f1/0x800 init/main.c:1378
 do_initcall_level+0x104/0x190 init/main.c:1440
 do_initcalls+0x59/0xa0 init/main.c:1456
 kernel_init_freeable+0x2a7/0x3d0 init/main.c:1688
 kernel_init+0x1d/0x1d0 init/main.c:1578
 ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246

Memory state around the buggy address:
 ffff888059a15900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888059a15980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888059a15a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                               ^
 ffff888059a15a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888059a15b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

The bug report is **actionable** and **self-consistent**. It provides all three required stack traces: the bad memory access, the heap block allocation, and the heap block free.

### Analysis of the Stacks:
1.  **Access Stack**: The crash occurs in `input_devices_seq_show` (triggered by reading `/proc/bus/input/devices`). Specifically, it happens at line 1099 of `drivers/input/input.c` while accessing the `dev->phys` field of a `struct input_dev`. The KASAN report indicates a `slab-use-after-free` when reading the string pointed to by `phys`.
2.  **Allocation/Free Stacks**: The memory in question was allocated and freed by `ieee80211_inform_bss` in the `mac80211` wireless subsystem. This function is called during wireless scanning when a new BSS (Access Point) is discovered. It allocates a temporary `struct ieee80211_elems_parse` (size 1KB) to parse Information Elements (IEs) from the beacon/probe response and frees it immediately after processing.

### Conclusion:
The report is highly consistent. It reveals that some code (likely within a wireless driver or the `mac80211`/`cfg80211` stack) assigned a pointer to a field inside the temporary `ieee80211_elems_parse` object to the `phys` field of a persistent `input_dev` structure. 

Because `ieee80211_inform_bss` frees this temporary object before returning, the `input_dev->phys` pointer becomes a dangling pointer (Use-After-Free). When a user-space process later reads `/proc/bus/input/devices`, the kernel attempts to print this string, leading to the crash.

The report provides enough information to identify the subsystem (`mac80211`/`input`) and the specific temporary object being misused, making it actionable for developers to track down the incorrect pointer assignment.

gemini-3-flash-preview

							input: 9660
							output: 43
							thoughts: 496
						

**KASAN Slab-Use-After-Free Deep Dive**

Okay, so I've got a KASAN slab-use-after-free on my hands. From the access stack trace, it looks like the issue is being triggered in `input_devices_seq_show`, which is reading some data – probably from `/proc/bus/input/devices` or something similar, judging by the context. I can see the call chain winding its way through `vsprintf` in the standard C library.

The access is in `string_nocheck` at `lib/vsprintf.c:654`. I know these `vsprintf` functions can be tricky, so that's a key area to keep in mind.

Now, where did this thing get allocated and freed? The allocation and free stacks point to `mac80211`. Specifically, I'm seeing `ieee802_11_parse_elems_full` as the allocation point. Then, both the allocation and free seem to converge on `ieee80211_inform_bss`, which makes me think there might be a race condition in the wireless stack. And I see that it is all triggered by `rtnetlink_rcv_msg`. Interesting.

So, let me recap: `input_devices_seq_show` – that's input devices – is accessing memory that's being allocated and freed within `mac80211`, wireless network stuff. A bit of a head-scratcher!

Right, I need to check those specific functions. Let's look at `input_devices_seq_show` in `drivers/input/input.c:1099` and then jump to `ieee802_11_parse_elems_full` in `net/mac80211/parse.c:1031`.

The buggy address is `ffff888059a15a20`. The object itself is located at `ffff888059a15800`, with a size of 1024 bytes. The use-after-free is happening at an offset of 544 bytes. It's time to dig into the code and see what data structure is at that offset. I should check `input_devices_seq_show` first.

map[ContextFile:drivers/input/input.c IncludeLines:true Name:input_devices_seq_show]

map[SourceCode:1089:	static int input_devices_seq_show(struct seq_file *seq, void *v)
1090:	{
1091:		struct input_dev *dev = container_of(v, struct input_dev, node);
1092:		const char *path = kobject_get_path(&dev->dev.kobj, GFP_KERNEL);
1093:		struct input_handle *handle;
1094:	
1095:		seq_printf(seq, "I: Bus=%04x Vendor=%04x Product=%04x Version=%04x\n",
1096:			   dev->id.bustype, dev->id.vendor, dev->id.product, dev->id.version);
1097:	
1098:		seq_printf(seq, "N: Name=\"%s\"\n", dev->name ? dev->name : "");
1099:		seq_printf(seq, "P: Phys=%s\n", dev->phys ? dev->phys : "");
1100:		seq_printf(seq, "S: Sysfs=%s\n", path ? path : "");
1101:		seq_printf(seq, "U: Uniq=%s\n", dev->uniq ? dev->uniq : "");
1102:		seq_puts(seq, "H: Handlers=");
1103:	
1104:		list_for_each_entry(handle, &dev->h_list, d_node)
1105:			seq_printf(seq, "%s ", handle->name);
1106:		seq_putc(seq, '\n');
1107:	
1108:		input_seq_print_bitmap(seq, "PROP", dev->propbit, INPUT_PROP_MAX);
1109:	
1110:		input_seq_print_bitmap(seq, "EV", dev->evbit, EV_MAX);
1111:		if (test_bit(EV_KEY, dev->evbit))
1112:			input_seq_print_bitmap(seq, "KEY", dev->keybit, KEY_MAX);
1113:		if (test_bit(EV_REL, dev->evbit))
1114:			input_seq_print_bitmap(seq, "REL", dev->relbit, REL_MAX);
1115:		if (test_bit(EV_ABS, dev->evbit))
1116:			input_seq_print_bitmap(seq, "ABS", dev->absbit, ABS_MAX);
1117:		if (test_bit(EV_MSC, dev->evbit))
1118:			input_seq_print_bitmap(seq, "MSC", dev->mscbit, MSC_MAX);
1119:		if (test_bit(EV_LED, dev->evbit))
1120:			input_seq_print_bitmap(seq, "LED", dev->ledbit, LED_MAX);
1121:		if (test_bit(EV_SND, dev->evbit))
1122:			input_seq_print_bitmap(seq, "SND", dev->sndbit, SND_MAX);
1123:		if (test_bit(EV_FF, dev->evbit))
1124:			input_seq_print_bitmap(seq, "FF", dev->ffbit, FF_MAX);
1125:		if (test_bit(EV_SW, dev->evbit))
1126:			input_seq_print_bitmap(seq, "SW", dev->swbit, SW_MAX);
1127:	
1128:		seq_putc(seq, '\n');
1129:	
1130:		kfree(path);
1131:		return 0;
1132:	}
 SourceFile:drivers/input/input.c]

gemini-3-flash-preview

							input: 11692
							output: 55
							thoughts: 266
						

**Debugging a Kernel Crash**

Okay, so the crash happened at line 1099, specifically during a `seq_printf` call. It looks like it's trying to access `dev->phys`. That's where the problem *appears* to be.

But, hold on a second. The KASAN report throws a wrench into that initial thought. It's a slab-use-after-free in `string_nocheck`, specifically during a `%s` format specifier. That's a key detail! So the issue isn't *just* the access, it's that `dev->phys` points to freed memory. `string_nocheck` is called by `string`, meaning it's trying to *read* the string data pointed to by `dev->phys`.

Now, the real investigation begins. I need to trace this memory back. Where was `dev->phys` allocated and freed? The backtrace points to `ieee802_11_parse_elems_full` in `net/mac80211/parse.c` at line 1031.  I have to check what is allocated in there and where it is freed. This seems to be where the bad memory is being allocated.

map[ContextFile:net/mac80211/parse.c IncludeLines:true Name:ieee802_11_parse_elems_full]

map[SourceCode:1015:	struct ieee802_11_elems *
1016:	ieee802_11_parse_elems_full(struct ieee80211_elems_parse_params *params)
1017:	{
1018:		struct ieee80211_elems_parse_params sub = {};
1019:		struct ieee80211_elems_parse *elems_parse;
1020:		const struct element *non_inherit = NULL;
1021:		struct ieee802_11_elems *elems;
1022:		size_t scratch_len = 3 * params->len;
1023:		bool multi_link_inner = false;
1024:	
1025:		BUILD_BUG_ON(offsetof(typeof(*elems_parse), elems) != 0);
1026:	
1027:		/* cannot parse for both a specific link and non-transmitted BSS */
1028:		if (WARN_ON(params->link_id >= 0 && params->bss))
1029:			return NULL;
1030:	
1031:		elems_parse = kzalloc(struct_size(elems_parse, scratch, scratch_len),
1032:				      GFP_ATOMIC);
1033:		if (!elems_parse)
1034:			return NULL;
1035:	
1036:		elems_parse->scratch_len = scratch_len;
1037:		elems_parse->scratch_pos = elems_parse->scratch;
1038:	
1039:		elems = &elems_parse->elems;
1040:		elems->ie_start = params->start;
1041:		elems->total_len = params->len;
1042:	
1043:		/* set all TPE entries to unlimited (but invalid) */
1044:		ieee80211_clear_tpe(&elems->tpe);
1045:		ieee80211_clear_tpe(&elems->csa_tpe);
1046:	
1047:		/*
1048:		 * If we're looking for a non-transmitted BSS then we cannot at
1049:		 * the same time be looking for a second link as the two can only
1050:		 * appear in the same frame carrying info for different BSSes.
1051:		 *
1052:		 * In any case, we only look for one at a time, as encoded by
1053:		 * the WARN_ON above.
1054:		 */
1055:		if (params->bss) {
1056:			int nontx_len =
1057:				ieee802_11_find_bssid_profile(params->start,
1058:							      params->len,
1059:							      elems, params->bss,
1060:							      elems_parse->scratch_pos);
1061:			sub.start = elems_parse->scratch_pos;
1062:			sub.mode = params->mode;
1063:			sub.len = nontx_len;
1064:			sub.type = params->type;
1065:			sub.link_id = params->link_id;
1066:	
1067:			/* consume the space used for non-transmitted profile */
1068:			elems_parse->scratch_pos += nontx_len;
1069:	
1070:			non_inherit = cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE,
1071:							     sub.start, nontx_len);
1072:		} else {
1073:			/* must always parse to get elems_parse->ml_basic_elem */
1074:			non_inherit = ieee80211_prep_mle_link_parse(elems_parse, params,
1075:								    &sub);
1076:			multi_link_inner = true;
1077:		}
1078:	
1079:		elems_parse->skip_vendor =
1080:			cfg80211_find_elem(WLAN_EID_VENDOR_SPECIFIC,
1081:					   sub.start, sub.len);
1082:		elems->crc = _ieee802_11_parse_elems_full(params, elems_parse,
1083:							  non_inherit);
1084:	
1085:		/* Override with nontransmitted/per-STA profile if found */
1086:		if (sub.len) {
1087:			elems_parse->multi_link_inner = multi_link_inner;
1088:			elems_parse->skip_vendor = false;
1089:			_ieee802_11_parse_elems_full(&sub, elems_parse, NULL);
1090:		}
1091:	
1092:		ieee80211_mle_defrag_reconf(elems_parse);
1093:	
1094:		ieee80211_mle_defrag_epcs(elems_parse);
1095:	
1096:		if (elems->tim && !elems->parse_error) {
1097:			const struct ieee80211_tim_ie *tim_ie = elems->tim;
1098:	
1099:			elems->dtim_period = tim_ie->dtim_period;
1100:			elems->dtim_count = tim_ie->dtim_count;
1101:		}
1102:	
1103:		/* Override DTIM period and count if needed */
1104:		if (elems->bssid_index &&
1105:		    elems->bssid_index_len >=
1106:		    offsetofend(struct ieee80211_bssid_index, dtim_period))
1107:			elems->dtim_period = elems->bssid_index->dtim_period;
1108:	
1109:		if (elems->bssid_index &&
1110:		    elems->bssid_index_len >=
1111:		    offsetofend(struct ieee80211_bssid_index, dtim_count))
1112:			elems->dtim_count = elems->bssid_index->dtim_count;
1113:	
1114:		return elems;
1115:	}
 SourceFile:net/mac80211/parse.c]

gemini-3-flash-preview

							input: 14045
							output: 52
							thoughts: 178
						

**Allocation and Return of Element Parsing Structure**

Okay, so I'm looking at this code and it's allocating a `struct ieee80211_elems_parse`. Specifically, it's using `kzalloc` to allocate a block of memory sized according to the `struct_size` of `elems_parse`, taking into account `scratch` and `scratch_len` fields. Then it looks like the function returns a pointer to the `elems` member of the allocated structure; specifically, `&elems_parse->elems`. That seems straightforward.

```c
1031:		elems_parse = kzalloc(struct_size(elems_parse, scratch, scratch_len),
1032:				      GFP_ATOMIC);
...
1039:		elems = &elems_parse->elems;
...
1114:		return elems;
```

I see that the memory allocated by the above snippet can be freed by `ieee80211_inform_bss` which is in `net/mac80211/scan.c` at line 164. I should check that code to see how the memory is freed.

map[ContextFile:net/mac80211/scan.c IncludeLines:true Name:ieee80211_inform_bss]

map[SourceCode:  63:	void ieee80211_inform_bss(struct wiphy *wiphy,
  64:				  struct cfg80211_bss *cbss,
  65:				  const struct cfg80211_bss_ies *ies,
  66:				  void *data)
  67:	{
  68:		struct ieee80211_local *local = wiphy_priv(wiphy);
  69:		struct inform_bss_update_data *update_data = data;
  70:		struct ieee80211_bss *bss = (void *)cbss->priv;
  71:		struct ieee80211_rx_status *rx_status;
  72:		struct ieee802_11_elems *elems;
  73:		int clen, srlen;
  74:	
  75:		/* This happens while joining an IBSS */
  76:		if (!update_data)
  77:			return;
  78:	
  79:		elems = ieee802_11_parse_elems(ies->data, ies->len,
  80:					       update_data->beacon ?
  81:						IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_BEACON :
  82:						IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_PROBE_RESP,
  83:					       NULL);
  84:		if (!elems)
  85:			return;
  86:	
  87:		rx_status = update_data->rx_status;
  88:	
  89:		if (update_data->beacon)
  90:			bss->device_ts_beacon = rx_status->device_timestamp;
  91:		else
  92:			bss->device_ts_presp = rx_status->device_timestamp;
  93:	
  94:		if (elems->parse_error) {
  95:			if (update_data->beacon)
  96:				bss->corrupt_data |= IEEE80211_BSS_CORRUPT_BEACON;
  97:			else
  98:				bss->corrupt_data |= IEEE80211_BSS_CORRUPT_PROBE_RESP;
  99:		} else {
 100:			if (update_data->beacon)
 101:				bss->corrupt_data &= ~IEEE80211_BSS_CORRUPT_BEACON;
 102:			else
 103:				bss->corrupt_data &= ~IEEE80211_BSS_CORRUPT_PROBE_RESP;
 104:		}
 105:	
 106:		/* save the ERP value so that it is available at association time */
 107:		if (elems->erp_info && (!elems->parse_error ||
 108:					!(bss->valid_data & IEEE80211_BSS_VALID_ERP))) {
 109:			bss->erp_value = elems->erp_info[0];
 110:			bss->has_erp_value = true;
 111:			if (!elems->parse_error)
 112:				bss->valid_data |= IEEE80211_BSS_VALID_ERP;
 113:		}
 114:	
 115:		/* replace old supported rates if we get new values */
 116:		if (!elems->parse_error ||
 117:		    !(bss->valid_data & IEEE80211_BSS_VALID_RATES)) {
 118:			srlen = 0;
 119:			if (elems->supp_rates) {
 120:				clen = IEEE80211_MAX_SUPP_RATES;
 121:				if (clen > elems->supp_rates_len)
 122:					clen = elems->supp_rates_len;
 123:				memcpy(bss->supp_rates, elems->supp_rates, clen);
 124:				srlen += clen;
 125:			}
 126:			if (elems->ext_supp_rates) {
 127:				clen = IEEE80211_MAX_SUPP_RATES - srlen;
 128:				if (clen > elems->ext_supp_rates_len)
 129:					clen = elems->ext_supp_rates_len;
 130:				memcpy(bss->supp_rates + srlen, elems->ext_supp_rates,
 131:				       clen);
 132:				srlen += clen;
 133:			}
 134:			if (srlen) {
 135:				bss->supp_rates_len = srlen;
 136:				if (!elems->parse_error)
 137:					bss->valid_data |= IEEE80211_BSS_VALID_RATES;
 138:			}
 139:		}
 140:	
 141:		if (!elems->parse_error ||
 142:		    !(bss->valid_data & IEEE80211_BSS_VALID_WMM)) {
 143:			bss->wmm_used = elems->wmm_param || elems->wmm_info;
 144:			bss->uapsd_supported = is_uapsd_supported(elems);
 145:			if (!elems->parse_error)
 146:				bss->valid_data |= IEEE80211_BSS_VALID_WMM;
 147:		}
 148:	
 149:		if (update_data->beacon) {
 150:			struct ieee80211_supported_band *sband =
 151:				local->hw.wiphy->bands[rx_status->band];
 152:			if (!(rx_status->encoding == RX_ENC_HT) &&
 153:			    !(rx_status->encoding == RX_ENC_VHT))
 154:				bss->beacon_rate =
 155:					&sband->bitrates[rx_status->rate_idx];
 156:		}
 157:	
 158:		if (elems->vht_cap_elem)
 159:			bss->vht_cap_info =
 160:				le32_to_cpu(elems->vht_cap_elem->vht_cap_info);
 161:		else
 162:			bss->vht_cap_info = 0;
 163:	
 164:		kfree(elems);
 165:	}
 SourceFile:net/mac80211/scan.c]

gemini-3-flash-preview

							input: 16316
							output: 52
							thoughts: 159
						

**Memory Management Mystery**

Okay, hold on a second. I'm looking at this code and something feels...off. Line 164: `kfree(elems)`. Right, that's freeing memory. But where did `elems` come from? Ah, yes, it was returned by `ieee802_11_parse_elems`, which, in turn, calls `ieee802_11_parse_elems_full`. And *that* function returns `&elems_parse->elems`.

Now, here's where my alarm bells start to ring. `elems_parse` was allocated using `kzalloc`. So, `elems_parse` is the start of the memory block, and `&elems_parse->elems` would be somewhere offset from the start of `elems_parse`. Now we are calling `kfree(elems)`. This means we're freeing the memory starting at the address `elems`. But wait a minute, isn't that *inside* the allocated block of `elems_parse`, and *not* at the beginning? We should be freeing the memory starting at `elems_parse`, not `elems`.

This could be a pretty nasty memory leak or even a double-free situation in the making. Let's dig deeper and inspect the `struct ieee80211_elems_parse` definition to understand its layout.

map[ContextFile:net/mac80211/parse.c IncludeLines:true Name:ieee80211_elems_parse]

map[SourceCode:  37:	struct ieee80211_elems_parse {
  38:		/* must be first for kfree to work */
  39:		struct ieee802_11_elems elems;
  40:	
  41:		/* The basic Multi-Link element in the original elements */
  42:		const struct element *ml_basic_elem;
  43:	
  44:		/* The reconfiguration Multi-Link element in the original elements */
  45:		const struct element *ml_reconf_elem;
  46:	
  47:		/* The EPCS Multi-Link element in the original elements */
  48:		const struct element *ml_epcs_elem;
  49:	
  50:		bool multi_link_inner;
  51:		bool skip_vendor;
  52:	
  53:		/*
  54:		 * scratch buffer that can be used for various element parsing related
  55:		 * tasks, e.g., element de-fragmentation etc.
  56:		 */
  57:		size_t scratch_len;
  58:		u8 *scratch_pos;
  59:		u8 scratch[] __counted_by(scratch_len);
  60:	};
 SourceFile:net/mac80211/parse.c]

gemini-3-flash-preview

							input: 17177
							output: 17
							thoughts: 650
						

**Analyzing a Kernel Memory Access Bug**

Okay, so I'm looking at this crash report, and it's pointing to a memory access violation within the kernel. The error involves `input_devices_seq_show`, which is reading from an address (`ffff888059a15a20`) that appears to be problematic. The object at `ffff888059a15800` is being accessed at an offset of 544 bytes.

The immediate thought is about the layout. I see a `struct ieee802_11_elems elems` declared. Since it is first it should be at offset 0. And if it's the target, `kfree(elems)` should be fine. However, it's immediately jumping out that `input_devices_seq_show` is accessing this region via the `dev->phys` pointer of a `struct input_dev`. That's the first red flag.

The report also mentions that `dev->phys` *seems* to be pointing inside an `ieee80211_elems_parse` object. And that is interesting. That structure has a `scratch` buffer at the end of the struct. The length of this buffer, `scratch_len`, is calculated as `3 * params->len`. This means the size is variable. Looking back at how `ieee802_11_parse_elems_full` allocates this `elems_parse` object, it uses `kzalloc` with `struct_size` to handle the variable-length `scratch` buffer. This is good to check.

The crucial question is how did `dev->phys` get set to point within this temporary object? Usually, `dev->phys` holds a string. So how did a pointer to this parsing buffer end up there?

The report specifies the memory was allocated by task 7472 and freed by the same task, both within `ieee80211_inform_bss`. The access (the read causing the crash) happens in `input_devices_seq_show` from task 7511. So, it looks like a classic use-after-free scenario. This `ieee80211_elems_parse` object is temporary, allocated within `ieee80211_inform_bss` and freed at the end. That structure is used during the parsing of information. Somehow, a pointer to a field inside it has been assigned to `dev->phys` and that means the object has a lifetime that is longer than the parsing process.

So, the next step is to find out where `input_dev->phys` is being set. I'll need to grep the kernel source for `phys =` to trace the assignment and identify where this dangling pointer could have been introduced.

map[Expression:\.phys =]

map[Output:
Full output is too long, showing 500 out of 868 lines.
Use more precise expression if possible.

[arch/mips/cavium-octeon/flash_setup.c=71=static int octeon_flash_probe(struct platform_device *pdev)
 --
 arch/mips/cavium-octeon/flash_setup.c-97-		flash_map.name = "phys_mapped_flash";
 arch/mips/cavium-octeon/flash_setup.c:98:		flash_map.phys = region_cfg.s.base << 16;
 arch/mips/cavium-octeon/flash_setup.c-99-		flash_map.size = 0x1fc00000 - flash_map.phys;
 --
 arch/powerpc/mm/book3s32/mmu.c=260=void __init setbat(int index, unsigned long virt, phys_addr_t phys,
 --
 arch/powerpc/mm/book3s32/mmu.c-296-	bat_addrs[index].limit = virt + ((bl + 1) << 17) - 1;
 arch/powerpc/mm/book3s32/mmu.c:297:	bat_addrs[index].phys = phys;
 arch/powerpc/mm/book3s32/mmu.c-298-}
 --
 arch/powerpc/mm/nohash/e500.c=97=static void settlbcam(int index, unsigned long virt, phys_addr_t phys,
 --
 arch/powerpc/mm/nohash/e500.c-134-	tlbcam_addrs[index].limit = virt + size - 1;
 arch/powerpc/mm/nohash/e500.c:135:	tlbcam_addrs[index].phys = phys;
 arch/powerpc/mm/nohash/e500.c-136-}
 --
 arch/x86/mm/mmio-mod.c=219=static void ioremap_trace_core(resource_size_t offset, unsigned long size,
 --
 arch/x86/mm/mmio-mod.c-225-	struct mmiotrace_map map = {
 arch/x86/mm/mmio-mod.c:226:		.phys = offset,
 arch/x86/mm/mmio-mod.c-227-		.virt = (unsigned long)addr,
 --
 arch/x86/mm/mmio-mod.c-244-		},
 arch/x86/mm/mmio-mod.c:245:		.phys = offset,
 arch/x86/mm/mmio-mod.c-246-		.id = atomic_inc_return(&next_id)
 --
 arch/x86/mm/mmio-mod.c=278=static void iounmap_trace_core(volatile void __iomem *addr)
 --
 arch/x86/mm/mmio-mod.c-280-	struct mmiotrace_map map = {
 arch/x86/mm/mmio-mod.c:281:		.phys = 0,
 arch/x86/mm/mmio-mod.c-282-		.virt = (unsigned long)addr,
 --
 drivers/atm/he.c=770=static int he_init_group(struct he_dev *he_dev, int group)
 --
 drivers/atm/he.c-827-		he_dev->rbpl_base[i].idx =  i << RBP_IDX_OFFSET;
 drivers/atm/he.c:828:		he_dev->rbpl_base[i].phys = mapping + offsetof(struct he_buff, data);
 drivers/atm/he.c-829-	}
 --
 drivers/bus/arm-cci.c=438=static int cci_probe_ports(struct device_node *np)
 --
 drivers/bus/arm-cci.c-482-			ports[i].base = ioremap(res.start, resource_size(&res));
 drivers/bus/arm-cci.c:483:			ports[i].phys = res.start;
 drivers/bus/arm-cci.c-484-		}
 --
 drivers/dma/at_xdmac.c=564=static struct at_xdmac_desc *at_xdmac_alloc_desc(struct dma_chan *chan,
 --
 drivers/dma/at_xdmac.c-575-		desc->tx_dma_desc.tx_submit = at_xdmac_tx_submit;
 drivers/dma/at_xdmac.c:576:		desc->tx_dma_desc.phys = phys;
 drivers/dma/at_xdmac.c-577-	}
 --
 drivers/dma/bcm-sba-raid.c=1463=static int sba_prealloc_channel_resources(struct sba_device *sba)
 --
 drivers/dma/bcm-sba-raid.c-1514-		req->tx.tx_submit = sba_tx_submit;
 drivers/dma/bcm-sba-raid.c:1515:		req->tx.phys = sba->resp_dma_base + i * sba->hw_resp_size;
 drivers/dma/bcm-sba-raid.c-1516-		list_add_tail(&req->node, &sba->reqs_free_list);
 --
 drivers/dma/dw/core.c=78=static struct dw_desc *dwc_desc_get(struct dw_dma_chan *dwc)
 --
 drivers/dma/dw/core.c-92-	desc->txd.flags = DMA_CTRL_ACK;
 drivers/dma/dw/core.c:93:	desc->txd.phys = phys;
 drivers/dma/dw/core.c-94-	return desc;
 --
 drivers/dma/dw/core.c=298=static void dwc_scan_descriptors(struct dw_dma *dw, struct dw_dma_chan *dwc)
 --
 drivers/dma/dw/core.c-367-		/* Check first descriptors addr */
 drivers/dma/dw/core.c:368:		if (desc->txd.phys == DWC_LLP_LOC(llp)) {
 drivers/dma/dw/core.c-369-			spin_unlock_irqrestore(&dwc->lock, flags);
 --
 drivers/dma/fsldma.c=459=static struct fsl_desc_sw *fsl_dma_alloc_descriptor(struct fsldma_chan *chan)
 --
 drivers/dma/fsldma.c-472-	desc->async_tx.tx_submit = fsl_dma_tx_submit;
 drivers/dma/fsldma.c:473:	desc->async_tx.phys = pdesc;
 drivers/dma/fsldma.c-474-
 --
 drivers/dma/fsldma.c=636=static void fsldma_cleanup_descriptors(struct fsldma_chan *chan)
 --
 drivers/dma/fsldma.c-658-		 */
 drivers/dma/fsldma.c:659:		if (desc->async_tx.phys == curr_phys) {
 drivers/dma/fsldma.c-660-			seen_current = 1;
 --
 drivers/dma/ioat/dma.c=337=ioat_alloc_ring_ent(struct dma_chan *chan, int idx, gfp_t flags)
 --
 drivers/dma/ioat/dma.c-361-	desc->hw = hw;
 drivers/dma/ioat/dma.c:362:	desc->txd.phys = phys;
 drivers/dma/ioat/dma.c-363-	return desc;
 --
 drivers/dma/mmp_pdma.c=521=mmp_pdma_alloc_descriptor(struct mmp_pdma_chan *chan)
 --
 drivers/dma/mmp_pdma.c-535-	desc->async_tx.tx_submit = mmp_pdma_tx_submit;
 drivers/dma/mmp_pdma.c:536:	desc->async_tx.phys = pdesc;
 drivers/dma/mmp_pdma.c-537-
 --
 drivers/dma/mv_xor.c=263=static void mv_chan_slot_cleanup(struct mv_xor_chan *mv_chan)
 --
 drivers/dma/mv_xor.c-292-			/* break if we did cleaned the current */
 drivers/dma/mv_xor.c:293:			if (iter->async_tx.phys == current_desc) {
 drivers/dma/mv_xor.c-294-				current_cleaned = 1;
 --
 drivers/dma/mv_xor.c-297-		} else {
 drivers/dma/mv_xor.c:298:			if (iter->async_tx.phys == current_desc) {
 drivers/dma/mv_xor.c-299-				current_cleaned = 0;
 --
 drivers/dma/mv_xor.c=434=static int mv_xor_alloc_chan_resources(struct dma_chan *chan)
 --
 drivers/dma/mv_xor.c-460-		dma_desc = mv_chan->dma_desc_pool;
 drivers/dma/mv_xor.c:461:		slot->async_tx.phys = dma_desc + idx * MV_XOR_SLOT_SIZE;
 drivers/dma/mv_xor.c-462-		slot->idx = idx++;
 --
 drivers/dma/pch_dma.c=421=static struct pch_dma_desc *pdc_alloc_desc(struct dma_chan *chan, gfp_t flags)
 --
 drivers/dma/pch_dma.c-432-		desc->txd.flags = DMA_CTRL_ACK;
 drivers/dma/pch_dma.c:433:		desc->txd.phys = addr;
 drivers/dma/pch_dma.c-434-	}
 --
 drivers/dma/timb_dma.c=322=static struct timb_dma_desc *td_alloc_init_desc(struct timb_dma_chan *td_chan)
 --
 drivers/dma/timb_dma.c-341-
 drivers/dma/timb_dma.c:342:	td_desc->txd.phys = dma_map_single(chan2dmadev(chan),
 drivers/dma/timb_dma.c-343-		td_desc->desc_list, td_desc->desc_list_len, DMA_TO_DEVICE);
 --
 drivers/dma/txx9dmac.c=189=static struct txx9dmac_desc *txx9dmac_desc_alloc(struct txx9dmac_chan *dc,
 --
 drivers/dma/txx9dmac.c-202-	desc->txd.flags = DMA_CTRL_ACK;
 drivers/dma/txx9dmac.c:203:	desc->txd.phys = dma_map_single(chan2parent(&dc->chan), &desc->hwdesc,
 drivers/dma/txx9dmac.c-204-					ddev->descsize, DMA_TO_DEVICE);
 --
 drivers/dma/xgene-dma.c=489=static struct xgene_dma_desc_sw *xgene_dma_alloc_descriptor(
 --
 drivers/dma/xgene-dma.c-501-	INIT_LIST_HEAD(&desc->tx_list);
 drivers/dma/xgene-dma.c:502:	desc->tx.phys = phys;
 drivers/dma/xgene-dma.c-503-	desc->tx.tx_submit = xgene_dma_tx_submit;
 --
 drivers/dma/xilinx/xilinx_dma.c=1114=static int xilinx_dma_alloc_chan_resources(struct dma_chan *dchan)
 --
 drivers/dma/xilinx/xilinx_dma.c-1164-				((i + 1) % XILINX_DMA_NUM_DESCS));
 drivers/dma/xilinx/xilinx_dma.c:1165:			chan->seg_v[i].phys = chan->seg_p +
 drivers/dma/xilinx/xilinx_dma.c-1166-				sizeof(*chan->seg_v) * i;
 --
 drivers/dma/xilinx/xilinx_dma.c-1188-				((i + 1) % XILINX_DMA_NUM_DESCS));
 drivers/dma/xilinx/xilinx_dma.c:1189:			chan->seg_mv[i].phys = chan->seg_p +
 drivers/dma/xilinx/xilinx_dma.c-1190-				sizeof(*chan->seg_mv) * i;
 --
 drivers/dma/xilinx/xilinx_dma.c=2043=xilinx_vdma_dma_prep_interleaved(struct dma_chan *dchan,
 --
 drivers/dma/xilinx/xilinx_dma.c-2109-				   struct xilinx_vdma_tx_segment, node);
 drivers/dma/xilinx/xilinx_dma.c:2110:	desc->async_tx.phys = segment->phys;
 drivers/dma/xilinx/xilinx_dma.c-2111-
 --
 drivers/dma/xilinx/xilinx_dma.c=2130=xilinx_cdma_prep_memcpy(struct dma_chan *dchan, dma_addr_t dma_dst,
 --
 drivers/dma/xilinx/xilinx_dma.c-2164-
 drivers/dma/xilinx/xilinx_dma.c:2165:	desc->async_tx.phys = segment->phys;
 drivers/dma/xilinx/xilinx_dma.c-2166-	hw->next_desc = segment->phys;
 --
 drivers/dma/xilinx/xilinx_dma.c=2186=static struct dma_async_tx_descriptor *xilinx_dma_prep_peripheral_dma_vec(
 --
 drivers/dma/xilinx/xilinx_dma.c-2246-	head = list_first_entry(&desc->segments, struct xilinx_axidma_tx_segment, node);
 drivers/dma/xilinx/xilinx_dma.c:2247:	desc->async_tx.phys = head->phys;
 drivers/dma/xilinx/xilinx_dma.c-2248-
 --
 drivers/dma/xilinx/xilinx_dma.c=2279=static struct dma_async_tx_descriptor *xilinx_dma_prep_slave_sg(
 --
 drivers/dma/xilinx/xilinx_dma.c-2348-				   struct xilinx_axidma_tx_segment, node);
 drivers/dma/xilinx/xilinx_dma.c:2349:	desc->async_tx.phys = segment->phys;
 drivers/dma/xilinx/xilinx_dma.c-2350-
 --
 drivers/dma/xilinx/xilinx_dma.c=2381=static struct dma_async_tx_descriptor *xilinx_dma_prep_dma_cyclic(
 --
 drivers/dma/xilinx/xilinx_dma.c-2451-				   struct xilinx_axidma_tx_segment, node);
 drivers/dma/xilinx/xilinx_dma.c:2452:	desc->async_tx.phys = head_segment->phys;
 drivers/dma/xilinx/xilinx_dma.c-2453-
 --
 drivers/dma/xilinx/xilinx_dma.c=2489=xilinx_mcdma_prep_slave_sg(struct dma_chan *dchan, struct scatterlist *sgl,
 --
 drivers/dma/xilinx/xilinx_dma.c-2555-				   struct xilinx_aximcdma_tx_segment, node);
 drivers/dma/xilinx/xilinx_dma.c:2556:	desc->async_tx.phys = segment->phys;
 drivers/dma/xilinx/xilinx_dma.c-2557-
 --
 drivers/firmware/google/memconsole-coreboot.c=40=static ssize_t memconsole_coreboot_read(char *buf, loff_t pos, size_t count)
 --
 drivers/firmware/google/memconsole-coreboot.c-54-			cursor = 0;
 drivers/firmware/google/memconsole-coreboot.c:55:		seg[0] = (struct seg){.phys = cursor, .len = size - cursor};
 drivers/firmware/google/memconsole-coreboot.c:56:		seg[1] = (struct seg){.phys = 0, .len = cursor};
 drivers/firmware/google/memconsole-coreboot.c-57-	} else {
 drivers/firmware/google/memconsole-coreboot.c:58:		seg[0] = (struct seg){.phys = 0, .len = min(cursor, size)};
 drivers/firmware/google/memconsole-coreboot.c-59-	}
 --
 drivers/firmware/tegra/bpmp-tegra186.c=192=static int tegra186_bpmp_dram_init(struct tegra_bpmp *bpmp)
 --
 drivers/firmware/tegra/bpmp-tegra186.c-214-
 drivers/firmware/tegra/bpmp-tegra186.c:215:	priv->tx.phys = res.start;
 drivers/firmware/tegra/bpmp-tegra186.c:216:	priv->rx.phys = res.start + SZ_4K;
 drivers/firmware/tegra/bpmp-tegra186.c-217-
 --
 drivers/firmware/tegra/ivc.c=646=int tegra_ivc_init(struct tegra_ivc *ivc, struct device *peer, const struct iosys_map *rx,
 --
 drivers/firmware/tegra/ivc.c-672-	if (peer) {
 drivers/firmware/tegra/ivc.c:673:		ivc->rx.phys = dma_map_single(peer, iosys_map_get_vaddr(rx), queue_size,
 drivers/firmware/tegra/ivc.c-674-					      DMA_BIDIRECTIONAL);
 --
 drivers/firmware/tegra/ivc.c-677-
 drivers/firmware/tegra/ivc.c:678:		ivc->tx.phys = dma_map_single(peer, iosys_map_get_vaddr(tx), queue_size,
 drivers/firmware/tegra/ivc.c-679-					      DMA_BIDIRECTIONAL);
 --
 drivers/firmware/tegra/ivc.c-685-	} else {
 drivers/firmware/tegra/ivc.c:686:		ivc->rx.phys = rx_phys;
 drivers/firmware/tegra/ivc.c:687:		ivc->tx.phys = tx_phys;
 drivers/firmware/tegra/ivc.c-688-	}
 --
 drivers/gpu/drm/bridge/synopsys/dw-hdmi.c=3335=struct dw_hdmi *dw_hdmi_probe(struct platform_device *pdev,
 --
 drivers/gpu/drm/bridge/synopsys/dw-hdmi.c-3535-
 drivers/gpu/drm/bridge/synopsys/dw-hdmi.c:3536:		audio.phys = iores->start;
 drivers/gpu/drm/bridge/synopsys/dw-hdmi.c-3537-		audio.base = hdmi->regs;
 --
 drivers/gpu/drm/bridge/synopsys/dw-hdmi.c-3566-
 drivers/gpu/drm/bridge/synopsys/dw-hdmi.c:3567:		audio.phys = iores->start;
 drivers/gpu/drm/bridge/synopsys/dw-hdmi.c-3568-		audio.base = hdmi->regs;
 --
 drivers/gpu/drm/i915/gem/i915_gem_pages.c=23=void __i915_gem_object_set_pages(struct drm_i915_gem_object *obj,
 --
 drivers/gpu/drm/i915/gem/i915_gem_pages.c-51-
 drivers/gpu/drm/i915/gem/i915_gem_pages.c:52:	obj->mm.page_sizes.phys = i915_sg_dma_sizes(pages->sgl);
 drivers/gpu/drm/i915/gem/i915_gem_pages.c-53-	GEM_BUG_ON(!obj->mm.page_sizes.phys);
 --
 drivers/gpu/drm/i915/gem/i915_gem_pages.c=214=__i915_gem_object_unset_pages(struct drm_i915_gem_object *obj)
 --
 drivers/gpu/drm/i915/gem/i915_gem_pages.c-235-	__i915_gem_object_reset_page_iter(obj);
 drivers/gpu/drm/i915/gem/i915_gem_pages.c:236:	obj->mm.page_sizes.phys = obj->mm.page_sizes.sg = 0;
 drivers/gpu/drm/i915/gem/i915_gem_pages.c-237-
 --
 drivers/gpu/drm/tegra/nvdec.c=244=static int nvdec_load_falcon_firmware(struct nvdec *nvdec)
 --
 drivers/gpu/drm/tegra/nvdec.c-292-
 drivers/gpu/drm/tegra/nvdec.c:293:		nvdec->falcon.firmware.phys = phys;
 drivers/gpu/drm/tegra/nvdec.c-294-	}
 --
 drivers/gpu/drm/tegra/nvjpg.c=110=static int nvjpg_load_falcon_firmware(struct nvjpg *nvjpg)
 --
 drivers/gpu/drm/tegra/nvjpg.c-158-
 drivers/gpu/drm/tegra/nvjpg.c:159:		nvjpg->falcon.firmware.phys = phys;
 drivers/gpu/drm/tegra/nvjpg.c-160-	}
 --
 drivers/gpu/drm/tegra/vic.c=210=static int vic_load_firmware(struct vic *vic)
 --
 drivers/gpu/drm/tegra/vic.c-268-
 drivers/gpu/drm/tegra/vic.c:269:		vic->falcon.firmware.phys = phys;
 drivers/gpu/drm/tegra/vic.c-270-	}
 --
 drivers/hwtracing/coresight/coresight-stm.c=828=static int __stm_probe(struct device *dev, struct resource *res)
 --
 drivers/hwtracing/coresight/coresight-stm.c-859-		return ret;
 drivers/hwtracing/coresight/coresight-stm.c:860:	drvdata->chs.phys = ch_res.start;
 drivers/hwtracing/coresight/coresight-stm.c-861-
 --
 drivers/input/misc/pm8941-pwrkey.c=423=static const struct pm8941_data pwrkey_data = {
 --
 drivers/input/misc/pm8941-pwrkey.c-426-	.name = "pm8941_pwrkey",
 drivers/input/misc/pm8941-pwrkey.c:427:	.phys = "pm8941_pwrkey/input0",
 drivers/input/misc/pm8941-pwrkey.c-428-	.supports_ps_hold_poff_config = true,
 --
 drivers/input/misc/pm8941-pwrkey.c=434=static const struct pm8941_data resin_data = {
 --
 drivers/input/misc/pm8941-pwrkey.c-437-	.name = "pm8941_resin",
 drivers/input/misc/pm8941-pwrkey.c:438:	.phys = "pm8941_resin/input0",
 drivers/input/misc/pm8941-pwrkey.c-439-	.supports_ps_hold_poff_config = true,
 --
 drivers/input/misc/pm8941-pwrkey.c=445=static const struct pm8941_data pon_gen3_pwrkey_data = {
 --
 drivers/input/misc/pm8941-pwrkey.c-447-	.name = "pmic_pwrkey",
 drivers/input/misc/pm8941-pwrkey.c:448:	.phys = "pmic_pwrkey/input0",
 drivers/input/misc/pm8941-pwrkey.c-449-	.supports_ps_hold_poff_config = false,
 --
 drivers/input/misc/pm8941-pwrkey.c=455=static const struct pm8941_data pon_gen3_resin_data = {
 --
 drivers/input/misc/pm8941-pwrkey.c-457-	.name = "pmic_resin",
 drivers/input/misc/pm8941-pwrkey.c:458:	.phys = "pmic_resin/input0",
 drivers/input/misc/pm8941-pwrkey.c-459-	.supports_ps_hold_poff_config = false,
 --
 drivers/media/pci/cobalt/cobalt-flash.c=18=static struct map_info cobalt_flash_map = {
 --
 drivers/media/pci/cobalt/cobalt-flash.c-21-	.size =		0x4000000, /* 64MB */
 drivers/media/pci/cobalt/cobalt-flash.c:22:	.phys =		0,         /* offset  */
 drivers/media/pci/cobalt/cobalt-flash.c-23-};
 --
 drivers/media/pci/tw686x/tw686x-video.c=184=static int tw686x_sg_desc_fill(struct tw686x_sg_desc *descs,
 --
 drivers/media/pci/tw686x/tw686x-video.c-208-			entry_len = min_t(unsigned int, entry_len, buf_len);
 drivers/media/pci/tw686x/tw686x-video.c:209:			descs[count].phys = cpu_to_le32(phys);
 drivers/media/pci/tw686x/tw686x-video.c-210-			descs[count++].flags_length =
 --
 drivers/media/platform/amphion/venc.c=1004=static void venc_request_mem_resource(struct vpu_inst *inst,
 --
 drivers/media/platform/amphion/venc.c-1050-	venc->act[0].length = act_frame_size;
 drivers/media/platform/amphion/venc.c:1051:	venc->act[0].phys = inst->act.phys;
 drivers/media/platform/amphion/venc.c-1052-	venc->act[0].virt = inst->act.virt;
 --
 drivers/media/platform/amphion/vpu_core.c=413=int vpu_inst_register(struct vpu_inst *inst)
 --
 drivers/media/platform/amphion/vpu_core.c-450-	if (core->res->act_size) {
 drivers/media/platform/amphion/vpu_core.c:451:		inst->act.phys = core->act.phys + core->res->act_size * inst->id;
 drivers/media/platform/amphion/vpu_core.c-452-		inst->act.virt = core->act.virt + core->res->act_size * inst->id;
 --
 drivers/media/platform/amphion/vpu_core.c=543=static int vpu_core_parse_dt(struct vpu_core *core, struct device_node *np)
 --
 drivers/media/platform/amphion/vpu_core.c-553-
 drivers/media/platform/amphion/vpu_core.c:554:	core->fw.phys = res.start;
 drivers/media/platform/amphion/vpu_core.c-555-	core->fw.length = resource_size(&res);
 --
 drivers/media/platform/amphion/vpu_core.c-562-
 drivers/media/platform/amphion/vpu_core.c:563:	core->rpc.phys = res.start;
 drivers/media/platform/amphion/vpu_core.c-564-	core->rpc.length = resource_size(&res);
 --
 drivers/media/platform/amphion/vpu_core.c-582-
 drivers/media/platform/amphion/vpu_core.c:583:	core->log.phys = core->rpc.phys + core->res->rpc_size;
 drivers/media/platform/amphion/vpu_core.c-584-	core->log.virt = core->rpc.virt + core->res->rpc_size;
 drivers/media/platform/amphion/vpu_core.c-585-	core->log.length = core->res->fwlog_size;
 drivers/media/platform/amphion/vpu_core.c:586:	core->act.phys = core->log.phys + core->log.length;
 drivers/media/platform/amphion/vpu_core.c-587-	core->act.virt = core->log.virt + core->log.length;
 --
 drivers/media/platform/renesas/rcar-vin/rcar-dma.c=963=static void rvin_fill_hw_slot(struct rvin_dev *vin, int slot)
 --
 drivers/media/platform/renesas/rcar-vin/rcar-dma.c-989-
 drivers/media/platform/renesas/rcar-vin/rcar-dma.c:990:	vin->buf_hw[slot].phys = phys_addr;
 drivers/media/platform/renesas/rcar-vin/rcar-dma.c-991-	rvin_set_slot_addr(vin, slot, phys_addr);
 --
 drivers/mtd/maps/amd76xrom.c=104=static int amd76xrom_init_one(struct pci_dev *pdev,
 --
 drivers/mtd/maps/amd76xrom.c-197-		map->map.name = map->map_name;
 drivers/mtd/maps/amd76xrom.c:198:		map->map.phys = map_top;
 drivers/mtd/maps/amd76xrom.c-199-		offset = map_top - window->phys;
 --
 drivers/mtd/maps/amd76xrom.c-255-		map->map.virt = window->virt;
 drivers/mtd/maps/amd76xrom.c:256:		map->map.phys = window->phys;
 drivers/mtd/maps/amd76xrom.c-257-		cfi = map->map.fldrv_priv;
 --
 drivers/mtd/maps/cfi_flagadm.c=91=static int __init init_flagadm(void)
 --
 drivers/mtd/maps/cfi_flagadm.c-95-
 drivers/mtd/maps/cfi_flagadm.c:96:	flagadm_map.phys = FLASH_PHYS_ADDR;
 drivers/mtd/maps/cfi_flagadm.c-97-	flagadm_map.virt = ioremap(FLASH_PHYS_ADDR,
 --
 drivers/mtd/maps/ck804xrom.c=116=static int __init ck804xrom_init_one(struct pci_dev *pdev,
 --
 drivers/mtd/maps/ck804xrom.c-227-		map->map.name = map->map_name;
 drivers/mtd/maps/ck804xrom.c:228:		map->map.phys = map_top;
 drivers/mtd/maps/ck804xrom.c-229-		offset = map_top - window->phys;
 --
 drivers/mtd/maps/ck804xrom.c-285-		map->map.virt = window->virt;
 drivers/mtd/maps/ck804xrom.c:286:		map->map.phys = window->phys;
 drivers/mtd/maps/ck804xrom.c-287-		cfi = map->map.fldrv_priv;
 --
 drivers/mtd/maps/dc21285.c=139=static struct map_info dc21285_map = {
 drivers/mtd/maps/dc21285.c-140-	.name = "DC21285 flash",
 drivers/mtd/maps/dc21285.c:141:	.phys = NO_XIP,
 drivers/mtd/maps/dc21285.c-142-	.size = 16*1024*1024,
 --
 drivers/mtd/maps/esb2rom.c=148=static int __init esb2rom_init_one(struct pci_dev *pdev,
 --
 drivers/mtd/maps/esb2rom.c-287-		map->map.name = map->map_name;
 drivers/mtd/maps/esb2rom.c:288:		map->map.phys = map_top;
 drivers/mtd/maps/esb2rom.c-289-		offset = map_top - window->phys;
 --
 drivers/mtd/maps/esb2rom.c-347-		map->map.virt = window->virt;
 drivers/mtd/maps/esb2rom.c:348:		map->map.phys = window->phys;
 drivers/mtd/maps/esb2rom.c-349-		cfi = map->map.fldrv_priv;
 --
 drivers/mtd/maps/ichxrom.c=90=static int __init ichxrom_init_one(struct pci_dev *pdev,
 --
 drivers/mtd/maps/ichxrom.c-221-		map->map.name = map->map_name;
 drivers/mtd/maps/ichxrom.c:222:		map->map.phys = map_top;
 drivers/mtd/maps/ichxrom.c-223-		offset = map_top - window->phys;
 --
 drivers/mtd/maps/ichxrom.c-282-		map->map.virt = window->virt;
 drivers/mtd/maps/ichxrom.c:283:		map->map.phys = window->phys;
 drivers/mtd/maps/ichxrom.c-284-		cfi = map->map.fldrv_priv;
 --
 drivers/mtd/maps/impa7.c=56=static int __init init_impa7(void)
 --
 drivers/mtd/maps/impa7.c-70-
 drivers/mtd/maps/impa7.c:71:		impa7_map[i].phys = pt[i].addr;
 drivers/mtd/maps/impa7.c-72-		impa7_map[i].virt = ioremap(pt[i].addr, pt[i].size);
 --
 drivers/mtd/maps/l440gx.c=48=static struct map_info l440gx_map = {
 --
 drivers/mtd/maps/l440gx.c-51-	.bankwidth = BUSWIDTH,
 drivers/mtd/maps/l440gx.c:52:	.phys = WINDOW_ADDR,
 drivers/mtd/maps/l440gx.c-53-#if 0
 --
 drivers/mtd/maps/netsc520.c=69=static struct map_info netsc520_map = {
 --
 drivers/mtd/maps/netsc520.c-72-	.bankwidth = 4,
 drivers/mtd/maps/netsc520.c:73:	.phys = WINDOW_ADDR,
 drivers/mtd/maps/netsc520.c-74-};
 --
 drivers/mtd/maps/nettel.c=164=static int __init nettel_init(void)
 --
 drivers/mtd/maps/nettel.c-218-
 drivers/mtd/maps/nettel.c:219:	nettel_amd_map.phys = amdaddr;
 drivers/mtd/maps/nettel.c-220-	nettel_amd_map.virt = ioremap(amdaddr, maxsize);
 --
 drivers/mtd/maps/nettel.c-304-	nettel_intel_map.size = maxsize;
 drivers/mtd/maps/nettel.c:305:	nettel_intel_map.phys = intel0addr;
 drivers/mtd/maps/nettel.c-306-	nettel_intel_map.virt = ioremap(intel0addr, maxsize);
 --
 drivers/mtd/maps/pci.c=77=static const struct map_info mtd_pci_map = {
 drivers/mtd/maps/pci.c:78:	.phys =		NO_XIP,
 drivers/mtd/maps/pci.c-79-	.copy_from =	mtd_pci_copyfrom,
 --
 drivers/mtd/maps/pcmciamtd.c=462=static int pcmciamtd_config(struct pcmcia_device *link)
 --
 drivers/mtd/maps/pcmciamtd.c-474-
 drivers/mtd/maps/pcmciamtd.c:475:	dev->pcmcia_map.phys = NO_XIP;
 drivers/mtd/maps/pcmciamtd.c-476-	dev->pcmcia_map.copy_from = pcmcia_copy_from_remap;
 --
 drivers/mtd/maps/physmap-core.c=328=static int physmap_flash_of_init(struct platform_device *dev)
 --
 drivers/mtd/maps/physmap-core.c-392-		if (map_indirect)
 drivers/mtd/maps/physmap-core.c:393:			info->maps[i].phys = NO_XIP;
 drivers/mtd/maps/physmap-core.c-394-	}
 --
 drivers/mtd/maps/physmap-core.c=446=static int physmap_flash_probe(struct platform_device *dev)
 --
 drivers/mtd/maps/physmap-core.c-518-		if (!info->maps[i].phys)
 drivers/mtd/maps/physmap-core.c:519:			info->maps[i].phys = res->start;
 drivers/mtd/maps/physmap-core.c-520-
 --
 drivers/mtd/maps/plat-ram.c=95=static int platram_probe(struct platform_device *pdev)
 --
 drivers/mtd/maps/plat-ram.c-134-
 drivers/mtd/maps/plat-ram.c:135:	info->map.phys = res->start;
 drivers/mtd/maps/plat-ram.c-136-	info->map.size = resource_size(res);
 --
 drivers/mtd/maps/pxa2xx-flash.c=44=static int pxa2xx_flash_probe(struct platform_device *pdev)
 --
 drivers/mtd/maps/pxa2xx-flash.c-59-	info->map.bankwidth = flash->width;
 drivers/mtd/maps/pxa2xx-flash.c:60:	info->map.phys = res->start;
 drivers/mtd/maps/pxa2xx-flash.c-61-	info->map.size = resource_size(res);
 --
 drivers/mtd/maps/sa1100-flash.c=67=static int sa1100_probe_subdev(struct sa_subdev_info *subdev, struct resource *res)
 --
 drivers/mtd/maps/sa1100-flash.c-101-
 drivers/mtd/maps/sa1100-flash.c:102:	subdev->map.phys = phys;
 drivers/mtd/maps/sa1100-flash.c-103-	subdev->map.size = size;
 --
 drivers/mtd/maps/sbc_gxx.c=154=static struct map_info sbc_gxx_map = {
 drivers/mtd/maps/sbc_gxx.c-155-	.name = "SBC-GXx flash",
 drivers/mtd/maps/sbc_gxx.c:156:	.phys = NO_XIP,
 drivers/mtd/maps/sbc_gxx.c-157-	.size = MAX_SIZE_KiB*1024, /* this must be set to a maximum possible amount
 --
 drivers/mtd/maps/sc520cdp.c=72=static struct map_info sc520cdp_map[] = {
 --
 drivers/mtd/maps/sc520cdp.c-76-		.bankwidth = 4,
 drivers/mtd/maps/sc520cdp.c:77:		.phys = WINDOW_ADDR_0
 drivers/mtd/maps/sc520cdp.c-78-	},
 --
 drivers/mtd/maps/sc520cdp.c-82-		.bankwidth = 4,
 drivers/mtd/maps/sc520cdp.c:83:		.phys = WINDOW_ADDR_1
 drivers/mtd/maps/sc520cdp.c-84-	},
 --
 drivers/mtd/maps/sc520cdp.c-88-		.bankwidth = 1,
 drivers/mtd/maps/sc520cdp.c:89:		.phys = WINDOW_ADDR_2
 drivers/mtd/maps/sc520cdp.c-90-	},
 --
 drivers/mtd/maps/sc520cdp.c=170=static void sc520cdp_setup_par(void)
 --
 drivers/mtd/maps/sc520cdp.c-180-		for(i = 0; i < NUM_FLASH_BANKS; i++)
 drivers/mtd/maps/sc520cdp.c:181:			sc520cdp_map[i].phys = par_table[i].default_address;
 drivers/mtd/maps/sc520cdp.c-182-		return;
 --
 drivers/mtd/maps/sc520cdp.c-205-				par_table[i].default_address);
 drivers/mtd/maps/sc520cdp.c:206:			sc520cdp_map[i].phys = par_table[i].default_address;
 drivers/mtd/maps/sc520cdp.c-207-		}
 --
 drivers/mtd/maps/scb2_flash.c=135=static int scb2_flash_probe(struct pci_dev *dev,
 --
 drivers/mtd/maps/scb2_flash.c-162-
 drivers/mtd/maps/scb2_flash.c:163:	scb2_map.phys = SCB2_ADDR;
 drivers/mtd/maps/scb2_flash.c-164-	scb2_map.virt = scb2_ioaddr;
 --
 drivers/mtd/maps/scx200_docflash.c=76=static int __init init_scx200_docflash(void)
 --
 drivers/mtd/maps/scx200_docflash.c-177-
 drivers/mtd/maps/scx200_docflash.c:178:	scx200_docflash_map.phys = docmem.start;
 drivers/mtd/maps/scx200_docflash.c-179-	scx200_docflash_map.virt = ioremap(docmem.start, scx200_docflash_map.size);
 --
 drivers/mtd/maps/solutionengine.c=36=static int __init init_soleng_maps(void)
 --
 drivers/mtd/maps/solutionengine.c-38-	/* First probe at offset 0 */
 drivers/mtd/maps/solutionengine.c:39:	soleng_flash_map.phys = 0;
 drivers/mtd/maps/solutionengine.c-40-	soleng_flash_map.virt = (void __iomem *)P2SEGADDR(0);
 drivers/mtd/maps/solutionengine.c:41:	soleng_eprom_map.phys = 0x01000000;
 drivers/mtd/maps/solutionengine.c-42-	soleng_eprom_map.virt = (void __iomem *)P1SEGADDR(0x01000000);
 --
 drivers/mtd/maps/solutionengine.c-50-		printk(KERN_NOTICE "Probing for flash chips at 0x01000000:\n");
 drivers/mtd/maps/solutionengine.c:51:		soleng_flash_map.phys = 0x01000000;
 drivers/mtd/maps/solutionengine.c-52-		soleng_flash_map.virt = P2SEGADDR(0x01000000);
 drivers/mtd/maps/solutionengine.c:53:		soleng_eprom_map.phys = 0;
]
]

gemini-3-flash-preview

							input: 30402
							output: 17
							thoughts: 605
						

**Debugging a Dangling Pointer in Input Device's `phys` Field**

Okay, first things first, that broad `grep` for `.phys =` isn't going to cut it. I need to narrow the search to `input_dev`'s `phys` field specifically. I remember that's a `const char *` inside the `input_dev` struct.

Alright, the game plan is to trace how and where `input_dev` is allocated and, crucially, where its `phys` field gets set, particularly within the `mac80211` or `cfg80211` subsystems. Hmm, wait... `mac80211` doesn't usually *directly* create input devices. So, maybe it's some wireless driver acting on its behalf? Let's keep that in mind.

Aha! The allocation and deallocation happening in `ieee80211_inform_bss` have got my attention. That function gets called every time a BSS is discovered during a scan, which is frequent. It's parsing the Information Elements (IEs) of the BSS, and the `ieee80211_elems_parse` object is used to hold the parsed IEs. Those IEs often contain strings.

The pieces are starting to fit. If `dev->phys` is pointing to one of these strings, but the string lives inside the `ieee80211_elems_parse` object, like in its `scratch` buffer, then when that object gets freed, `dev->phys` becomes a dangling pointer!

But... why on earth would an `input_dev`'s `phys` point to a BSS IE? That doesn't seem right.

Wait, it's clear now, `input_devices_seq_show` is dumping *all* input devices. This is it. One of them is showing a `phys` pointer that's pointing to freed memory.

Let me revisit that `input_devices_seq_show` code block:
```c
1099:		seq_printf(seq, "P: Phys=%s\n", dev->phys ? dev->phys : "");
```
Yep, it's reading `dev->phys`. This confirms the problem.

Alright, the memory was freed by `ieee80211_inform_bss`. That means `dev->phys` *was* pointing to something within the `ieee80211_elems_parse` object.

And just to reiterate, `ieee80211_inform_bss` is called on every single BSS discovery. That's a *very* frequent operation during scanning. If somewhere, someone did something like this:
`input_dev->phys = some_pointer_into_ieee80211_elems_parse;`
That's the bug. That's the source of the dangling pointer.

Now, the question is *where*? What driver? Maybe some input device driver that's loosely coupled with wireless, like `applespi`?

Okay, time to get to work. Let's dig into the `input_dev` structure and get precise. Let's search the *whole* kernel, but scoped to `input_dev`, specifically for where `phys` is assigned. Actually, let's search for `->phys =`. That should be revealing.

map[Expression:->phys =]

map[Output:
Full output is too long, showing 500 out of 2522 lines.
Use more precise expression if possible.

[arch/arm/common/locomo.c=356=__locomo_probe(struct device *me, struct resource *mem, int irq)
 --
 arch/arm/common/locomo.c-371-
 arch/arm/common/locomo.c:372:	lchip->phys = mem->start;
 arch/arm/common/locomo.c-373-	lchip->irq = irq;
 --
 arch/arm/common/sa1111.c=792=static int __sa1111_probe(struct device *me, struct resource *mem, int irq)
 --
 arch/arm/common/sa1111.c-820-	sachip->pdata = pd;
 arch/arm/common/sa1111.c:821:	sachip->phys = mem->start;
 arch/arm/common/sa1111.c-822-	sachip->irq = irq;
 --
 arch/powerpc/mm/init_64.c=168=static __meminit int vmemmap_list_populate(unsigned long phys,
 --
 arch/powerpc/mm/init_64.c-179-
 arch/powerpc/mm/init_64.c:180:	vmem_back->phys = phys;
 arch/powerpc/mm/init_64.c-181-	vmem_back->virt_addr = start;
 --
 arch/x86/mm/mmio-mod.c=128=static void pre(struct kmmio_probe *p, struct pt_regs *regs,
 --
 arch/x86/mm/mmio-mod.c-146-
 arch/x86/mm/mmio-mod.c:147:	my_trace->phys = addr - trace->probe.addr + trace->phys;
 arch/x86/mm/mmio-mod.c-148-	my_trace->map_id = trace->id;
 --
 arch/x86/platform/olpc/olpc-xo1-sci.c=435=static int setup_power_button(struct platform_device *pdev)
 --
 arch/x86/platform/olpc/olpc-xo1-sci.c-443-	power_button_idev->name = "Power Button";
 arch/x86/platform/olpc/olpc-xo1-sci.c:444:	power_button_idev->phys = DRV_NAME "/input0";
 arch/x86/platform/olpc/olpc-xo1-sci.c-445-	set_bit(EV_KEY, power_button_idev->evbit);
 --
 arch/x86/platform/olpc/olpc-xo1-sci.c=465=static int setup_ebook_switch(struct platform_device *pdev)
 --
 arch/x86/platform/olpc/olpc-xo1-sci.c-473-	ebook_switch_idev->name = "EBook Switch";
 arch/x86/platform/olpc/olpc-xo1-sci.c:474:	ebook_switch_idev->phys = DRV_NAME "/input1";
 arch/x86/platform/olpc/olpc-xo1-sci.c-475-	set_bit(EV_SW, ebook_switch_idev->evbit);
 --
 arch/x86/platform/olpc/olpc-xo1-sci.c=495=static int setup_lid_switch(struct platform_device *pdev)
 --
 arch/x86/platform/olpc/olpc-xo1-sci.c-503-	lid_switch_idev->name = "Lid Switch";
 arch/x86/platform/olpc/olpc-xo1-sci.c:504:	lid_switch_idev->phys = DRV_NAME "/input2";
 arch/x86/platform/olpc/olpc-xo1-sci.c-505-	set_bit(EV_SW, lid_switch_idev->evbit);
 --
 drivers/accessibility/speakup/fakekey.c=22=int speakup_add_virtual_keyboard(void)
 --
 drivers/accessibility/speakup/fakekey.c-32-	virt_keyboard->id.bustype = BUS_VIRTUAL;
 drivers/accessibility/speakup/fakekey.c:33:	virt_keyboard->phys = "speakup/input0";
 drivers/accessibility/speakup/fakekey.c-34-	virt_keyboard->dev.parent = NULL;
 --
 drivers/acpi/acpi_video.c=1894=static int acpi_video_bus_add_notify_handler(struct acpi_video_bus *video)
 --
 drivers/acpi/acpi_video.c-1913-	input->name = acpi_device_name(video->device);
 drivers/acpi/acpi_video.c:1914:	input->phys = video->phys;
 drivers/acpi/acpi_video.c-1915-	input->id.bustype = BUS_HOST;
 --
 drivers/acpi/button.c=534=static int acpi_button_add(struct acpi_device *device)
 --
 drivers/acpi/button.c-599-	input->name = name;
 drivers/acpi/button.c:600:	input->phys = button->phys;
 drivers/acpi/button.c-601-	input->id.bustype = BUS_HOST;
 --
 drivers/acpi/osl.c=323=void __iomem __ref
 --
 drivers/acpi/osl.c-363-	map->virt = (void __iomem __force *)((unsigned long)virt & PAGE_MASK);
 drivers/acpi/osl.c:364:	map->phys = pg_off;
 drivers/acpi/osl.c-365-	map->size = pg_sz;
 --
 drivers/ata/libahci_platform.c=477=struct ahci_host_priv *ahci_platform_get_resources(struct platform_device *pdev,
 --
 drivers/ata/libahci_platform.c-587-
 drivers/ata/libahci_platform.c:588:	hpriv->phys = devm_kcalloc(dev, hpriv->nports, sizeof(*hpriv->phys), GFP_KERNEL);
 drivers/ata/libahci_platform.c-589-	if (!hpriv->phys) {
 --
 drivers/atm/he.c=1878=he_service_rbpl(struct he_dev *he_dev, int group)
 --
 drivers/atm/he.c-1913-		new_tail->idx = i << RBP_IDX_OFFSET;
 drivers/atm/he.c:1914:		new_tail->phys = mapping + offsetof(struct he_buff, data);
 drivers/atm/he.c-1915-
 --
 drivers/bus/mips_cdmm.c=372=static int mips_cdmm_setup(struct mips_cdmm_bus *bus)
 --
 drivers/bus/mips_cdmm.c-383-		/* If CDMM region is still set up, nothing to do */
 drivers/bus/mips_cdmm.c:384:		if (bus->phys == mips_cdmm_cur_base())
 drivers/bus/mips_cdmm.c-385-			goto out;
 --
 drivers/bus/mips_cdmm.c-396-	if (!bus->phys)
 drivers/bus/mips_cdmm.c:397:		bus->phys = mips_cdmm_cur_base();
 drivers/bus/mips_cdmm.c-398-	/* Otherwise, ask platform code for suggestions */
 drivers/bus/mips_cdmm.c-399-	if (!bus->phys)
 drivers/bus/mips_cdmm.c:400:		bus->phys = mips_cdmm_phys_base();
 drivers/bus/mips_cdmm.c-401-	/* Otherwise, copy what other CPUs have done */
 drivers/bus/mips_cdmm.c-402-	if (!bus->phys)
 drivers/bus/mips_cdmm.c:403:		bus->phys = mips_cdmm_default_base;
 drivers/bus/mips_cdmm.c-404-	/* Otherwise, complain once */
 drivers/bus/mips_cdmm.c-405-	if (!bus->phys) {
 drivers/bus/mips_cdmm.c:406:		bus->phys = 1;
 drivers/bus/mips_cdmm.c-407-		/*
 --
 drivers/bus/mips_cdmm.c-415-	/* Already complained? */
 drivers/bus/mips_cdmm.c:416:	if (bus->phys == 1) {
 drivers/bus/mips_cdmm.c-417-		ret = -ENOMEM;
 --
 drivers/crypto/tegra/tegra-se-main.c=44=tegra_se_cmdbuf_pin(struct device *dev, struct host1x_bo *bo, enum dma_data_direction direction)
 --
 drivers/crypto/tegra/tegra-se-main.c-73-
 drivers/crypto/tegra/tegra-se-main.c:74:	map->phys = sg_dma_address(map->sgt->sgl);
 drivers/crypto/tegra/tegra-se-main.c-75-	map->size = cmdbuf->words * 4;
 --
 drivers/dma/idma64.c=300=static struct dma_async_tx_descriptor *idma64_prep_slave_sg(
 --
 drivers/dma/idma64.c-324-
 drivers/dma/idma64.c:325:		hw->phys = sg_dma_address(sg);
 drivers/dma/idma64.c-326-		hw->len = sg_dma_len(sg);
 --
 drivers/dma/ioat/dma.c=591=static void __ioat_cleanup(struct ioatdma_chan *ioat_chan, dma_addr_t phys_complete)
 --
 drivers/dma/ioat/dma.c-632-
 drivers/dma/ioat/dma.c:633:		if (tx->phys == phys_complete)
 drivers/dma/ioat/dma.c-634-			seen_current = true;
 --
 drivers/dma/loongson1-apb-dma.c=156=static int ls1x_dma_alloc_chan_resources(struct dma_chan *dchan)
 --
 drivers/dma/loongson1-apb-dma.c-183-	}
 drivers/dma/loongson1-apb-dma.c:184:	chan->curr_lli->phys = phys;
 drivers/dma/loongson1-apb-dma.c-185-
 --
 drivers/dma/loongson1-apb-dma.c=216=static int ls1x_dma_prep_lli(struct dma_chan *dchan, struct ls1x_dma_desc *desc,
 --
 drivers/dma/loongson1-apb-dma.c-261-		/* setup HW descriptors */
 drivers/dma/loongson1-apb-dma.c:262:		lli->phys = phys;
 drivers/dma/loongson1-apb-dma.c-263-		lli->hw[LS1X_DMADESC_SADDR] = buf_addr;
 --
 drivers/dma/loongson2-apb-dma.c=321=ls2x_dma_prep_slave_sg(struct dma_chan *chan, struct scatterlist *sgl,
 --
 drivers/dma/loongson2-apb-dma.c-356-
 drivers/dma/loongson2-apb-dma.c:357:		ldma_sg->phys = sg_dma_address(sg);
 drivers/dma/loongson2-apb-dma.c-358-		ldma_sg->len = sg_dma_len(sg);
 --
 drivers/dma/loongson2-apb-dma.c=382=ls2x_dma_prep_dma_cyclic(struct dma_chan *chan, dma_addr_t buf_addr, size_t buf_len,
 --
 drivers/dma/loongson2-apb-dma.c-422-
 drivers/dma/loongson2-apb-dma.c:423:		ldma_sg->phys = buf_addr + period_len * i;
 drivers/dma/loongson2-apb-dma.c-424-		ldma_sg->len = period_len;
 --
 drivers/dma/owl-dma.c=349=static struct owl_dma_lli *owl_dma_alloc_lli(struct owl_dma *od)
 --
 drivers/dma/owl-dma.c-358-	INIT_LIST_HEAD(&lli->node);
 drivers/dma/owl-dma.c:359:	lli->phys = phys;
 drivers/dma/owl-dma.c-360-
 --
 drivers/dma/owl-dma.c=771=static u32 owl_dma_getbytes_chan(struct owl_dma_vchan *vchan)
 --
 drivers/dma/owl-dma.c-792-			/* Start from the next active node */
 drivers/dma/owl-dma.c:793:			if (lli->phys == next_lli_phy) {
 drivers/dma/owl-dma.c-794-				list_for_each_entry(lli, &txd->lli_list, node)
 --
 drivers/dma/ppc4xx/adma.c=896=static void ppc440spe_adma_device_clear_eot_status(
 --
 drivers/dma/ppc4xx/adma.c-946-				    chain_node) {
 drivers/dma/ppc4xx/adma.c:947:					if (iter->phys == phys)
 drivers/dma/ppc4xx/adma.c-948-						break;
 --
 drivers/dma/ppc4xx/adma.c=1487=static int ppc440spe_adma_clean_slot(struct ppc440spe_adma_desc_slot *desc,
 --
 drivers/dma/ppc4xx/adma.c-1499-	if (list_is_last(&desc->chain_node, &chan->chain) ||
 drivers/dma/ppc4xx/adma.c:1500:	    desc->phys == ppc440spe_chan_get_current_descriptor(chan))
 drivers/dma/ppc4xx/adma.c-1501-		return 1;
 --
 drivers/dma/ppc4xx/adma.c=1533=static void __ppc440spe_adma_slot_cleanup(struct ppc440spe_adma_chan *chan)
 --
 drivers/dma/ppc4xx/adma.c-1575-		 */
 drivers/dma/ppc4xx/adma.c:1576:		if (iter->phys == current_desc) {
 drivers/dma/ppc4xx/adma.c-1577-			BUG_ON(seen_current++);
 --
 drivers/dma/ppc4xx/adma.c=1764=static int ppc440spe_adma_alloc_chan_resources(struct dma_chan *chan)
 --
 drivers/dma/ppc4xx/adma.c-1798-		INIT_LIST_HEAD(&slot->group_list);
 drivers/dma/ppc4xx/adma.c:1799:		slot->phys = ppc440spe_chan->device->dma_desc_pool + i * db_sz;
 drivers/dma/ppc4xx/adma.c-1800-		slot->idx = i;
 --
 drivers/dma/pxa_dma.c=1233=static int pxad_init_phys(struct platform_device *op,
 --
 drivers/dma/pxa_dma.c-1243-
 drivers/dma/pxa_dma.c:1244:	pdev->phys = devm_kcalloc(&op->dev, nb_phy_chans,
 drivers/dma/pxa_dma.c-1245-				  sizeof(pdev->phys[0]), GFP_KERNEL);
 --
 drivers/dma/xilinx/xilinx_dma.c=670=xilinx_vdma_alloc_tx_segment(struct xilinx_dma_chan *chan)
 --
 drivers/dma/xilinx/xilinx_dma.c-678-
 drivers/dma/xilinx/xilinx_dma.c:679:	segment->phys = phys;
 drivers/dma/xilinx/xilinx_dma.c-680-
 --
 drivers/dma/xilinx/xilinx_dma.c=691=xilinx_cdma_alloc_tx_segment(struct xilinx_dma_chan *chan)
 --
 drivers/dma/xilinx/xilinx_dma.c-699-
 drivers/dma/xilinx/xilinx_dma.c:700:	segment->phys = phys;
 drivers/dma/xilinx/xilinx_dma.c-701-
 --
 drivers/dma/xilinx/xilinx_dma.c=1114=static int xilinx_dma_alloc_chan_resources(struct dma_chan *dchan)
 --
 drivers/dma/xilinx/xilinx_dma.c-1155-		}
 drivers/dma/xilinx/xilinx_dma.c:1156:		chan->cyclic_seg_v->phys = chan->cyclic_seg_p;
 drivers/dma/xilinx/xilinx_dma.c-1157-
 --
 drivers/extcon/extcon-max77693.c=1068=static int max77693_muic_probe(struct platform_device *pdev)
 --
 drivers/extcon/extcon-max77693.c-1109-	info->dock->name = "max77693-muic/dock";
 drivers/extcon/extcon-max77693.c:1110:	info->dock->phys = "max77693-muic/extcon";
 drivers/extcon/extcon-max77693.c-1111-	info->dock->dev.parent = &pdev->dev;
 --
 drivers/firmware/efi/capsule-loader.c=38=int __efi_capsule_setup_info(struct capsule_info *cap_info)
 --
 drivers/firmware/efi/capsule-loader.c-74-
 drivers/firmware/efi/capsule-loader.c:75:	cap_info->phys = temp_page;
 drivers/firmware/efi/capsule-loader.c-76-
 --
 drivers/firmware/efi/capsule-loader.c=281=static int efi_capsule_open(struct inode *inode, struct file *file)
 --
 drivers/firmware/efi/capsule-loader.c-294-
 drivers/firmware/efi/capsule-loader.c:295:	cap_info->phys = kzalloc(sizeof(phys_addr_t), GFP_KERNEL);
 drivers/firmware/efi/capsule-loader.c-296-	if (!cap_info->phys) {
 --
 drivers/firmware/qcom/qcom_scm.c=578=int qcom_scm_pas_init_image(u32 peripheral, const void *metadata, size_t size,
 --
 drivers/firmware/qcom/qcom_scm.c-632-		ctx->ptr = mdata_buf;
 drivers/firmware/qcom/qcom_scm.c:633:		ctx->phys = mdata_phys;
 drivers/firmware/qcom/qcom_scm.c-634-		ctx->size = size;
 --
 drivers/firmware/qcom/qcom_scm.c=645=void qcom_scm_pas_metadata_release(struct qcom_scm_pas_metadata *ctx)
 --
 drivers/firmware/qcom/qcom_scm.c-652-	ctx->ptr = NULL;
 drivers/firmware/qcom/qcom_scm.c:653:	ctx->phys = 0;
 drivers/firmware/qcom/qcom_scm.c-654-	ctx->size = 0;
 --
 drivers/fpga/dfl-afu-region.c=50=int afu_mmio_region_add(struct dfl_feature_dev_data *fdata,
 --
 drivers/fpga/dfl-afu-region.c-63-	region->size = region_size;
 drivers/fpga/dfl-afu-region.c:64:	region->phys = phys;
 drivers/fpga/dfl-afu-region.c-65-	region->flags = flags;
 --
 drivers/gpu/drm/nouveau/nvkm/core/firmware.c=226=nvkm_firmware_ctor(const struct nvkm_firmware_func *func, const char *name,
 --
 drivers/gpu/drm/nouveau/nvkm/core/firmware.c-247-			memcpy(fw->img, src, fw->len);
 drivers/gpu/drm/nouveau/nvkm/core/firmware.c:248:			fw->phys = addr;
 drivers/gpu/drm/nouveau/nvkm/core/firmware.c-249-		}
 --
 drivers/gpu/drm/tegra/gem.c=59=static struct host1x_bo_mapping *tegra_bo_pin(struct device *dev, struct host1x_bo *bo,
 --
 drivers/gpu/drm/tegra/gem.c-141-	if (!obj->mm) {
 drivers/gpu/drm/tegra/gem.c:142:		map->phys = sg_dma_address(map->sgt->sgl);
 drivers/gpu/drm/tegra/gem.c-143-		map->chunks = err;
 drivers/gpu/drm/tegra/gem.c-144-	} else {
 drivers/gpu/drm/tegra/gem.c:145:		map->phys = obj->iova;
 drivers/gpu/drm/tegra/gem.c-146-		map->chunks = 1;
 --
 drivers/gpu/drm/tegra/submit.c=68=gather_bo_pin(struct device *dev, struct host1x_bo *bo, enum dma_data_direction direction)
 --
 drivers/gpu/drm/tegra/submit.c-97-
 drivers/gpu/drm/tegra/submit.c:98:	map->phys = sg_dma_address(map->sgt->sgl);
 drivers/gpu/drm/tegra/submit.c-99-	map->size = gather->gather_data_words * 4;
 --
 drivers/gpu/host1x/cdma.c=48=static void host1x_pushbuffer_destroy(struct push_buffer *pb)
 --
 drivers/gpu/host1x/cdma.c-63-	pb->mapped = NULL;
 drivers/gpu/host1x/cdma.c:64:	pb->phys = 0;
 drivers/gpu/host1x/cdma.c-65-}
 --
 drivers/gpu/host1x/cdma.c=70=static int host1x_pushbuffer_init(struct push_buffer *pb)
 --
 drivers/gpu/host1x/cdma.c-78-	pb->mapped = NULL;
 drivers/gpu/host1x/cdma.c:79:	pb->phys = 0;
 drivers/gpu/host1x/cdma.c-80-	pb->size = HOST1X_PUSHBUFFER_SLOTS * 8;
 --
 drivers/gpu/host1x/job.c=141=static unsigned int pin_job(struct host1x *host, struct host1x_job *job)
 --
 drivers/gpu/host1x/job.c-258-
 drivers/gpu/host1x/job.c:259:			map->phys = iova_dma_addr(&host->iova, alloc);
 drivers/gpu/host1x/job.c-260-			map->size = gather_size;
 --
 drivers/gpu/ipu-v3/ipu-image-convert.c=358=static void free_dma_buf(struct ipu_image_convert_priv *priv,
 --
 drivers/gpu/ipu-v3/ipu-image-convert.c-364-	buf->virt = NULL;
 drivers/gpu/ipu-v3/ipu-image-convert.c:365:	buf->phys = 0;
 drivers/gpu/ipu-v3/ipu-image-convert.c-366-}
 --
 drivers/hid/hid-alps.c=674=static int alps_input_configured(struct hid_device *hdev, struct hid_input *hi)
 --
 drivers/hid/hid-alps.c-738-		data->input2 = input2;
 drivers/hid/hid-alps.c:739:		input2->phys = input->phys;
 drivers/hid/hid-alps.c-740-		input2->name = "DualPoint Stick";
 --
 drivers/hid/hid-elan.c=152=static int elan_input_configured(struct hid_device *hdev, struct hid_input *hi)
 --
 drivers/hid/hid-elan.c-169-	input->name = "Elan Touchpad";
 drivers/hid/hid-elan.c:170:	input->phys = hdev->phys;
 drivers/hid/hid-elan.c-171-	input->uniq = hdev->uniq;
 --
 drivers/hid/hid-input.c=2023=static struct hid_input *hidinput_allocate(struct hid_device *hid,
 --
 drivers/hid/hid-input.c-2101-	input_dev->name = hidinput->name ? hidinput->name : hid->name;
 drivers/hid/hid-input.c:2102:	input_dev->phys = hid->phys;
 drivers/hid/hid-input.c-2103-	input_dev->uniq = hid->uniq;
 --
 drivers/hid/hid-letsketch.c=81=static struct input_dev *letsketch_alloc_input_dev(struct letsketch_data *data)
 --
 drivers/hid/hid-letsketch.c-92-	input->id.version = data->hdev->bus;
 drivers/hid/hid-letsketch.c:93:	input->phys = data->hdev->phys;
 drivers/hid/hid-letsketch.c-94-	input->uniq = data->hdev->uniq;
 --
 drivers/hid/hid-lg-g15.c=1064=static void lg_g15_init_input_dev_core(struct hid_device *hdev, struct input_dev *input,
 --
 drivers/hid/hid-lg-g15.c-1067-	input->name = name;
 drivers/hid/hid-lg-g15.c:1068:	input->phys = hdev->phys;
 drivers/hid/hid-lg-g15.c-1069-	input->uniq = hdev->uniq;
 --
 drivers/hid/hid-logitech-hidpp.c=4147=static struct input_dev *hidpp_allocate_input(struct hid_device *hdev)
 --
 drivers/hid/hid-logitech-hidpp.c-4159-	input_dev->name = hidpp->name;
 drivers/hid/hid-logitech-hidpp.c:4160:	input_dev->phys = hdev->phys;
 drivers/hid/hid-logitech-hidpp.c-4161-	input_dev->uniq = hdev->uniq;
 --
 drivers/hid/hid-nintendo.c=2055=static int joycon_imu_input_create(struct joycon_ctlr *ctlr)
 --
 drivers/hid/hid-nintendo.c-2072-	ctlr->imu_input->uniq = ctlr->mac_addr_str;
 drivers/hid/hid-nintendo.c:2073:	ctlr->imu_input->phys = hdev->phys;
 drivers/hid/hid-nintendo.c-2074-
 --
 drivers/hid/hid-nintendo.c=2122=static int joycon_input_create(struct joycon_ctlr *ctlr)
 --
 drivers/hid/hid-nintendo.c-2137-	ctlr->input->name = hdev->name;
 drivers/hid/hid-nintendo.c:2138:	ctlr->input->phys = hdev->phys;
 drivers/hid/hid-nintendo.c-2139-	input_set_drvdata(ctlr->input, ctlr);
 --
 drivers/hid/hid-picolcd_core.c=407=static int picolcd_init_keys(struct picolcd_data *data,
 --
 drivers/hid/hid-picolcd_core.c-429-	idev->name = hdev->name;
 drivers/hid/hid-picolcd_core.c:430:	idev->phys = hdev->phys;
 drivers/hid/hid-picolcd_core.c-431-	idev->uniq = hdev->uniq;
 --
 drivers/hid/hid-sony.c=1008=static int sony_register_touchpad(struct sony_sc *sc, int touch_count,
 --
 drivers/hid/hid-sony.c-1020-	sc->touchpad->dev.parent = &sc->hdev->dev;
 drivers/hid/hid-sony.c:1021:	sc->touchpad->phys = sc->hdev->phys;
 drivers/hid/hid-sony.c-1022-	sc->touchpad->uniq = sc->hdev->uniq;
 --
 drivers/hid/hid-sony.c=1075=static int sony_register_sensors(struct sony_sc *sc)
 --
 drivers/hid/hid-sony.c-1086-	sc->sensor_dev->dev.parent = &sc->hdev->dev;
 drivers/hid/hid-sony.c:1087:	sc->sensor_dev->phys = sc->hdev->phys;
 drivers/hid/hid-sony.c-1088-	sc->sensor_dev->uniq = sc->hdev->uniq;
 --
 drivers/hid/hid-steam.c=706=static int steam_input_register(struct steam_device *steam)
 --
 drivers/hid/hid-steam.c-731-		"Steam Controller";
 drivers/hid/hid-steam.c:732:	input->phys = hdev->phys;
 drivers/hid/hid-steam.c-733-	input->uniq = steam->serial_no;
 --
 drivers/hid/hid-steam.c=834=static int steam_sensors_register(struct steam_device *steam)
 --
 drivers/hid/hid-steam.c-858-	sensors->name = "Steam Deck Motion Sensors";
 drivers/hid/hid-steam.c:859:	sensors->phys = hdev->phys;
 drivers/hid/hid-steam.c-860-	sensors->uniq = steam->serial_no;
 --
 drivers/hid/hid-udraw-ps3.c=278=static struct input_dev *allocate_and_setup(struct hid_device *hdev,
 --
 drivers/hid/hid-udraw-ps3.c-287-	input_dev->name = name;
 drivers/hid/hid-udraw-ps3.c:288:	input_dev->phys = hdev->phys;
 drivers/hid/hid-udraw-ps3.c-289-	input_dev->dev.parent = &hdev->dev;
 --
 drivers/hid/usbhid/usbkbd.c=261=static int usb_kbd_probe(struct usb_interface *iface,
 --
 drivers/hid/usbhid/usbkbd.c-314-	input_dev->name = kbd->name;
 drivers/hid/usbhid/usbkbd.c:315:	input_dev->phys = kbd->phys;
 drivers/hid/usbhid/usbkbd.c-316-	usb_to_input_id(dev, &input_dev->id);
 --
 drivers/hid/usbhid/usbmouse.c=106=static int usb_mouse_probe(struct usb_interface *intf, const struct usb_device_id *id)
 --
 drivers/hid/usbhid/usbmouse.c-162-	input_dev->name = mouse->name;
 drivers/hid/usbhid/usbmouse.c:163:	input_dev->phys = mouse->phys;
 drivers/hid/usbhid/usbmouse.c-164-	usb_to_input_id(dev, &input_dev->id);
 --
 drivers/hid/wacom_sys.c=2079=static struct input_dev *wacom_allocate_input(struct wacom *wacom)
 --
 drivers/hid/wacom_sys.c-2089-	input_dev->name = wacom_wac->features.name;
 drivers/hid/wacom_sys.c:2090:	input_dev->phys = hdev->phys;
 drivers/hid/wacom_sys.c-2091-	input_dev->dev.parent = &hdev->dev;
 --
 drivers/infiniband/hw/hfi1/user_exp_rcv.c=723=static int set_rcvarray_entry(struct hfi1_filedata *fd,
 --
 drivers/infiniband/hw/hfi1/user_exp_rcv.c-753-	mutex_init(&node->invalidate_mutex);
 drivers/infiniband/hw/hfi1/user_exp_rcv.c:754:	node->phys = page_to_phys(pages[0]);
 drivers/infiniband/hw/hfi1/user_exp_rcv.c-755-	node->npages = npages;
 --
 drivers/input/joystick/a3d.c=243=static int a3d_connect(struct gameport *gameport, struct gameport_driver *drv)
 --
 drivers/input/joystick/a3d.c-289-	input_dev->name = a3d_names[a3d->mode];
 drivers/input/joystick/a3d.c:290:	input_dev->phys = a3d->phys;
 drivers/input/joystick/a3d.c-291-	input_dev->id.bustype = BUS_GAMEPORT;
 --
 drivers/input/joystick/adafruit-seesaw.c=223=static int seesaw_probe(struct i2c_client *client)
 --
 drivers/input/joystick/adafruit-seesaw.c-268-	seesaw->input_dev->name = "Adafruit Seesaw Gamepad";
 drivers/input/joystick/adafruit-seesaw.c:269:	seesaw->input_dev->phys = "i2c/" SEESAW_DEVICE_NAME;
 drivers/input/joystick/adafruit-seesaw.c-270-	seesaw->input_dev->open = seesaw_open;
 --
 drivers/input/joystick/adi.c=382=static int adi_init_input(struct adi *adi, struct adi_port *port, int half)
 --
 drivers/input/joystick/adi.c-401-	input_dev->name = adi->name;
 drivers/input/joystick/adi.c:402:	input_dev->phys = adi->phys;
 drivers/input/joystick/adi.c-403-	input_dev->id.bustype = BUS_GAMEPORT;
 --
 drivers/input/joystick/amijoy.c=86=static int __init amijoy_init(void)
 --
 drivers/input/joystick/amijoy.c-110-		amijoy_dev[i]->name = "Amiga joystick";
 drivers/input/joystick/amijoy.c:111:		amijoy_dev[i]->phys = amijoy_phys[i];
 drivers/input/joystick/amijoy.c-112-		amijoy_dev[i]->id.bustype = BUS_AMIGA;
 --
 drivers/input/joystick/analog.c=363=static int analog_init_device(struct analog_port *port, struct analog *analog, int index)
 --
 drivers/input/joystick/analog.c-378-	input_dev->name = analog->name;
 drivers/input/joystick/analog.c:379:	input_dev->phys = analog->phys;
 drivers/input/joystick/analog.c-380-	input_dev->id.bustype = BUS_GAMEPORT;
 --
 drivers/input/joystick/cobra.c=136=static int cobra_connect(struct gameport *gameport, struct gameport_driver *drv)
 --
 drivers/input/joystick/cobra.c-186-		input_dev->name = "Creative Labs Blaster GamePad Cobra";
 drivers/input/joystick/cobra.c:187:		input_dev->phys = cobra->phys[i];
 drivers/input/joystick/cobra.c-188-		input_dev->id.bustype = BUS_GAMEPORT;
 --
 drivers/input/joystick/db9.c=541=static void db9_attach(struct parport *pp)
 --
 drivers/input/joystick/db9.c-609-		input_dev->name = db9_mode->name;
 drivers/input/joystick/db9.c:610:		input_dev->phys = db9->phys[i];
 drivers/input/joystick/db9.c-611-		input_dev->id.bustype = BUS_PARPORT;
 --
 drivers/input/joystick/fsia6b.c=127=static int fsia6b_serio_connect(struct serio *serio, struct serio_driver *drv)
 --
 drivers/input/joystick/fsia6b.c-154-	input_dev->name = DRIVER_DESC;
 drivers/input/joystick/fsia6b.c:155:	input_dev->phys = fsia6b->phys;
 drivers/input/joystick/fsia6b.c-156-	input_dev->id.bustype = BUS_RS232;
 --
 drivers/input/joystick/gamecon.c=795=static int gc_setup_pad(struct gc *gc, int idx, int pad_type)
 --
 drivers/input/joystick/gamecon.c-818-	input_dev->name = gc_names[pad_type];
 drivers/input/joystick/gamecon.c:819:	input_dev->phys = pad->phys;
 drivers/input/joystick/gamecon.c-820-	input_dev->id.bustype = BUS_PARPORT;
 --
 drivers/input/joystick/gf2k.c=218=static int gf2k_connect(struct gameport *gameport, struct gameport_driver *drv)
 --
 drivers/input/joystick/gf2k.c-283-	input_dev->name = gf2k_names[gf2k->id];
 drivers/input/joystick/gf2k.c:284:	input_dev->phys = gf2k->phys;
 drivers/input/joystick/gf2k.c-285-	input_dev->id.bustype = BUS_GAMEPORT;
 --
 drivers/input/joystick/grip.c=279=static int grip_connect(struct gameport *gameport, struct gameport_driver *drv)
 --
 drivers/input/joystick/grip.c-339-		input_dev->name = grip_name[grip->mode[i]];
 drivers/input/joystick/grip.c:340:		input_dev->phys = grip->phys[i];
 drivers/input/joystick/grip.c-341-		input_dev->id.bustype = BUS_GAMEPORT;
 --
 drivers/input/joystick/guillemot.c=158=static int guillemot_connect(struct gameport *gameport, struct gameport_driver *drv)
 --
 drivers/input/joystick/guillemot.c-206-	input_dev->name = guillemot_type[i].name;
 drivers/input/joystick/guillemot.c:207:	input_dev->phys = guillemot->phys;
 drivers/input/joystick/guillemot.c-208-	input_dev->id.bustype = BUS_GAMEPORT;
 --
 drivers/input/joystick/interact.c=187=static int interact_connect(struct gameport *gameport, struct gameport_driver *drv)
 --
 drivers/input/joystick/interact.c-237-	input_dev->name = interact_type[i].name;
 drivers/input/joystick/interact.c:238:	input_dev->phys = interact->phys;
 drivers/input/joystick/interact.c-239-	input_dev->id.bustype = BUS_GAMEPORT;
 --
 drivers/input/joystick/magellan.c=128=static int magellan_connect(struct serio *serio, struct serio_driver *drv)
 --
 drivers/input/joystick/magellan.c-143-	input_dev->name = "LogiCad3D Magellan / SpaceMouse";
 drivers/input/joystick/magellan.c:144:	input_dev->phys = magellan->phys;
 drivers/input/joystick/magellan.c-145-	input_dev->id.bustype = BUS_RS232;
 --
 drivers/input/joystick/n64joy.c=238=static int __init n64joy_probe(struct platform_device *pdev)
 --
 drivers/input/joystick/n64joy.c-274-			dev->name = "N64 controller";
 drivers/input/joystick/n64joy.c:275:			dev->phys = n64joy_phys[i];
 drivers/input/joystick/n64joy.c-276-			dev->id.bustype = BUS_HOST;
 --
 drivers/input/joystick/pxrc.c=117=static int pxrc_probe(struct usb_interface *intf,
 --
 drivers/input/joystick/pxrc.c-173-	strlcat(pxrc->phys, "/input0", sizeof(pxrc->phys));
 drivers/input/joystick/pxrc.c:174:	pxrc->input->phys = pxrc->phys;
 drivers/input/joystick/pxrc.c-175-
 --
 drivers/input/joystick/qwiic-joystick.c=62=static int qwiic_probe(struct i2c_client *client)
 --
 drivers/input/joystick/qwiic-joystick.c-92-	priv->dev->name = "SparkFun Qwiic Joystick";
 drivers/input/joystick/qwiic-joystick.c:93:	priv->dev->phys = priv->phys;
 drivers/input/joystick/qwiic-joystick.c-94-	input_set_drvdata(priv->dev, priv);
 --
 drivers/input/joystick/sensehat-joystick.c=61=static int sensehat_joystick_probe(struct platform_device *pdev)
 --
 drivers/input/joystick/sensehat-joystick.c-85-	sensehat_joystick->keys_dev->name = "Raspberry Pi Sense HAT Joystick";
 drivers/input/joystick/sensehat-joystick.c:86:	sensehat_joystick->keys_dev->phys = "sensehat-joystick/input0";
 drivers/input/joystick/sensehat-joystick.c-87-	sensehat_joystick->keys_dev->id.bustype = BUS_I2C;
 --
]
]

gemini-3-flash-preview

							input: 43146
							output: 19
							thoughts: 37
						

Okay, here's my take on those thoughts, tailored for an expert audience:

**Refining the Search for Input Device Usage**

Alright, the initial `grep` was a bit too wide-ranging, didn't it? I need to focus my search. My primary concern right now is understanding how `mac80211` or `cfg80211` might interact with `input_dev`. It's pretty likely that if there *is* input handling, it's going to be in one of those areas, given their role in wireless device management and configuration. So, let’s narrow the focus. Let's see if either of those modules has a demonstrable need for input devices. Time to dig in and re-run my queries, but with this focused goal in mind.

map[Expression:input_allocate_device]

map[Output:
Full output is too long, showing 500 out of 2927 lines.
Use more precise expression if possible.

[Documentation/driver-api/driver-model/devres.rst=300=INPUT
 Documentation/driver-api/driver-model/devres.rst:301:  devm_input_allocate_device()
 Documentation/driver-api/driver-model/devres.rst-302-
 --
 Documentation/input/input-programming.rst=10=pressed or released a BUTTON_IRQ happens. The driver could look like::
 --
 Documentation/input/input-programming.rst-36-
 Documentation/input/input-programming.rst:37:	    button_dev = input_allocate_device();
 Documentation/input/input-programming.rst-38-	    if (!button_dev) {
 --
 Documentation/input/input-programming.rst=79=for the presence of the device).
 Documentation/input/input-programming.rst-80-
 Documentation/input/input-programming.rst:81:Then it allocates a new input device structure with input_allocate_device()
 Documentation/input/input-programming.rst-82-and sets up input bitfields. This way the device driver tells the other
 --
 arch/x86/platform/olpc/olpc-xo1-sci.c=435=static int setup_power_button(struct platform_device *pdev)
 --
 arch/x86/platform/olpc/olpc-xo1-sci.c-438-
 arch/x86/platform/olpc/olpc-xo1-sci.c:439:	power_button_idev = input_allocate_device();
 arch/x86/platform/olpc/olpc-xo1-sci.c-440-	if (!power_button_idev)
 --
 arch/x86/platform/olpc/olpc-xo1-sci.c=465=static int setup_ebook_switch(struct platform_device *pdev)
 --
 arch/x86/platform/olpc/olpc-xo1-sci.c-468-
 arch/x86/platform/olpc/olpc-xo1-sci.c:469:	ebook_switch_idev = input_allocate_device();
 arch/x86/platform/olpc/olpc-xo1-sci.c-470-	if (!ebook_switch_idev)
 --
 arch/x86/platform/olpc/olpc-xo1-sci.c=495=static int setup_lid_switch(struct platform_device *pdev)
 --
 arch/x86/platform/olpc/olpc-xo1-sci.c-498-
 arch/x86/platform/olpc/olpc-xo1-sci.c:499:	lid_switch_idev = input_allocate_device();
 arch/x86/platform/olpc/olpc-xo1-sci.c-500-	if (!lid_switch_idev)
 --
 drivers/accessibility/speakup/fakekey.c=22=int speakup_add_virtual_keyboard(void)
 --
 drivers/accessibility/speakup/fakekey.c-25-
 drivers/accessibility/speakup/fakekey.c:26:	virt_keyboard = input_allocate_device();
 drivers/accessibility/speakup/fakekey.c-27-
 --
 drivers/acpi/acpi_video.c=1894=static int acpi_video_bus_add_notify_handler(struct acpi_video_bus *video)
 --
 drivers/acpi/acpi_video.c-1899-
 drivers/acpi/acpi_video.c:1900:	video->input = input = input_allocate_device();
 drivers/acpi/acpi_video.c-1901-	if (!input) {
 --
 drivers/acpi/button.c=534=static int acpi_button_add(struct acpi_device *device)
 --
 drivers/acpi/button.c-553-
 drivers/acpi/button.c:554:	button->input = input = input_allocate_device();
 drivers/acpi/button.c-555-	if (!input) {
 --
 drivers/auxdisplay/ht16k33.c=493=static int ht16k33_keypad_probe(struct i2c_client *client,
 --
 drivers/auxdisplay/ht16k33.c-503-
 drivers/auxdisplay/ht16k33.c:504:	keypad->dev = devm_input_allocate_device(dev);
 drivers/auxdisplay/ht16k33.c-505-	if (!keypad->dev)
 --
 drivers/char/sonypi.c=1147=static int sonypi_create_input_devices(struct platform_device *pdev)
 --
 drivers/char/sonypi.c-1153-
 drivers/char/sonypi.c:1154:	sonypi_device.input_jog_dev = jog_dev = input_allocate_device();
 drivers/char/sonypi.c-1155-	if (!jog_dev)
 --
 drivers/char/sonypi.c-1166-
 drivers/char/sonypi.c:1167:	sonypi_device.input_key_dev = key_dev = input_allocate_device();
 drivers/char/sonypi.c-1168-	if (!key_dev) {
 --
 drivers/extcon/extcon-max77693.c=1068=static int max77693_muic_probe(struct platform_device *pdev)
 --
 drivers/extcon/extcon-max77693.c-1103-	/* Register input device for button of dock device */
 drivers/extcon/extcon-max77693.c:1104:	info->dock = devm_input_allocate_device(&pdev->dev);
 drivers/extcon/extcon-max77693.c-1105-	if (!info->dock) {
 --
 drivers/hid/hid-alps.c=674=static int alps_input_configured(struct hid_device *hdev, struct hid_input *hi)
 --
 drivers/hid/hid-alps.c-731-	if (data->has_sp) {
 drivers/hid/hid-alps.c:732:		input2 = input_allocate_device();
 drivers/hid/hid-alps.c-733-		if (!input2) {
 --
 drivers/hid/hid-elan.c=152=static int elan_input_configured(struct hid_device *hdev, struct hid_input *hi)
 --
 drivers/hid/hid-elan.c-164-
 drivers/hid/hid-elan.c:165:	input = devm_input_allocate_device(&hdev->dev);
 drivers/hid/hid-elan.c-166-	if (!input)
 --
 drivers/hid/hid-google-hammer.c=177=static int __cbas_ec_probe(struct platform_device *pdev)
 --
 drivers/hid/hid-google-hammer.c-190-
 drivers/hid/hid-google-hammer.c:191:	input = devm_input_allocate_device(&pdev->dev);
 drivers/hid/hid-google-hammer.c-192-	if (!input)
 --
 drivers/hid/hid-input.c=2023=static struct hid_input *hidinput_allocate(struct hid_device *hid,
 --
 drivers/hid/hid-input.c-2026-	struct hid_input *hidinput = kzalloc(sizeof(*hidinput), GFP_KERNEL);
 drivers/hid/hid-input.c:2027:	struct input_dev *input_dev = input_allocate_device();
 drivers/hid/hid-input.c-2028-	const char *suffix = NULL;
 --
 drivers/hid/hid-letsketch.c=81=static struct input_dev *letsketch_alloc_input_dev(struct letsketch_data *data)
 --
 drivers/hid/hid-letsketch.c-84-
 drivers/hid/hid-letsketch.c:85:	input = devm_input_allocate_device(&data->hdev->dev);
 drivers/hid/hid-letsketch.c-86-	if (!input)
 --
 drivers/hid/hid-lg-g15.c=1113=static int lg_g15_probe(struct hid_device *hdev, const struct hid_device_id *id)
 --
 drivers/hid/hid-lg-g15.c-1156-
 drivers/hid/hid-lg-g15.c:1157:	input = devm_input_allocate_device(&hdev->dev);
 drivers/hid/hid-lg-g15.c-1158-	if (!input)
 --
 drivers/hid/hid-lg-g15.c-1177-		 */
 drivers/hid/hid-lg-g15.c:1178:		input_js = devm_input_allocate_device(&hdev->dev);
 drivers/hid/hid-lg-g15.c-1179-		if (!input_js)
 --
 drivers/hid/hid-logitech-hidpp.c=4147=static struct input_dev *hidpp_allocate_input(struct hid_device *hdev)
 drivers/hid/hid-logitech-hidpp.c-4148-{
 drivers/hid/hid-logitech-hidpp.c:4149:	struct input_dev *input_dev = devm_input_allocate_device(&hdev->dev);
 drivers/hid/hid-logitech-hidpp.c-4150-	struct hidpp_device *hidpp = hid_get_drvdata(hdev);
 --
 drivers/hid/hid-nintendo.c=2055=static int joycon_imu_input_create(struct joycon_ctlr *ctlr)
 --
 drivers/hid/hid-nintendo.c-2063-	/* configure the imu input device */
 drivers/hid/hid-nintendo.c:2064:	ctlr->imu_input = devm_input_allocate_device(&hdev->dev);
 drivers/hid/hid-nintendo.c-2065-	if (!ctlr->imu_input)
 --
 drivers/hid/hid-nintendo.c=2122=static int joycon_input_create(struct joycon_ctlr *ctlr)
 --
 drivers/hid/hid-nintendo.c-2128-
 drivers/hid/hid-nintendo.c:2129:	ctlr->input = devm_input_allocate_device(&hdev->dev);
 drivers/hid/hid-nintendo.c-2130-	if (!ctlr->input)
 --
 drivers/hid/hid-nvidia-shield.c=242=static struct input_dev *shield_allocate_input_dev(struct hid_device *hdev,
 --
 drivers/hid/hid-nvidia-shield.c-246-
 drivers/hid/hid-nvidia-shield.c:247:	idev = input_allocate_device();
 drivers/hid/hid-nvidia-shield.c-248-	if (!idev)
 --
 drivers/hid/hid-picolcd_core.c=407=static int picolcd_init_keys(struct picolcd_data *data,
 --
 drivers/hid/hid-picolcd_core.c-421-
 drivers/hid/hid-picolcd_core.c:422:	idev = input_allocate_device();
 drivers/hid/hid-picolcd_core.c-423-	if (idev == NULL) {
 --
 drivers/hid/hid-playstation.c=630=static struct input_dev *ps_allocate_input_dev(struct hid_device *hdev,
 --
 drivers/hid/hid-playstation.c-634-
 drivers/hid/hid-playstation.c:635:	input_dev = devm_input_allocate_device(&hdev->dev);
 drivers/hid/hid-playstation.c-636-	if (!input_dev)
 --
 drivers/hid/hid-sony.c=1008=static int sony_register_touchpad(struct sony_sc *sc, int touch_count,
 --
 drivers/hid/hid-sony.c-1014-
 drivers/hid/hid-sony.c:1015:	sc->touchpad = devm_input_allocate_device(&sc->hdev->dev);
 drivers/hid/hid-sony.c-1016-	if (!sc->touchpad)
 --
 drivers/hid/hid-sony.c=1075=static int sony_register_sensors(struct sony_sc *sc)
 --
 drivers/hid/hid-sony.c-1080-
 drivers/hid/hid-sony.c:1081:	sc->sensor_dev = devm_input_allocate_device(&sc->hdev->dev);
 drivers/hid/hid-sony.c-1082-	if (!sc->sensor_dev)
 --
 drivers/hid/hid-steam.c=706=static int steam_input_register(struct steam_device *steam)
 --
 drivers/hid/hid-steam.c-719-
 drivers/hid/hid-steam.c:720:	input = input_allocate_device();
 drivers/hid/hid-steam.c-721-	if (!input)
 --
 drivers/hid/hid-steam.c=834=static int steam_sensors_register(struct steam_device *steam)
 --
 drivers/hid/hid-steam.c-850-
 drivers/hid/hid-steam.c:851:	sensors = input_allocate_device();
 drivers/hid/hid-steam.c-852-	if (!sensors)
 --
 drivers/hid/hid-udraw-ps3.c=278=static struct input_dev *allocate_and_setup(struct hid_device *hdev,
 --
 drivers/hid/hid-udraw-ps3.c-282-
 drivers/hid/hid-udraw-ps3.c:283:	input_dev = devm_input_allocate_device(&hdev->dev);
 drivers/hid/hid-udraw-ps3.c-284-	if (!input_dev)
 --
 drivers/hid/hid-wiimote-core.c=624=static void wiimote_modules_load(struct wiimote_data *wdata,
 --
 drivers/hid/hid-wiimote-core.c-641-	if (need_input) {
 drivers/hid/hid-wiimote-core.c:642:		wdata->input = input_allocate_device();
 drivers/hid/hid-wiimote-core.c-643-		if (!wdata->input)
 --
 drivers/hid/hid-wiimote-modules.c=481=static int wiimod_accel_probe(const struct wiimod_ops *ops,
 --
 drivers/hid/hid-wiimote-modules.c-485-
 drivers/hid/hid-wiimote-modules.c:486:	wdata->accel = input_allocate_device();
 drivers/hid/hid-wiimote-modules.c-487-	if (!wdata->accel)
 --
 drivers/hid/hid-wiimote-modules.c=733=static int wiimod_ir_probe(const struct wiimod_ops *ops,
 --
 drivers/hid/hid-wiimote-modules.c-737-
 drivers/hid/hid-wiimote-modules.c:738:	wdata->ir = input_allocate_device();
 drivers/hid/hid-wiimote-modules.c-739-	if (!wdata->ir)
 --
 drivers/hid/hid-wiimote-modules.c=928=static int wiimod_nunchuk_probe(const struct wiimod_ops *ops,
 --
 drivers/hid/hid-wiimote-modules.c-932-
 drivers/hid/hid-wiimote-modules.c:933:	wdata->extension.input = input_allocate_device();
 drivers/hid/hid-wiimote-modules.c-934-	if (!wdata->extension.input)
 --
 drivers/hid/hid-wiimote-modules.c=1222=static int wiimod_classic_probe(const struct wiimod_ops *ops,
 --
 drivers/hid/hid-wiimote-modules.c-1226-
 drivers/hid/hid-wiimote-modules.c:1227:	wdata->extension.input = input_allocate_device();
 drivers/hid/hid-wiimote-modules.c-1228-	if (!wdata->extension.input)
 --
 drivers/hid/hid-wiimote-modules.c=1467=static int wiimod_bboard_probe(const struct wiimod_ops *ops,
 --
 drivers/hid/hid-wiimote-modules.c-1497-
 drivers/hid/hid-wiimote-modules.c:1498:	wdata->extension.input = input_allocate_device();
 drivers/hid/hid-wiimote-modules.c-1499-	if (!wdata->extension.input)
 --
 drivers/hid/hid-wiimote-modules.c=1862=static int wiimod_pro_probe(const struct wiimod_ops *ops,
 --
 drivers/hid/hid-wiimote-modules.c-1877-
 drivers/hid/hid-wiimote-modules.c:1878:	wdata->extension.input = input_allocate_device();
 drivers/hid/hid-wiimote-modules.c-1879-	if (!wdata->extension.input)
 --
 drivers/hid/hid-wiimote-modules.c=2108=static int wiimod_drums_probe(const struct wiimod_ops *ops,
 --
 drivers/hid/hid-wiimote-modules.c-2112-
 drivers/hid/hid-wiimote-modules.c:2113:	wdata->extension.input = input_allocate_device();
 drivers/hid/hid-wiimote-modules.c-2114-	if (!wdata->extension.input)
 --
 drivers/hid/hid-wiimote-modules.c=2338=static int wiimod_guitar_probe(const struct wiimod_ops *ops,
 --
 drivers/hid/hid-wiimote-modules.c-2342-
 drivers/hid/hid-wiimote-modules.c:2343:	wdata->extension.input = input_allocate_device();
 drivers/hid/hid-wiimote-modules.c-2344-	if (!wdata->extension.input)
 --
 drivers/hid/hid-wiimote-modules.c=2557=static int wiimod_turntable_probe(const struct wiimod_ops *ops,
 --
 drivers/hid/hid-wiimote-modules.c-2561-
 drivers/hid/hid-wiimote-modules.c:2562:	wdata->extension.input = input_allocate_device();
 drivers/hid/hid-wiimote-modules.c-2563-	if (!wdata->extension.input)
 --
 drivers/hid/hid-wiimote-modules.c=2797=static int wiimod_mp_probe(const struct wiimod_ops *ops,
 --
 drivers/hid/hid-wiimote-modules.c-2801-
 drivers/hid/hid-wiimote-modules.c:2802:	wdata->mp = input_allocate_device();
 drivers/hid/hid-wiimote-modules.c-2803-	if (!wdata->mp)
 --
 drivers/hid/usbhid/usbkbd.c=261=static int usb_kbd_probe(struct usb_interface *iface,
 --
 drivers/hid/usbhid/usbkbd.c-284-	kbd = kzalloc(sizeof(struct usb_kbd), GFP_KERNEL);
 drivers/hid/usbhid/usbkbd.c:285:	input_dev = input_allocate_device();
 drivers/hid/usbhid/usbkbd.c-286-	if (!kbd || !input_dev)
 --
 drivers/hid/usbhid/usbmouse.c=106=static int usb_mouse_probe(struct usb_interface *intf, const struct usb_device_id *id)
 --
 drivers/hid/usbhid/usbmouse.c-128-	mouse = kzalloc(sizeof(struct usb_mouse), GFP_KERNEL);
 drivers/hid/usbhid/usbmouse.c:129:	input_dev = input_allocate_device();
 drivers/hid/usbhid/usbmouse.c-130-	if (!mouse || !input_dev)
 --
 drivers/hid/wacom_sys.c=2079=static struct input_dev *wacom_allocate_input(struct wacom *wacom)
 --
 drivers/hid/wacom_sys.c-2084-
 drivers/hid/wacom_sys.c:2085:	input_dev = devm_input_allocate_device(&hdev->dev);
 drivers/hid/wacom_sys.c-2086-	if (!input_dev)
 --
 drivers/hwmon/applesmc.c=1175=static int applesmc_create_accelerometer(void)
 --
 drivers/hwmon/applesmc.c-1185-
 drivers/hwmon/applesmc.c:1186:	applesmc_idev = input_allocate_device();
 drivers/hwmon/applesmc.c-1187-	if (!applesmc_idev) {
 --
 drivers/iio/adc/at91_adc.c=930=static int at91_ts_register(struct iio_dev *idev,
 --
 drivers/iio/adc/at91_adc.c-936-
 drivers/iio/adc/at91_adc.c:937:	input = input_allocate_device();
 drivers/iio/adc/at91_adc.c-938-	if (!input) {
 --
 drivers/input/input.c=358=void input_handle_event(struct input_dev *dev,
 --
 drivers/input/input.c-384- * NOTE: input_event() may be safely used right after input device was
 drivers/input/input.c:385: * allocated with input_allocate_device(), even before it is registered
 drivers/input/input.c-386- * with input_register_device(), but the event will not reach any of the
 --
 drivers/input/input.c=1874=EXPORT_SYMBOL_GPL(input_class);
 --
 drivers/input/input.c-1876-/**
 drivers/input/input.c:1877: * input_allocate_device - allocate memory for new input device
 drivers/input/input.c-1878- *
 --
 drivers/input/input.c-1884- */
 drivers/input/input.c:1885:struct input_dev *input_allocate_device(void)
 drivers/input/input.c-1886-{
 --
 drivers/input/input.c-1927-}
 drivers/input/input.c:1928:EXPORT_SYMBOL(input_allocate_device);
 drivers/input/input.c-1929-
 --
 drivers/input/input.c=1941=static void devm_input_device_release(struct device *dev, void *res)
 --
 drivers/input/input.c-1951-/**
 drivers/input/input.c:1952: * devm_input_allocate_device - allocate managed input device
 drivers/input/input.c-1953- * @dev: device owning the input device being created
 --
 drivers/input/input.c-1968- */
 drivers/input/input.c:1969:struct input_dev *devm_input_allocate_device(struct device *dev)
 drivers/input/input.c-1970-{
 --
 drivers/input/input.c-1978-
 drivers/input/input.c:1979:	input = input_allocate_device();
 drivers/input/input.c-1980-	if (!input) {
 --
 drivers/input/input.c-1992-}
 drivers/input/input.c:1993:EXPORT_SYMBOL(devm_input_allocate_device);
 drivers/input/input.c-1994-
 --
 drivers/input/input.c-2003- *
 drivers/input/input.c:2004: * Device should be allocated by input_allocate_device().
 drivers/input/input.c-2005- *
 --
 drivers/input/input.c=2260=static int input_device_tune_vals(struct input_dev *dev)
 --
 drivers/input/input.c-2293- * This function registers device with input core. The device must be
 drivers/input/input.c:2294: * allocated with input_allocate_device() and all it's capabilities
 drivers/input/input.c-2295- * set up before registering.
 --
 drivers/input/input.c-2301- * Note that this function is also used to register managed input devices
 drivers/input/input.c:2302: * (ones allocated with devm_input_allocate_device()). Such managed input
 drivers/input/input.c-2303- * devices need not be explicitly unregistered or freed, their tear down
 --
 drivers/input/joystick/a3d.c=243=static int a3d_connect(struct gameport *gameport, struct gameport_driver *drv)
 --
 drivers/input/joystick/a3d.c-252-	a3d = kzalloc(sizeof(*a3d), GFP_KERNEL);
 drivers/input/joystick/a3d.c:253:	input_dev = input_allocate_device();
 drivers/input/joystick/a3d.c-254-	if (!a3d || !input_dev) {
 --
 drivers/input/joystick/adafruit-seesaw.c=223=static int seesaw_probe(struct i2c_client *client)
 --
 drivers/input/joystick/adafruit-seesaw.c-262-	seesaw->i2c_client = client;
 drivers/input/joystick/adafruit-seesaw.c:263:	seesaw->input_dev = devm_input_allocate_device(&client->dev);
 drivers/input/joystick/adafruit-seesaw.c-264-	if (!seesaw->input_dev)
 --
 drivers/input/joystick/adc-joystick.c=227=static int adc_joystick_probe(struct platform_device *pdev)
 --
 drivers/input/joystick/adc-joystick.c-266-
 drivers/input/joystick/adc-joystick.c:267:	input = devm_input_allocate_device(dev);
 drivers/input/joystick/adc-joystick.c-268-	if (!input) {
 --
 drivers/input/joystick/adi.c=382=static int adi_init_input(struct adi *adi, struct adi_port *port, int half)
 --
 drivers/input/joystick/adi.c-387-
 drivers/input/joystick/adi.c:388:	adi->dev = input_dev = input_allocate_device();
 drivers/input/joystick/adi.c-389-	if (!input_dev)
 --
 drivers/input/joystick/amijoy.c=86=static int __init amijoy_init(void)
 --
 drivers/input/joystick/amijoy.c-97-
 drivers/input/joystick/amijoy.c:98:		amijoy_dev[i] = input_allocate_device();
 drivers/input/joystick/amijoy.c-99-		if (!amijoy_dev[i]) {
 --
 drivers/input/joystick/analog.c=363=static int analog_init_device(struct analog_port *port, struct analog *analog, int index)
 --
 drivers/input/joystick/analog.c-373-
 drivers/input/joystick/analog.c:374:	analog->dev = input_dev = input_allocate_device();
 drivers/input/joystick/analog.c-375-	if (!input_dev)
 --
 drivers/input/joystick/as5011.c=215=static int as5011_probe(struct i2c_client *client)
 --
 drivers/input/joystick/as5011.c-240-	as5011 = kmalloc(sizeof(*as5011), GFP_KERNEL);
 drivers/input/joystick/as5011.c:241:	input_dev = input_allocate_device();
 drivers/input/joystick/as5011.c-242-	if (!as5011 || !input_dev) {
 --
 drivers/input/joystick/cobra.c=136=static int cobra_connect(struct gameport *gameport, struct gameport_driver *drv)
 --
 drivers/input/joystick/cobra.c-176-
 drivers/input/joystick/cobra.c:177:		cobra->dev[i] = input_dev = input_allocate_device();
 drivers/input/joystick/cobra.c-178-		if (!input_dev) {
 --
 drivers/input/joystick/db9.c=541=static void db9_attach(struct parport *pp)
 --
 drivers/input/joystick/db9.c-599-
 drivers/input/joystick/db9.c:600:		db9->dev[i] = input_dev = input_allocate_device();
 drivers/input/joystick/db9.c-601-		if (!input_dev) {
 --
 drivers/input/joystick/fsia6b.c=127=static int fsia6b_serio_connect(struct serio *serio, struct serio_driver *drv)
 --
 drivers/input/joystick/fsia6b.c-144-
 drivers/input/joystick/fsia6b.c:145:	input_dev = input_allocate_device();
 drivers/input/joystick/fsia6b.c-146-	if (!input_dev) {
 --
 drivers/input/joystick/gamecon.c=795=static int gc_setup_pad(struct gc *gc, int idx, int pad_type)
 --
 drivers/input/joystick/gamecon.c-806-
 drivers/input/joystick/gamecon.c:807:	pad->dev = input_dev = input_allocate_device();
 drivers/input/joystick/gamecon.c-808-	if (!input_dev) {
 --
 drivers/input/joystick/gf2k.c=218=static int gf2k_connect(struct gameport *gameport, struct gameport_driver *drv)
 --
 drivers/input/joystick/gf2k.c-225-	gf2k = kzalloc(sizeof(*gf2k), GFP_KERNEL);
 drivers/input/joystick/gf2k.c:226:	input_dev = input_allocate_device();
 drivers/input/joystick/gf2k.c-227-	if (!gf2k || !input_dev) {
 --
 drivers/input/joystick/grip.c=279=static int grip_connect(struct gameport *gameport, struct gameport_driver *drv)
 --
 drivers/input/joystick/grip.c-329-
 drivers/input/joystick/grip.c:330:		grip->dev[i] = input_dev = input_allocate_device();
 drivers/input/joystick/grip.c-331-		if (!input_dev) {
 --
 drivers/input/joystick/grip_mp.c=584=static int register_slot(int slot, struct grip_mp *grip)
 --
 drivers/input/joystick/grip_mp.c-590-
 drivers/input/joystick/grip_mp.c:591:	port->dev = input_dev = input_allocate_device();
 drivers/input/joystick/grip_mp.c-592-	if (!input_dev)
 --
 drivers/input/joystick/guillemot.c=158=static int guillemot_connect(struct gameport *gameport, struct gameport_driver *drv)
 --
 drivers/input/joystick/guillemot.c-166-	guillemot = kzalloc(sizeof(*guillemot), GFP_KERNEL);
 drivers/input/joystick/guillemot.c:167:	input_dev = input_allocate_device();
 drivers/input/joystick/guillemot.c-168-	if (!guillemot || !input_dev) {
 --
 drivers/input/joystick/iforce/iforce-main.c=212=int iforce_init_device(struct device *parent, u16 bustype,
 --
 drivers/input/joystick/iforce/iforce-main.c-222-
 drivers/input/joystick/iforce/iforce-main.c:223:	input_dev = input_allocate_device();
 drivers/input/joystick/iforce/iforce-main.c-224-	if (!input_dev)
 --
 drivers/input/joystick/interact.c=187=static int interact_connect(struct gameport *gameport, struct gameport_driver *drv)
 --
 drivers/input/joystick/interact.c-195-	interact = kzalloc(sizeof(*interact), GFP_KERNEL);
 drivers/input/joystick/interact.c:196:	input_dev = input_allocate_device();
 drivers/input/joystick/interact.c-197-	if (!interact || !input_dev) {
 --
 drivers/input/joystick/magellan.c=128=static int magellan_connect(struct serio *serio, struct serio_driver *drv)
 --
 drivers/input/joystick/magellan.c-135-	magellan = kzalloc(sizeof(*magellan), GFP_KERNEL);
 drivers/input/joystick/magellan.c:136:	input_dev = input_allocate_device();
 drivers/input/joystick/magellan.c-137-	if (!magellan || !input_dev)
 --
 drivers/input/joystick/maplecontrol.c=82=static int probe_maple_controller(struct device *dev)
 --
 drivers/input/joystick/maplecontrol.c-105-	pad = kzalloc(sizeof(*pad), GFP_KERNEL);
 drivers/input/joystick/maplecontrol.c:106:	idev = input_allocate_device();
 drivers/input/joystick/maplecontrol.c-107-	if (!pad || !idev) {
 --
 drivers/input/joystick/n64joy.c=238=static int __init n64joy_probe(struct platform_device *pdev)
 --
 drivers/input/joystick/n64joy.c-265-
 drivers/input/joystick/n64joy.c:266:			dev = priv->n64joy_dev[i] = input_allocate_device();
 drivers/input/joystick/n64joy.c-267-			if (!priv->n64joy_dev[i]) {
 --
 drivers/input/joystick/psxpad-spi.c=285=static int psxpad_spi_probe(struct spi_device *spi)
 --
 drivers/input/joystick/psxpad-spi.c-294-
 drivers/input/joystick/psxpad-spi.c:295:	idev = devm_input_allocate_device(&spi->dev);
 drivers/input/joystick/psxpad-spi.c-296-	if (!idev) {
 --
 drivers/input/joystick/pxrc.c=117=static int pxrc_probe(struct usb_interface *intf,
 --
 drivers/input/joystick/pxrc.c-163-
 drivers/input/joystick/pxrc.c:164:	pxrc->input = devm_input_allocate_device(&intf->dev);
 drivers/input/joystick/pxrc.c-165-	if (!pxrc->input) {
 --
 drivers/input/joystick/qwiic-joystick.c=62=static int qwiic_probe(struct i2c_client *client)
 --
 drivers/input/joystick/qwiic-joystick.c-86-
 drivers/input/joystick/qwiic-joystick.c:87:	priv->dev = devm_input_allocate_device(&client->dev);
 drivers/input/joystick/qwiic-joystick.c-88-	if (!priv->dev)
 --
 drivers/input/joystick/sensehat-joystick.c=61=static int sensehat_joystick_probe(struct platform_device *pdev)
 --
 drivers/input/joystick/sensehat-joystick.c-78-
 drivers/input/joystick/sensehat-joystick.c:79:	sensehat_joystick->keys_dev = devm_input_allocate_device(&pdev->dev);
 drivers/input/joystick/sensehat-joystick.c-80-	if (!sensehat_joystick->keys_dev) {
 --
 drivers/input/joystick/sidewinder.c=568=static int sw_connect(struct gameport *gameport, struct gameport_driver *drv)
 --
 drivers/input/joystick/sidewinder.c-728-
 drivers/input/joystick/sidewinder.c:729:		sw->dev[i] = input_dev = input_allocate_device();
 drivers/input/joystick/sidewinder.c-730-		if (!input_dev) {
 --
 drivers/input/joystick/spaceball.c=192=static int spaceball_connect(struct serio *serio, struct serio_driver *drv)
 --
 drivers/input/joystick/spaceball.c-202-	spaceball = kmalloc(sizeof(*spaceball), GFP_KERNEL);
 drivers/input/joystick/spaceball.c:203:	input_dev = input_allocate_device();
 drivers/input/joystick/spaceball.c-204-	if (!spaceball || !input_dev)
 --
 drivers/input/joystick/spaceorb.c=143=static int spaceorb_connect(struct serio *serio, struct serio_driver *drv)
 --
 drivers/input/joystick/spaceorb.c-150-	spaceorb = kzalloc(sizeof(*spaceorb), GFP_KERNEL);
 drivers/input/joystick/spaceorb.c:151:	input_dev = input_allocate_device();
 drivers/input/joystick/spaceorb.c-152-	if (!spaceorb || !input_dev)
 --
 drivers/input/joystick/stinger.c=115=static int stinger_connect(struct serio *serio, struct serio_driver *drv)
 --
 drivers/input/joystick/stinger.c-121-	stinger = kmalloc(sizeof(*stinger), GFP_KERNEL);
 drivers/input/joystick/stinger.c:122:	input_dev = input_allocate_device();
 drivers/input/joystick/stinger.c-123-	if (!stinger || !input_dev)
 --
 drivers/input/joystick/tmdc.c=259=static int tmdc_setup_port(struct tmdc *tmdc, int idx, unsigned char *data)
 --
 drivers/input/joystick/tmdc.c-267-	tmdc->port[idx] = port = kzalloc(sizeof (struct tmdc_port), GFP_KERNEL);
 drivers/input/joystick/tmdc.c:268:	input_dev = input_allocate_device();
 drivers/input/joystick/tmdc.c-269-	if (!port || !input_dev) {
 --
]
]

gemini-3-flash-preview

							input: 53507
							output: 48
							thoughts: 516
						

**Debugging a Suspected Memory Corruption**

Okay, first things first, my initial grep search didn't reveal any direct links between `mac80211` and `input_dev` that jumped out. Time to reassess the situation.

Right, so `ieee80211_elems_parse` is being allocated and freed within `ieee80211_inform_bss`, but the problematic access is happening in `input_devices_seq_show`. That's a classic sign of a use-after-free or a memory overwrite. If `dev->phys` is pointing to memory that *used* to belong to that parsed element buffer, we're likely dealing with a dangling pointer.

Hold on, `dev->phys` is a `const char *`. This sparks an idea. Is someone doing something sloppy like: `dev->phys = some_buffer;`? And is `some_buffer` maybe allocated on the stack or as part of a temporary object? If the lifetime of `some_buffer` ends before `input_devices_seq_show` accesses it, bingo! We've got our culprit.

Okay, let's trace this back. `ieee80211_inform_bss` is actually called from `cfg80211_inform_single_bss_data`, which in turn is called by `cfg80211_inform_bss_data`. Got it. Let's go back and carefully examine `ieee80211_inform_bss` again.

Here, it calls `ieee802_11_parse_elems` with:

```c
  79:		elems = ieee802_11_parse_elems(ies->data, ies->len,
...
  83:					       NULL);
```

Wait a second. It's a macro or inline that ultimately calls `ieee802_11_parse_elems_full`.

And then, looking back at the arguments to `ieee80211_inform_bss`:

```c
  63:	void ieee80211_inform_bss(struct wiphy *wiphy,
  64:				  struct cfg80211_bss *cbss,
  65:				  const struct cfg80211_bss_ies *ies,
  66:				  void *data)
```

And then:

```c
  69:		struct inform_bss_update_data *update_data = data;
```

Ah! `ieee80211_inform_bss` takes a `void *data` argument. Seems like this `data` is crucial. The buffer being parsed is likely coming *through* that data pointer. So, now, time to dissect `struct inform_bss_update_data`. That's where I need to focus my attention. It probably holds the relevant buffer.

map[ContextFile:net/mac80211/scan.c IncludeLines:true Name:inform_bss_update_data]

map[SourceCode:  58:	struct inform_bss_update_data {
  59:		struct ieee80211_rx_status *rx_status;
  60:		bool beacon;
  61:	};
 SourceFile:net/mac80211/scan.c]

gemini-3-flash-preview

							input: 54812
							output: 47
							thoughts: 95
						

Okay, let's see what we've got here.

**Analyzing a Memory Corruption Bug**

Alright, nothing immediately jumps out at me. Standard stuff. Wait a minute… this bug report says something interesting: "The buggy address is located 544 bytes inside of freed 1024-byte region [ffff888059a15800, ffff888059a15c00]". Okay, that's a key piece of information. That region is 1024 bytes and the bug is somewhere inside it, and it was freed. Let me see... If `ieee80211_elems_parse` is 1024 bytes, then I need to understand its layout. Time to investigate that function's structure.

map[ContextFile:net/mac80211/parse.c Name:ieee80211_elems_parse]

map[Fields:[map[Name:elems OffsetBits:0 SizeBits:6272] map[Name:ml_basic_elem OffsetBits:6272 SizeBits:64] map[Name:ml_reconf_elem OffsetBits:6336 SizeBits:64] map[Name:ml_epcs_elem OffsetBits:6400 SizeBits:64] map[Name:multi_link_inner OffsetBits:6464 SizeBits:8] map[Name:skip_vendor OffsetBits:6472 SizeBits:8] map[Name:scratch_len OffsetBits:6528 SizeBits:64] map[Name:scratch_pos OffsetBits:6592 SizeBits:64] map[Name:scratch OffsetBits:6656 SizeBits:0]]]

gemini-3-flash-preview

							input: 55342
							output: 46
							thoughts: 112
						

**Analyzing a Memory Structure**

Okay, so I'm looking at this memory layout. I've got `elems`, which is taking up 6272 bits, that's equivalent to 784 bytes, got it. Then `ml_basic_elem` is starting at that exact offset of 784 bytes, which seems reasonable. And the `scratch` space begins at 6656 bits, or 832 bytes.

Now, here's where it gets interesting – I've got this buggy address, and it's at offset 544 bytes. Hmm, 544 bytes… that falls squarely within the `elems` structure, right? Given the starting address. Okay, that tells me something important – the source of the bug, whatever it is, is likely tied to that structure. I know `elems` is a `struct ieee802_11_elems`, so let's dive into that definition and see what we can find. I'll take a closer look at the members within that structure and see what's going on at offset 544.

map[ContextFile:net/mac80211/parse.c Name:ieee802_11_elems]

map[Fields:[map[Name:ie_start OffsetBits:0 SizeBits:64] map[Name:total_len OffsetBits:64 SizeBits:64] map[Name:crc OffsetBits:128 SizeBits:32] map[Name:lnk_id OffsetBits:192 SizeBits:64] map[Name:ch_sw_timing OffsetBits:256 SizeBits:64] map[Name:ext_capab OffsetBits:320 SizeBits:64] map[Name:ssid OffsetBits:384 SizeBits:64] map[Name:supp_rates OffsetBits:448 SizeBits:64] map[Name:ds_params OffsetBits:512 SizeBits:64] map[Name:tim OffsetBits:576 SizeBits:64] map[Name:rsn OffsetBits:640 SizeBits:64] map[Name:rsnx OffsetBits:704 SizeBits:64] map[Name:erp_info OffsetBits:768 SizeBits:64] map[Name:ext_supp_rates OffsetBits:832 SizeBits:64] map[Name:wmm_info OffsetBits:896 SizeBits:64] map[Name:wmm_param OffsetBits:960 SizeBits:64] map[Name:ht_cap_elem OffsetBits:1024 SizeBits:64] map[Name:ht_operation OffsetBits:1088 SizeBits:64] map[Name:vht_cap_elem OffsetBits:1152 SizeBits:64] map[Name:vht_operation OffsetBits:1216 SizeBits:64] map[Name:mesh_config OffsetBits:1280 SizeBits:64] map[Name:he_cap OffsetBits:1344 SizeBits:64] map[Name:he_operation OffsetBits:1408 SizeBits:64] map[Name:he_spr OffsetBits:1472 SizeBits:64] map[Name:mu_edca_param_set OffsetBits:1536 SizeBits:64] map[Name:he_6ghz_capa OffsetBits:1600 SizeBits:64] map[Name:uora_element OffsetBits:1664 SizeBits:64] map[Name:mesh_id OffsetBits:1728 SizeBits:64] map[Name:peering OffsetBits:1792 SizeBits:64] map[Name:awake_window OffsetBits:1856 SizeBits:64] map[Name:preq OffsetBits:1920 SizeBits:64] map[Name:prep OffsetBits:1984 SizeBits:64] map[Name:perr OffsetBits:2048 SizeBits:64] map[Name:rann OffsetBits:2112 SizeBits:64] map[Name:ch_switch_ie OffsetBits:2176 SizeBits:64] map[Name:ext_chansw_ie OffsetBits:2240 SizeBits:64] map[Name:wide_bw_chansw_ie OffsetBits:2304 SizeBits:64] map[Name:max_channel_switch_time OffsetBits:2368 SizeBits:64] map[Name:country_elem OffsetBits:2432 SizeBits:64] map[Name:pwr_constr_elem OffsetBits:2496 SizeBits:64] map[Name:cisco_dtpc_elem OffsetBits:2560 SizeBits:64] map[Name:timeout_int OffsetBits:2624 SizeBits:64] map[Name:opmode_notif OffsetBits:2688 SizeBits:64] map[Name:sec_chan_offs OffsetBits:2752 SizeBits:64] map[Name:mesh_chansw_params_ie OffsetBits:2816 SizeBits:64] map[Name:max_idle_period_ie OffsetBits:2880 SizeBits:64] map[Name:mbssid_config_ie OffsetBits:2944 SizeBits:64] map[Name:bssid_index OffsetBits:3008 SizeBits:64] map[Name:max_bssid_indicator OffsetBits:3072 SizeBits:8] map[Name:dtim_count OffsetBits:3080 SizeBits:8] map[Name:dtim_period OffsetBits:3088 SizeBits:8] map[Name:addba_ext_ie OffsetBits:3136 SizeBits:64] map[Name:s1g_capab OffsetBits:3200 SizeBits:64] map[Name:s1g_oper OffsetBits:3264 SizeBits:64] map[Name:s1g_bcn_compat OffsetBits:3328 SizeBits:64] map[Name:aid_resp OffsetBits:3392 SizeBits:64] map[Name:eht_cap OffsetBits:3456 SizeBits:64] map[Name:eht_operation OffsetBits:3520 SizeBits:64] map[Name:ml_basic OffsetBits:3584 SizeBits:64] map[Name:ml_reconf OffsetBits:3648 SizeBits:64] map[Name:ml_epcs OffsetBits:3712 SizeBits:64] map[Name:bandwidth_indication OffsetBits:3776 SizeBits:64] map[Name:ttlm OffsetBits:3840 SizeBits:128] map[Name:tpe OffsetBits:3968 SizeBits:832] map[Name:csa_tpe OffsetBits:4800 SizeBits:832] map[Name:ext_capab_len OffsetBits:5632 SizeBits:8] map[Name:ssid_len OffsetBits:5640 SizeBits:8] map[Name:supp_rates_len OffsetBits:5648 SizeBits:8] map[Name:tim_len OffsetBits:5656 SizeBits:8] map[Name:rsn_len OffsetBits:5664 SizeBits:8] map[Name:rsnx_len OffsetBits:5672 SizeBits:8] map[Name:ext_supp_rates_len OffsetBits:5680 SizeBits:8] map[Name:wmm_info_len OffsetBits:5688 SizeBits:8] map[Name:wmm_param_len OffsetBits:5696 SizeBits:8] map[Name:he_cap_len OffsetBits:5704 SizeBits:8] map[Name:mesh_id_len OffsetBits:5712 SizeBits:8] map[Name:peering_len OffsetBits:5720 SizeBits:8] map[Name:preq_len OffsetBits:5728 SizeBits:8] map[Name:prep_len OffsetBits:5736 SizeBits:8] map[Name:perr_len OffsetBits:5744 SizeBits:8] map[Name:country_elem_len OffsetBits:5752 SizeBits:8] map[Name:bssid_index_len OffsetBits:5760 SizeBits:8] map[Name:eht_cap_len OffsetBits:5768 SizeBits:8] map[Name:ml_basic_len OffsetBits:5824 SizeBits:64] map[Name:ml_reconf_len OffsetBits:5888 SizeBits:64] map[Name:ml_epcs_len OffsetBits:5952 SizeBits:64] map[Name:ttlm_num OffsetBits:6016 SizeBits:8] map[Name:prof OffsetBits:6080 SizeBits:64] map[Name:sta_prof_len OffsetBits:6144 SizeBits:64] map[Name:parse_error OffsetBits:6208 SizeBits:8]]]

gemini-3-flash-preview

							input: 57808
							output: 34
							thoughts: 419
						

**Analyzing a Buggy Memory Access**

Okay, so I've got this address offset: 544 bytes, which translates to 4352 bits. I need to figure out where this points within the larger structure. Let's see... Looking at the bit fields, `tpe` starts at 3968 bits, and `csa_tpe` starts at 4800 bits. So, 4352 bits falls right smack dab in the middle of `tpe`.

Alright, `tpe` is the `struct ieee80211_tpe_ie`. Wait a second, need to confirm the size of that structure. Let's see... 832 bits, or 104 bytes. So, 3968 + 832 = 4800, that checks out. So, the buggy access definitely falls within the `tpe` field.

Now, the code that's causing the problem is `input_devices_seq_show`, specifically this line: `seq_printf(seq, "P: Phys=%s\n", dev->phys ? dev->phys : "");`. It's reading a string, which is the key piece of information.

The crux of the issue is that if `dev->phys` is pointing at `ffff888059a15a20`, it's essentially pointing into the `tpe` field of `ieee802_11_elems`. That's bad.

The million-dollar question is: *why* is `dev->phys` pointing into the middle of `tpe`? It's supposed to be a string. Could some piece of code be doing something like: `input_dev->phys = (char *)&elems->tpe;` or, at least, something similar using an offset?

But `tpe` is supposed to be "Transmit Power Envelope". It's not a string! And that's the rub - `string_nocheck` is trying to read this as a string. If this area isn't null-terminated, it's going to keep reading until it finds a null byte, or until it hits a page boundary, or KASAN kicks in.

The main question, the one that's really bugging me, is still: How did `dev->phys` get that value in the first place? What set that pointer to point inside of a struct?

Could there be some confusion between `input_dev` and another object that's being allocated in the same slab cache? `input_dev` is usually quite large. Let me quickly check the size of `struct input_dev` to see if that's a plausible cause.

map[ContextFile:include/linux/input.h Name:input_dev]

map[Fields:[map[Name:name OffsetBits:0 SizeBits:64] map[Name:phys OffsetBits:64 SizeBits:64] map[Name:uniq OffsetBits:128 SizeBits:64] map[Name:id OffsetBits:192 SizeBits:64] map[Name:propbit OffsetBits:256 SizeBits:64] map[Name:evbit OffsetBits:320 SizeBits:64] map[Name:keybit OffsetBits:384 SizeBits:768] map[Name:relbit OffsetBits:1152 SizeBits:64] map[Name:absbit OffsetBits:1216 SizeBits:64] map[Name:mscbit OffsetBits:1280 SizeBits:64] map[Name:ledbit OffsetBits:1344 SizeBits:64] map[Name:sndbit OffsetBits:1408 SizeBits:64] map[Name:ffbit OffsetBits:1472 SizeBits:128] map[Name:swbit OffsetBits:1600 SizeBits:64] map[Name:hint_events_per_packet OffsetBits:1664 SizeBits:32] map[Name:keycodemax OffsetBits:1696 SizeBits:32] map[Name:keycodesize OffsetBits:1728 SizeBits:32] map[Name:keycode OffsetBits:1792 SizeBits:64] map[Name:setkeycode OffsetBits:1856 SizeBits:64] map[Name:getkeycode OffsetBits:1920 SizeBits:64] map[Name:ff OffsetBits:1984 SizeBits:64] map[Name:poller OffsetBits:2048 SizeBits:64] map[Name:repeat_key OffsetBits:2112 SizeBits:32] map[Name:timer OffsetBits:2176 SizeBits:640] map[Name:rep OffsetBits:2816 SizeBits:64] map[Name:mt OffsetBits:2880 SizeBits:64] map[Name:absinfo OffsetBits:2944 SizeBits:64] map[Name:key OffsetBits:3008 SizeBits:768] map[Name:led OffsetBits:3776 SizeBits:64] map[Name:snd OffsetBits:3840 SizeBits:64] map[Name:sw OffsetBits:3904 SizeBits:64] map[Name:open OffsetBits:3968 SizeBits:64] map[Name:close OffsetBits:4032 SizeBits:64] map[Name:flush OffsetBits:4096 SizeBits:64] map[Name:event OffsetBits:4160 SizeBits:64] map[Name:grab OffsetBits:4224 SizeBits:64] map[Name:event_lock OffsetBits:4288 SizeBits:512] map[Name:mutex OffsetBits:4800 SizeBits:1152] map[Name:users OffsetBits:5952 SizeBits:32] map[Name:going_away OffsetBits:5984 SizeBits:8] map[Name:dev OffsetBits:6016 SizeBits:9088] map[Name:h_list OffsetBits:15104 SizeBits:128] map[Name:node OffsetBits:15232 SizeBits:128] map[Name:num_vals OffsetBits:15360 SizeBits:32] map[Name:max_vals OffsetBits:15392 SizeBits:32] map[Name:vals OffsetBits:15424 SizeBits:64] map[Name:devres_managed OffsetBits:15488 SizeBits:8] map[Name:timestamp OffsetBits:15552 SizeBits:192] map[Name:inhibited OffsetBits:15744 SizeBits:8]]]

gemini-3-flash-preview

							input: 59896
							output: 15
							thoughts: 391
						

**Analyzing a Memory Corruption Bug**

Okay, so I'm looking at this crash report, and my initial thought was that the issue was related to `input_dev`. That structure is pretty massive, clocking in around 2KB worth of data. And, the report mentions a cache, `kmalloc-1k`, used by `ieee80211_elems_parse`. However, the crash report is giving me contradicting information. The report states the buggy address doesn't belong to the `kmalloc-1k` cache.

The address in question, `ffff888059a15a20`, is where the crash is happening. The report specifically mentions a read of size 1 at that address. It also points out that `dev->phys` is at an offset of 8 bytes (64 bits) within the `input_dev` structure. So, if I'm reading this correctly, `dev->phys` *itself* must contain the value `ffff888059a15a20`.

The big question now is, how did `dev->phys` end up with that address? What's assigning that value to it? I need to re-examine the `ieee80211_inform_bss` function and its caller, `cfg80211_inform_single_bss_data`. This feels like a classic pointer corruption scenario.

Wait a minute, I think I'm onto something. I recall that some wireless drivers sometimes create input devices for things like RF kill switches or physical buttons. But the setup of input devices is usually done only once. So, what if some code is mistakenly doing something like `input_dev->phys = some_pointer;` where `some_pointer` happens to be pointing into the Information Elements (IEs) of a BSS? Could the input device be unintentionally referencing a part of the BSS data?

I've got to dig deeper. I'll search the `net/mac80211` and `net/wireless` directories for instances of `phys` to see how it's being used. Let's see if this hunch pans out.

map[Expression:phys]

map[Output:
Full output is too long, showing 500 out of 192143 lines.
Use more precise expression if possible.

[.clang-format=71=ForEachMacros:
 --
 .clang-format-398-  - 'for_each_pcm_streams'
 .clang-format:399:  - 'for_each_physmem_range'
 .clang-format-400-  - 'for_each_populated_zone'
 --
 .mailmap=400=John Moon <john@jmoon.dev> <quic_johmoo@quicinc.com>
 .mailmap:401:John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
 .mailmap-402-John Stultz <johnstul@us.ibm.com>
 --
 CREDITS=1515=N: Richard Günther
 CREDITS:1516:E: rguenth@tat.physik.uni-tuebingen.de
 CREDITS:1517:W: http://www.tat.physik.uni-tuebingen.de/~rguenth
 CREDITS-1518-P: 2048/2E829319 2F 83 FC 93 E9 E4 19 E2  93 7A 32 42 45 37 23 57
 --
 CREDITS=1587=N: Bart Hartgers
 CREDITS:1588:E: bart@etpmod.phys.tue.nl
 CREDITS-1589-D: MTRR emulation with Centaur MCRs
 --
 CREDITS=2176=N: Harald Koenig
 CREDITS:2177:E: koenig@tat.physik.uni-tuebingen.de
 CREDITS-2178-D: XFree86 (S3), DCF77, some kernel hacks and fixes
 --
 Documentation/.renames.txt=367=media/uapi/cec/cec-ioc-adap-g-log-addrs userspace-api/media/cec/cec-ioc-adap-g-log-addrs
 Documentation/.renames.txt:368:media/uapi/cec/cec-ioc-adap-g-phys-addr userspace-api/media/cec/cec-ioc-adap-g-phys-addr
 Documentation/.renames.txt-369-media/uapi/cec/cec-ioc-dqevent userspace-api/media/cec/cec-ioc-dqevent
 --
 Documentation/.renames.txt=1120=vm/pagemap admin-guide/mm/pagemap
 Documentation/.renames.txt:1121:vm/physical_memory mm/physical_memory
 Documentation/.renames.txt-1122-vm/process_addrs mm/process_addrs
 --
 Documentation/ABI/obsolete/sysfs-kernel-kexec-kdump=66=Description:	read only
 --
 Documentation/ABI/obsolete/sysfs-kernel-kexec-kdump-68-		the Contiguous Memory Allocator (CMA) area that are allocated
 Documentation/ABI/obsolete/sysfs-kernel-kexec-kdump:69:		to the crash (kdump) kernel. It lists the start and end physical
 Documentation/ABI/obsolete/sysfs-kernel-kexec-kdump-70-		addresses of CMA regions assigned for crashkernel use.
 --
 Documentation/ABI/stable/sysfs-block=4=Description:
 Documentation/ABI/stable/sysfs-block:5:		Storage devices may report a physical block size that is
 Documentation/ABI/stable/sysfs-block-6-		bigger than the logical block size (for instance a drive
 Documentation/ABI/stable/sysfs-block:7:		with 4KB physical sectors exposing 512-byte logical
 Documentation/ABI/stable/sysfs-block-8-		blocks to the operating system).  This parameter
 --
 Documentation/ABI/stable/sysfs-block=191=Description:
 Documentation/ABI/stable/sysfs-block:192:		Storage devices may report a physical block size that is
 Documentation/ABI/stable/sysfs-block-193-		bigger than the logical block size (for instance a drive
 Documentation/ABI/stable/sysfs-block:194:		with 4KB physical sectors exposing 512-byte logical
 Documentation/ABI/stable/sysfs-block-195-		blocks to the operating system).  This parameter
 --
 Documentation/ABI/stable/sysfs-block=323=Description:
 --
 Documentation/ABI/stable/sysfs-block-328-		device. Otherwise the discard_granularity will be set to match
 Documentation/ABI/stable/sysfs-block:329:		the device's physical block size. A discard_granularity of 0
 Documentation/ABI/stable/sysfs-block-330-		means that the device does not support discard functionality.
 --
 Documentation/ABI/stable/sysfs-block=577=Description:
 --
 Documentation/ABI/stable/sysfs-block-580-		perform without incurring a performance penalty.  For disk
 Documentation/ABI/stable/sysfs-block:581:		drives this is often the physical block size.  For RAID arrays
 Documentation/ABI/stable/sysfs-block-582-		it is often the stripe chunk size.  A properly aligned multiple
 --
 Documentation/ABI/stable/sysfs-block=624=Description:
 --
 Documentation/ABI/stable/sysfs-block-633-
 Documentation/ABI/stable/sysfs-block:634:What:		/sys/block/<disk>/queue/physical_block_size
 Documentation/ABI/stable/sysfs-block-635-Date:		May 2009
 --
 Documentation/ABI/stable/sysfs-block=637=Description:
 Documentation/ABI/stable/sysfs-block:638:		[RO] This is the smallest unit a physical storage device can
 Documentation/ABI/stable/sysfs-block-639-		write atomically.  It is usually the same as the logical block
 --
 Documentation/ABI/stable/sysfs-block-642-		operating system.  For stacked block devices the
 Documentation/ABI/stable/sysfs-block:643:		physical_block_size variable contains the maximum
 Documentation/ABI/stable/sysfs-block:644:		physical_block_size of the component devices.
 Documentation/ABI/stable/sysfs-block-645-
 --
 Documentation/ABI/stable/sysfs-block=778=Description:
 --
 Documentation/ABI/stable/sysfs-block-780-		in a specified block range without incurring the cost of
 Documentation/ABI/stable/sysfs-block:781:		physically writing zeroes to the media for each individual
 Documentation/ABI/stable/sysfs-block-782-		block. If this parameter is set to write_zeroes_max_bytes, the
 --
 Documentation/ABI/stable/sysfs-block-786-		zeroed data. This operation is a best-effort optimization, a
 Documentation/ABI/stable/sysfs-block:787:		device may fall back to physically writing zeroes to the media
 Documentation/ABI/stable/sysfs-block-788-		due to other factors such as misalignment or being asked to
 --
 Documentation/ABI/stable/sysfs-block=798=Description:
 --
 Documentation/ABI/stable/sysfs-block-801-		unmap write zeroes operation is a best-effort optimization, some
 Documentation/ABI/stable/sysfs-block:802:		devices may still physically writing zeroes to media. So the
 Documentation/ABI/stable/sysfs-block-803-		speed of this operation is not guaranteed. Writing a value of
 --
 Documentation/ABI/stable/sysfs-bus-w1=4=Description:	Bus scanning interval, microseconds component.
 Documentation/ABI/stable/sysfs-bus-w1:5:		Some of 1-Wire devices commonly associated with physical access
 Documentation/ABI/stable/sysfs-bus-w1-6-		control systems are attached/generate presence for as short as
 --
 Documentation/ABI/stable/sysfs-bus-xen-backend=13=Description:
 --
 Documentation/ABI/stable/sysfs-bus-xen-backend-16-
 Documentation/ABI/stable/sysfs-bus-xen-backend:17:What:		/sys/bus/xen-backend/devices/vbd-*/physical_device
 Documentation/ABI/stable/sysfs-bus-xen-backend-18-Date:		April 2011
 --
 Documentation/ABI/stable/sysfs-bus-xen-backend=21=Description:
 Documentation/ABI/stable/sysfs-bus-xen-backend-22-                The major:minor number (in hexadecimal) of the
 Documentation/ABI/stable/sysfs-bus-xen-backend:23:                physical device providing the storage for this backend
 Documentation/ABI/stable/sysfs-bus-xen-backend-24-                block device.
 --
 Documentation/ABI/stable/sysfs-class-infiniband=44=What:		/sys/class/infiniband/<device>/ports/<port-num>/state
 Documentation/ABI/stable/sysfs-class-infiniband:45:What:		/sys/class/infiniband/<device>/ports/<port-num>/phys_state
 Documentation/ABI/stable/sysfs-class-infiniband-46-What:		/sys/class/infiniband/<device>/ports/<port-num>/cap_mask
 --
 Documentation/ABI/stable/sysfs-class-infiniband=50=Description:
 --
 Documentation/ABI/stable/sysfs-class-infiniband-66-
 Documentation/ABI/stable/sysfs-class-infiniband:67:		phys_state:	(RO) Port physical state (Sleep, Polling,
 Documentation/ABI/stable/sysfs-class-infiniband-68-				LinkUp, etc)
 --
 Documentation/ABI/stable/sysfs-class-infiniband=86=What:		/sys/class/infiniband/<device>/ports/<port-num>/counters/port_rcv_errors
 Documentation/ABI/stable/sysfs-class-infiniband:87:What:		/sys/class/infiniband/<device>/ports/<port-num>/counters/port_rcv_remote_physical_errors
 Documentation/ABI/stable/sysfs-class-infiniband-88-What:		/sys/class/infiniband/<device>/ports/<port-num>/counters/port_rcv_switch_relay_errors
 --
 Documentation/ABI/stable/sysfs-class-infiniband=109=Description:
 --
 Documentation/ABI/stable/sysfs-class-infiniband-112-		symbol_error: (RO) Total number of minor link errors detected on
 Documentation/ABI/stable/sysfs-class-infiniband:113:		one or more physical lanes.
 Documentation/ABI/stable/sysfs-class-infiniband-114-
 --
 Documentation/ABI/stable/sysfs-class-infiniband-117-
 Documentation/ABI/stable/sysfs-class-infiniband:118:		port_rcv_remote_physical_errors : (RO) Total number of packets
 Documentation/ABI/stable/sysfs-class-infiniband-119-		marked with the EBP delimiter received on the port.
 --
 Documentation/ABI/stable/sysfs-class-infiniband-129-		port_xmit_constraint_errors: (RO) Total number of packets not
 Documentation/ABI/stable/sysfs-class-infiniband:130:		transmitted from the switch physical port due to outbound raw
 Documentation/ABI/stable/sysfs-class-infiniband-131-		filtering or failing outbound partition or IP version check.
 --
 Documentation/ABI/stable/sysfs-class-infiniband-133-		port_rcv_constraint_errors: (RO) Total number of packets
 Documentation/ABI/stable/sysfs-class-infiniband:134:		received on the switch physical port that are discarded due to
 Documentation/ABI/stable/sysfs-class-infiniband-135-		inbound raw filtering or failing inbound partition or IP version
 --
 Documentation/ABI/stable/sysfs-class-infiniband-138-		local_link_integrity_errors: (RO) The number of times that the
 Documentation/ABI/stable/sysfs-class-infiniband:139:		count of local physical errors exceeded the threshold specified
 Documentation/ABI/stable/sysfs-class-infiniband-140-		by LocalPhyErrors
 --
 Documentation/ABI/stable/sysfs-class-infiniband=335=Description:
 --
 Documentation/ABI/stable/sysfs-class-infiniband-349-		======================= ==========================================
 Documentation/ABI/stable/sysfs-class-infiniband:350:		gids/<n>:		(RO) The physical port gids n = 0..127
 Documentation/ABI/stable/sysfs-class-infiniband-351-
 --
 Documentation/ABI/stable/sysfs-class-infiniband-355-
 Documentation/ABI/stable/sysfs-class-infiniband:356:		pkeys/<n>:		(RO) Displays the contents of the physical
 Documentation/ABI/stable/sysfs-class-infiniband-357-					key table n = 0..126
 --
 Documentation/ABI/stable/sysfs-class-infiniband-367-					directories, the admin may map the index
 Documentation/ABI/stable/sysfs-class-infiniband:368:					numbers in the physical tables (as under
 Documentation/ABI/stable/sysfs-class-infiniband-369-					iov/ports) to the paravirtualized index
 --
 Documentation/ABI/stable/sysfs-class-infiniband-372-					For example, if the administrator, for
 Documentation/ABI/stable/sysfs-class-infiniband:373:					port 1 on guest 2 maps physical pkey
 Documentation/ABI/stable/sysfs-class-infiniband-374-					index 10 to virtual index 1, then that
 --
 Documentation/ABI/stable/sysfs-class-infiniband=699=Description:
 --
 Documentation/ABI/stable/sysfs-class-infiniband-713-		sdma engine, which is "near" in terms of NUMA configuration, or
 Documentation/ABI/stable/sysfs-class-infiniband:714:		physical cpu location, the user will do::
 Documentation/ABI/stable/sysfs-class-infiniband-715-
 --
 Documentation/ABI/stable/sysfs-class-ubi=46=Description:
 Documentation/ABI/stable/sysfs-class-ubi:47:		Count of bad physical eraseblocks on the underlying MTD device.
 Documentation/ABI/stable/sysfs-class-ubi-48-
 --
 Documentation/ABI/stable/sysfs-class-ubi=78=Description:
 Documentation/ABI/stable/sysfs-class-ubi:79:		Maximum physical eraseblock erase counter value.
 Documentation/ABI/stable/sysfs-class-ubi-80-
 --
 Documentation/ABI/stable/sysfs-class-ubi=107=Description:
 Documentation/ABI/stable/sysfs-class-ubi:108:		Number of physical eraseblocks reserved for bad block handling.
 Documentation/ABI/stable/sysfs-class-ubi-109-
 --
 Documentation/ABI/stable/sysfs-class-ubi=123=Description:
 Documentation/ABI/stable/sysfs-class-ubi:124:		Total number of good (not marked as bad) physical eraseblocks on
 Documentation/ABI/stable/sysfs-class-ubi-125-		the underlying MTD device.
 --
 Documentation/ABI/stable/sysfs-class-ubi=190=Description:
 Documentation/ABI/stable/sysfs-class-ubi:191:		Count of physical eraseblock reserved for this volume.
 Documentation/ABI/stable/sysfs-class-ubi-192-		Equivalent to the volume size in logical eraseblocks.
 --
 Documentation/ABI/stable/sysfs-devices-node=189=Description:
 Documentation/ABI/stable/sysfs-devices-node:190:		The total amount of SGX physical memory in bytes.
 Documentation/ABI/stable/sysfs-devices-node-191-
 --
 Documentation/ABI/stable/sysfs-devices-system-cpu=68=What:           /sys/devices/system/cpu/cpuX/topology/package_cpus
 Documentation/ABI/stable/sysfs-devices-system-cpu:69:Description:    internal kernel map of the CPUs sharing the same physical_package_id.
 Documentation/ABI/stable/sysfs-devices-system-cpu-70-                (deprecated name: "core_siblings").
 --
 Documentation/ABI/stable/sysfs-devices-system-cpu=73=What:           /sys/devices/system/cpu/cpuX/topology/package_cpus_list
 Documentation/ABI/stable/sysfs-devices-system-cpu:74:Description:    human-readable list of CPUs sharing the same physical_package_id.
 Documentation/ABI/stable/sysfs-devices-system-cpu-75-                The format is like 0-3, 8-11, 14,17.
 --
 Documentation/ABI/stable/sysfs-driver-mlxreg-io=233=Description:	The files represent BIOS statuses:
 --
 Documentation/ABI/stable/sysfs-driver-mlxreg-io-245-		reason not because authentication. For example due to
 Documentation/ABI/stable/sysfs-driver-mlxreg-io:246:		physical SPI flash problem.
 Documentation/ABI/stable/sysfs-driver-mlxreg-io-247-
 --
 Documentation/ABI/testing/configfs-most=15=Description:
 --
 Documentation/ABI/testing/configfs-most-60-				configuration, the creation is post-poned until
 Documentation/ABI/testing/configfs-most:61:				a physical device is being attached to the bus.
 Documentation/ABI/testing/configfs-most-62-
 --
 Documentation/ABI/testing/configfs-most=70=Description:
 --
 Documentation/ABI/testing/configfs-most-115-				configuration, the creation is post-poned until
 Documentation/ABI/testing/configfs-most:116:				a physical device is being attached to the bus.
 Documentation/ABI/testing/configfs-most-117-
 --
 Documentation/ABI/testing/configfs-most=125=Description:
 --
 Documentation/ABI/testing/configfs-most-170-				configuration, the creation is post-poned until
 Documentation/ABI/testing/configfs-most:171:				a physical device is being attached to the bus.
 Documentation/ABI/testing/configfs-most-172-
 --
 Documentation/ABI/testing/configfs-most=191=Description:
 --
 Documentation/ABI/testing/configfs-most-236-				configuration, the creation is post-poned until
 Documentation/ABI/testing/configfs-most:237:				a physical device is being attached to the bus.
 Documentation/ABI/testing/configfs-most-238-
 --
 Documentation/ABI/testing/debugfs-driver-habanalabs=215=Contact:        ogabbay@kernel.org
 Documentation/ABI/testing/debugfs-driver-habanalabs:216:Description:    Displays the hop values and physical address for a given ASID
 Documentation/ABI/testing/debugfs-driver-habanalabs-217-                and virtual address. The user should write the ASID and VA into
 --
 Documentation/ABI/testing/sysfs-bus-coreboot=23=Description:
 Documentation/ABI/testing/sysfs-bus-coreboot:24:		This is the physical memory address that the CBMEM entry's data
 Documentation/ABI/testing/sysfs-bus-coreboot-25-		begins at, in hexadecimal (e.g., ``0x76ffe000``).
 --
 Documentation/ABI/testing/sysfs-bus-coreboot=37=Description:
 --
 Documentation/ABI/testing/sysfs-bus-coreboot-44-		requires root privileges given this is exposing a small subset
 Documentation/ABI/testing/sysfs-bus-coreboot:45:		of physical memory.
 --
 Documentation/ABI/testing/sysfs-bus-cxl=265=Description:
 Documentation/ABI/testing/sysfs-bus-cxl-266-		(RO) The 'start' and 'size' attributes together convey the
 Documentation/ABI/testing/sysfs-bus-cxl:267:		physical address base and number of bytes mapped in the
 Documentation/ABI/testing/sysfs-bus-cxl-268-		decoder's decode window. For decoders of devtype
 --
 Documentation/ABI/testing/sysfs-bus-cxl=340=Description:
 Documentation/ABI/testing/sysfs-bus-cxl-341-		(RW) When a CXL decoder is of devtype "cxl_decoder_endpoint" it
 Documentation/ABI/testing/sysfs-bus-cxl:342:		translates from a host physical address range, to a device
 Documentation/ABI/testing/sysfs-bus-cxl-343-		local address range. Device-local address ranges are further
 --
 Documentation/ABI/testing/sysfs-bus-cxl=359=Description:
 --
 Documentation/ABI/testing/sysfs-bus-cxl-361-		and its 'dpa_size' attribute is non-zero, this attribute
 Documentation/ABI/testing/sysfs-bus-cxl:362:		indicates the device physical address (DPA) base address of the
 Documentation/ABI/testing/sysfs-bus-cxl-363-		allocation.
 --
 Documentation/ABI/testing/sysfs-bus-cxl=370=Description:
 Documentation/ABI/testing/sysfs-bus-cxl-371-		(RW) When a CXL decoder is of devtype "cxl_decoder_endpoint" it
 Documentation/ABI/testing/sysfs-bus-cxl:372:		translates from a host physical address range, to a device local
 Documentation/ABI/testing/sysfs-bus-cxl-373-		address range. The range, base address plus length in bytes, of
 --
 Documentation/ABI/testing/sysfs-bus-cxl=390=Description:
 Documentation/ABI/testing/sysfs-bus-cxl-391-		(RO) The number of targets across which this decoder's host
 Documentation/ABI/testing/sysfs-bus-cxl:392:		physical address (HPA) memory range is interleaved. The device
 Documentation/ABI/testing/sysfs-bus-cxl-393-		maps every Nth block of HPA (of size ==
 --
 Documentation/ABI/testing/sysfs-bus-cxl=405=Description:
 Documentation/ABI/testing/sysfs-bus-cxl:406:		(RO) The number of consecutive bytes of host physical address
 Documentation/ABI/testing/sysfs-bus-cxl-407-		space this decoder claims at address N before the decode rotates
 --
 Documentation/ABI/testing/sysfs-bus-cxl=489=Description:
 Documentation/ABI/testing/sysfs-bus-cxl:490:		(RW) System physical address space to be consumed by the region.
 Documentation/ABI/testing/sysfs-bus-cxl-491-		When written trigger the driver to allocate space out of the
 --
 Documentation/ABI/testing/sysfs-bus-cxl=526=Description:
 --
 Documentation/ABI/testing/sysfs-bus-cxl-528-		address space. Region capacity is allocated by writing to the
 Documentation/ABI/testing/sysfs-bus-cxl:529:		size attribute, the resulting physical address space determined
 Documentation/ABI/testing/sysfs-bus-cxl-530-		by the driver is reflected here. It is therefore not useful to
 --
 Documentation/ABI/testing/sysfs-bus-dax=5=Description:
 Documentation/ABI/testing/sysfs-bus-dax-6-		(RW) Provides a way to specify an alignment for a dax device.
 Documentation/ABI/testing/sysfs-bus-dax:7:		Values allowed are constrained by the physical address ranges
 Documentation/ABI/testing/sysfs-bus-dax-8-		that back the dax device, and also by arch requirements.
 --
 Documentation/ABI/testing/sysfs-bus-dax=24=Description:
 --
 Documentation/ABI/testing/sysfs-bus-dax-27-		'mappingX' subdirectories. The 'start' attribute indicates the
 Documentation/ABI/testing/sysfs-bus-dax:28:		start physical address for the given range. The 'end' attribute
 Documentation/ABI/testing/sysfs-bus-dax:29:		indicates the end physical address for the given range. The
 Documentation/ABI/testing/sysfs-bus-dax-30-		'page_offset' attribute indicates the offset of the current
 --
 Documentation/ABI/testing/sysfs-bus-dax=37=Description:
 Documentation/ABI/testing/sysfs-bus-dax:38:		(RO) The resource attribute indicates the starting physical
 Documentation/ABI/testing/sysfs-bus-dax-39-		address of a dax device. In case of a device with multiple
 --
 Documentation/ABI/testing/sysfs-bus-event_source-devices-hv_gpci=4=Description:    Read-only. Attribute group to describe the magic bits
 --
 Documentation/ABI/testing/sysfs-bus-event_source-devices-hv_gpci-18-				offset = "config:32-63"
 Documentation/ABI/testing/sysfs-bus-event_source-devices-hv_gpci:19:				phys_processor_idx = "config:32-63"
 Documentation/ABI/testing/sysfs-bus-event_source-devices-hv_gpci-20-				secondary_index = "config:0-15"
 --
 Documentation/ABI/testing/sysfs-bus-event_source-devices-hv_gpci-25-		  processor_core_utilization_instructions_completed = "request=0x94,
 Documentation/ABI/testing/sysfs-bus-event_source-devices-hv_gpci:26:					phys_processor_idx=?,counter_info_version=0x8,
 Documentation/ABI/testing/sysfs-bus-event_source-devices-hv_gpci-27-					length=8,offset=0x18"
 Documentation/ABI/testing/sysfs-bus-event_source-devices-hv_gpci-28-
 Documentation/ABI/testing/sysfs-bus-event_source-devices-hv_gpci:29:		In this event, '?' after phys_processor_idx specifies this value
 Documentation/ABI/testing/sysfs-bus-event_source-devices-hv_gpci-30-		this value will be provided by user while running this event.
 --
 Documentation/ABI/testing/sysfs-bus-event_source-devices-hv_gpci=35=Description:
 Documentation/ABI/testing/sysfs-bus-event_source-devices-hv_gpci-36-		'0' if the hypervisor is configured to forbid access to event
 Documentation/ABI/testing/sysfs-bus-event_source-devices-hv_gpci:37:		counters being accumulated by other guests and to physical
 Documentation/ABI/testing/sysfs-bus-event_source-devices-hv_gpci-38-		domain event counters.
 --
 Documentation/ABI/testing/sysfs-bus-i3c=94=Description:
 --
 Documentation/ABI/testing/sysfs-bus-i3c-99-		Target is mounted on the same I3C bus and remains depowered
 Documentation/ABI/testing/sysfs-bus-i3c:100:		until needed or until the Target is physically inserted into the
 Documentation/ABI/testing/sysfs-bus-i3c-101-		I3C bus
 --
 Documentation/ABI/testing/sysfs-bus-iio=32=Description:
 Documentation/ABI/testing/sysfs-bus-iio:33:		Description of the physical chip / device for device X.
 Documentation/ABI/testing/sysfs-bus-iio-34-		Typically a part number.
 --
 Documentation/ABI/testing/sysfs-bus-iio=162=Description:
 --
 Documentation/ABI/testing/sysfs-bus-iio-164-		channel Y - channel Z where these channel numbers apply to the
 Documentation/ABI/testing/sysfs-bus-iio:165:		physically equivalent inputs when non differential readings are
 Documentation/ABI/testing/sysfs-bus-iio-166-		separately available. In differential only parts, then all that
 --
 Documentation/ABI/testing/sysfs-bus-iio=207=Description:
 --
 Documentation/ABI/testing/sysfs-bus-iio-209-		channel Y - channel Z where these channel numbers apply to the
 Documentation/ABI/testing/sysfs-bus-iio:210:		physically equivalent inputs when non differential readings are
 Documentation/ABI/testing/sysfs-bus-iio-211-		separately available. In differential only parts, then all that
 --
 Documentation/ABI/testing/sysfs-bus-iio=547=Description:
 --
 Documentation/ABI/testing/sysfs-bus-iio-549-		inaccuracies).
 Documentation/ABI/testing/sysfs-bus-iio:550:		icm42600: For this device values are real physical offsets
 Documentation/ABI/testing/sysfs-bus-iio-551-		expressed in SI units (m/s^2 for accelerometers and rad/s
 --
 Documentation/ABI/testing/sysfs-bus-iio=1987=Description:
 --
 Documentation/ABI/testing/sysfs-bus-iio-1992-		Main hardware placement is defined according to the local
 Documentation/ABI/testing/sysfs-bus-iio:1993:		reference frame related to the physical quantity the sensor
 Documentation/ABI/testing/sysfs-bus-iio-1994-		measures.
 --
 Documentation/ABI/testing/sysfs-bus-iio-sx9310=5=Description:
 --
 Documentation/ABI/testing/sysfs-bus-iio-sx9310-9-		combining measurements taken from a given set of
 Documentation/ABI/testing/sysfs-bus-iio-sx9310:10:		physical sensors.
 --
 Documentation/ABI/testing/sysfs-bus-most=5=Description:
 Documentation/ABI/testing/sysfs-bus-most:6:		Provides information about the physical location of the
 Documentation/ABI/testing/sysfs-bus-most-7-		device. Hardware attached via USB, for instance,
 --
 Documentation/ABI/testing/sysfs-bus-nfit=35=Description:
 --
 Documentation/ABI/testing/sysfs-bus-nfit-38-
 Documentation/ABI/testing/sysfs-bus-nfit:39:What:		/sys/bus/nd/devices/nmemX/nfit/phys_id
 Documentation/ABI/testing/sysfs-bus-nfit-40-Date:		Apr, 2015
 --
 Documentation/ABI/testing/sysfs-bus-nfit=72=Description:
 Documentation/ABI/testing/sysfs-bus-nfit-73-		(RO) The interface codes indicate support for persistent memory
 Documentation/ABI/testing/sysfs-bus-nfit:74:		mapped directly into system physical address space and / or a
 Documentation/ABI/testing/sysfs-bus-nfit-75-		block aperture access mechanism to the NVDIMM media.
 --
 Documentation/ABI/testing/sysfs-bus-pci=201=Description:
 --
 Documentation/ABI/testing/sysfs-bus-pci-207-
 Documentation/ABI/testing/sysfs-bus-pci:208:What:		/sys/bus/pci/devices/.../physfn
 Documentation/ABI/testing/sysfs-bus-pci-209-Date:		March 2009
 --
 Documentation/ABI/testing/sysfs-bus-pci=303=Description:
 Documentation/ABI/testing/sysfs-bus-pci:304:		This file appears when a physical PCIe device supports SR-IOV.
 Documentation/ABI/testing/sysfs-bus-pci-305-		Userspace applications can read this file to determine the
 Documentation/ABI/testing/sysfs-bus-pci:306:		maximum number of Virtual Functions (VFs) a PCIe physical
 Documentation/ABI/testing/sysfs-bus-pci-307-		function (PF) can support. Typically, this is the value reported
 --
 Documentation/ABI/testing/sysfs-bus-pci=316=Description:
 Documentation/ABI/testing/sysfs-bus-pci:317:		This file appears when a physical PCIe device supports SR-IOV.
 Documentation/ABI/testing/sysfs-bus-pci-318-		Userspace applications can read and write to this file to
 Documentation/ABI/testing/sysfs-bus-pci-319-		determine and control the enablement or disablement of Virtual
 Documentation/ABI/testing/sysfs-bus-pci:320:		Functions (VFs) on the physical function (PF). A read of this
 Documentation/ABI/testing/sysfs-bus-pci-321-		file will return the number of VFs that are enabled on this PF.
 --
 Documentation/ABI/testing/sysfs-bus-pci=456=Description:
 Documentation/ABI/testing/sysfs-bus-pci:457:		This file is associated with a SR-IOV physical function (PF).
 Documentation/ABI/testing/sysfs-bus-pci-458-		It contains the total number of MSI-X vectors available for
 --
 Documentation/ABI/testing/sysfs-bus-pci=627=Description:
 Documentation/ABI/testing/sysfs-bus-pci:628:		This directory only appears if a physical device function
 Documentation/ABI/testing/sysfs-bus-pci-629-		supports authentication (PCIe CMA-SPDM), interface security
 --
 Documentation/ABI/testing/sysfs-bus-pci=660=Description:	(RO) Return PCI device name of this device's DSM (Device
 --
 Documentation/ABI/testing/sysfs-bus-pci-663-		a secure-session connection with a device's DSM. A DSM is always
 Documentation/ABI/testing/sysfs-bus-pci:664:		physical function 0 and when the device supports TDISP (TEE
 Documentation/ABI/testing/sysfs-bus-pci-665-		Device Interface Security Protocol) its managed functions also
 --
 Documentation/ABI/testing/sysfs-bus-pci-668-		non-zero functions of a multi-function device, or downstream
 Documentation/ABI/testing/sysfs-bus-pci:669:		endpoints depending on whether the DSM is an SR-IOV physical
 Documentation/ABI/testing/sysfs-bus-pci-670-		function, function0 of a multi-function device, or an upstream
 --
 Documentation/ABI/testing/sysfs-bus-soundwire-slave=10=Description:	SoundWire Slave status
 --
 Documentation/ABI/testing/sysfs-bus-soundwire-slave-15-		detect devices exposed by platform firmware but not
 Documentation/ABI/testing/sysfs-bus-soundwire-slave:16:		physically present on the bus, and conversely devices
 Documentation/ABI/testing/sysfs-bus-soundwire-slave-17-		not exposed in platform firmware but enumerated.
 --
 Documentation/ABI/testing/sysfs-bus-usb=171=Description:
 Documentation/ABI/testing/sysfs-bus-usb:172:		Some platforms provide usb port physical location through
 Documentation/ABI/testing/sysfs-bus-usb-173-		firmware. This is used by the kernel to pair up logical ports
 Documentation/ABI/testing/sysfs-bus-usb:174:		mapping to the same physical connector. The attribute exposes the
 Documentation/ABI/testing/sysfs-bus-usb-175-		raw location value as a hex integer.
 --
 Documentation/ABI/testing/sysfs-class-mtd=13=Description:
 --
 Documentation/ABI/testing/sysfs-class-mtd-15-		to each /dev/mtdX character device.  These may represent
 Documentation/ABI/testing/sysfs-class-mtd:16:		physical/simulated flash devices, partitions on a flash
 Documentation/ABI/testing/sysfs-class-mtd-17-		device, or concatenated flash devices.
 --
 Documentation/ABI/testing/sysfs-class-net=83=Description:
 Documentation/ABI/testing/sysfs-class-net:84:		Indicates the current physical link state of the interface.
 Documentation/ABI/testing/sysfs-class-net-85-		Possible values are:
 --
 Documentation/ABI/testing/sysfs-class-net-87-		== =====================
 Documentation/ABI/testing/sysfs-class-net:88:		0  physical link is down
 Documentation/ABI/testing/sysfs-class-net:89:		1  physical link is up
 Documentation/ABI/testing/sysfs-class-net-90-		== =====================
 --
 Documentation/ABI/testing/sysfs-class-net=248=Description:
 --
 Documentation/ABI/testing/sysfs-class-net-255-
 Documentation/ABI/testing/sysfs-class-net:256:What:		/sys/class/net/<iface>/phys_port_id
 Documentation/ABI/testing/sysfs-class-net-257-Date:		July 2013
 --
 Documentation/ABI/testing/sysfs-class-net=260=Description:
 Documentation/ABI/testing/sysfs-class-net:261:		Indicates the interface unique physical port identifier within
 Documentation/ABI/testing/sysfs-class-net-262-		the NIC, as a string.
 Documentation/ABI/testing/sysfs-class-net-263-
 Documentation/ABI/testing/sysfs-class-net:264:What:		/sys/class/net/<iface>/phys_port_name
 Documentation/ABI/testing/sysfs-class-net-265-Date:		March 2015
 --
 Documentation/ABI/testing/sysfs-class-net=268=Description:
 Documentation/ABI/testing/sysfs-class-net:269:		Indicates the interface physical port name within the NIC,
 Documentation/ABI/testing/sysfs-class-net-270-		as a string.
 --
 Documentation/ABI/testing/sysfs-class-net=297=Description:
 --
 Documentation/ABI/testing/sysfs-class-net-300-
 Documentation/ABI/testing/sysfs-class-net:301:What:		/sys/class/net/<iface>/phys_switch_id
 Documentation/ABI/testing/sysfs-class-net-302-Date:		November 2014
 --
 Documentation/ABI/testing/sysfs-class-net=305=Description:
 Documentation/ABI/testing/sysfs-class-net:306:		Indicates the unique physical switch identifier of a switch this
 Documentation/ABI/testing/sysfs-class-net-307-		port belongs to, as a string.
 --
 Documentation/ABI/testing/sysfs-class-net-grcan=6=Description:
 Documentation/ABI/testing/sysfs-class-net-grcan:7:		Hardware configuration of physical interface 0. This file reads
 Documentation/ABI/testing/sysfs-class-net-grcan-8-		and writes the "Enable 0" bit of the configuration register.
 --
 Documentation/ABI/testing/sysfs-class-net-grcan=18=Description:
 Documentation/ABI/testing/sysfs-class-net-grcan:19:		Hardware configuration of physical interface 1. This file reads
 Documentation/ABI/testing/sysfs-class-net-grcan-20-		and writes the "Enable 1" bit of the configuration register.
 --
 Documentation/ABI/testing/sysfs-class-net-grcan=30=Description:
 Documentation/ABI/testing/sysfs-class-net-grcan:31:		Configuration of which physical interface to be used. Possible
 Documentation/ABI/testing/sysfs-class-net-grcan-32-		values: 0 or 1. See the GRCAN chapter of the GRLIB IP core
 --
 Documentation/ABI/testing/sysfs-class-net-statistics=150=Description:
 Documentation/ABI/testing/sysfs-class-net-statistics-151-		Indicates the number of packets that could not be transmitted
 Documentation/ABI/testing/sysfs-class-net-statistics:152:		because of carrier errors (e.g: physical link down). See the
 Documentation/ABI/testing/sysfs-class-net-statistics-153-		network driver for the exact meaning of this value.
 --
 Documentation/ABI/testing/sysfs-class-scsi_host=18=Description:	This file contains the current status of the "SSD Smart Path"
 --
 Documentation/ABI/testing/sysfs-class-scsi_host-20-		driver.  SSD Smart Path, when enabled permits the driver to
 Documentation/ABI/testing/sysfs-class-scsi_host:21:		send i/o requests directly to physical devices that are part
 Documentation/ABI/testing/sysfs-class-scsi_host-22-		of a logical drive, bypassing the controllers firmware RAID
 --
 Documentation/ABI/testing/sysfs-class-scsi_host-24-		'1' indicates the feature is enabled, and the controller may
 Documentation/ABI/testing/sysfs-class-scsi_host:25:		use the direct i/o path to physical devices.  A value of zero
 Documentation/ABI/testing/sysfs-class-scsi_host-26-		means the feature is disabled and the controller may not use
 Documentation/ABI/testing/sysfs-class-scsi_host:27:		the direct i/o path to physical devices.  This setting is
 Documentation/ABI/testing/sysfs-class-scsi_host-28-		controller wide, affecting all configured logical drives on the
 --
 Documentation/ABI/testing/sysfs-devices-edac=116=Description:	This control file allows this DIMM to have a label assigned
 --
 Documentation/ABI/testing/sysfs-devices-edac-121-		DIMM Labels must be assigned after booting, with information
 Documentation/ABI/testing/sysfs-devices-edac:122:		that correctly identifies the physical slot with its
 Documentation/ABI/testing/sysfs-devices-edac-123-		silk screen label. This information is currently very
 --
 Documentation/ABI/testing/sysfs-devices-memory=20=Users:		hotplug memory remove tools
 --
 Documentation/ABI/testing/sysfs-devices-memory-23-
 Documentation/ABI/testing/sysfs-devices-memory:24:What:		/sys/devices/system/memory/memoryX/phys_device
]
]

gemini-3-flash-preview

							input: 71501
							output: 19
							thoughts: 33
						

Okay, here's my interpretation of that thought process, tailored for an expert audience:

**Kernel Exploration for Wireless Device Drivers**

Right, let's get down to brass tacks. I'm thinking I need to delve into the kernel code directly to understand this properly. The first thing I'll do is zero in on the relevant areas. My instinct tells me that `net/mac80211` and `net/wireless` are the prime suspects, given their roles in the 802.11 stack. I'll use `input_dev` and `phys` as initial keywords for a targeted search. I'm expecting `input_dev` to lead me to the lower-level interaction with hardware, possibly interrupt handling or raw data acquisition, and `phys` to help me trace where physical interface or hardware addresses are handled. I'm betting that this approach will help me quickly cut through the noise and get to the heart of how this system is managing these devices. I'm interested in how these data structures are connected to the actual driver structure. I'll start with the search and see where the breadcrumbs lead.

map[Expression:input_dev.*phys]

map[Output:
Full output is too long, showing 500 out of 821 lines.
Use more precise expression if possible.

[drivers/hid/hid-input.c=2023=static struct hid_input *hidinput_allocate(struct hid_device *hid,
 --
 drivers/hid/hid-input.c-2101-	input_dev->name = hidinput->name ? hidinput->name : hid->name;
 drivers/hid/hid-input.c:2102:	input_dev->phys = hid->phys;
 drivers/hid/hid-input.c-2103-	input_dev->uniq = hid->uniq;
 --
 drivers/hid/hid-logitech-hidpp.c=4147=static struct input_dev *hidpp_allocate_input(struct hid_device *hdev)
 --
 drivers/hid/hid-logitech-hidpp.c-4159-	input_dev->name = hidpp->name;
 drivers/hid/hid-logitech-hidpp.c:4160:	input_dev->phys = hdev->phys;
 drivers/hid/hid-logitech-hidpp.c-4161-	input_dev->uniq = hdev->uniq;
 --
 drivers/hid/hid-udraw-ps3.c=278=static struct input_dev *allocate_and_setup(struct hid_device *hdev,
 --
 drivers/hid/hid-udraw-ps3.c-287-	input_dev->name = name;
 drivers/hid/hid-udraw-ps3.c:288:	input_dev->phys = hdev->phys;
 drivers/hid/hid-udraw-ps3.c-289-	input_dev->dev.parent = &hdev->dev;
 --
 drivers/hid/usbhid/usbkbd.c=261=static int usb_kbd_probe(struct usb_interface *iface,
 --
 drivers/hid/usbhid/usbkbd.c-314-	input_dev->name = kbd->name;
 drivers/hid/usbhid/usbkbd.c:315:	input_dev->phys = kbd->phys;
 drivers/hid/usbhid/usbkbd.c-316-	usb_to_input_id(dev, &input_dev->id);
 --
 drivers/hid/usbhid/usbmouse.c=106=static int usb_mouse_probe(struct usb_interface *intf, const struct usb_device_id *id)
 --
 drivers/hid/usbhid/usbmouse.c-162-	input_dev->name = mouse->name;
 drivers/hid/usbhid/usbmouse.c:163:	input_dev->phys = mouse->phys;
 drivers/hid/usbhid/usbmouse.c-164-	usb_to_input_id(dev, &input_dev->id);
 --
 drivers/hid/wacom_sys.c=2079=static struct input_dev *wacom_allocate_input(struct wacom *wacom)
 --
 drivers/hid/wacom_sys.c-2089-	input_dev->name = wacom_wac->features.name;
 drivers/hid/wacom_sys.c:2090:	input_dev->phys = hdev->phys;
 drivers/hid/wacom_sys.c-2091-	input_dev->dev.parent = &hdev->dev;
 --
 drivers/input/joystick/a3d.c=243=static int a3d_connect(struct gameport *gameport, struct gameport_driver *drv)
 --
 drivers/input/joystick/a3d.c-289-	input_dev->name = a3d_names[a3d->mode];
 drivers/input/joystick/a3d.c:290:	input_dev->phys = a3d->phys;
 drivers/input/joystick/a3d.c-291-	input_dev->id.bustype = BUS_GAMEPORT;
 --
 drivers/input/joystick/adafruit-seesaw.c=223=static int seesaw_probe(struct i2c_client *client)
 --
 drivers/input/joystick/adafruit-seesaw.c-268-	seesaw->input_dev->name = "Adafruit Seesaw Gamepad";
 drivers/input/joystick/adafruit-seesaw.c:269:	seesaw->input_dev->phys = "i2c/" SEESAW_DEVICE_NAME;
 drivers/input/joystick/adafruit-seesaw.c-270-	seesaw->input_dev->open = seesaw_open;
 --
 drivers/input/joystick/adi.c=382=static int adi_init_input(struct adi *adi, struct adi_port *port, int half)
 --
 drivers/input/joystick/adi.c-401-	input_dev->name = adi->name;
 drivers/input/joystick/adi.c:402:	input_dev->phys = adi->phys;
 drivers/input/joystick/adi.c-403-	input_dev->id.bustype = BUS_GAMEPORT;
 --
 drivers/input/joystick/analog.c=363=static int analog_init_device(struct analog_port *port, struct analog *analog, int index)
 --
 drivers/input/joystick/analog.c-378-	input_dev->name = analog->name;
 drivers/input/joystick/analog.c:379:	input_dev->phys = analog->phys;
 drivers/input/joystick/analog.c-380-	input_dev->id.bustype = BUS_GAMEPORT;
 --
 drivers/input/joystick/cobra.c=136=static int cobra_connect(struct gameport *gameport, struct gameport_driver *drv)
 --
 drivers/input/joystick/cobra.c-186-		input_dev->name = "Creative Labs Blaster GamePad Cobra";
 drivers/input/joystick/cobra.c:187:		input_dev->phys = cobra->phys[i];
 drivers/input/joystick/cobra.c-188-		input_dev->id.bustype = BUS_GAMEPORT;
 --
 drivers/input/joystick/db9.c=541=static void db9_attach(struct parport *pp)
 --
 drivers/input/joystick/db9.c-609-		input_dev->name = db9_mode->name;
 drivers/input/joystick/db9.c:610:		input_dev->phys = db9->phys[i];
 drivers/input/joystick/db9.c-611-		input_dev->id.bustype = BUS_PARPORT;
 --
 drivers/input/joystick/fsia6b.c=127=static int fsia6b_serio_connect(struct serio *serio, struct serio_driver *drv)
 --
 drivers/input/joystick/fsia6b.c-154-	input_dev->name = DRIVER_DESC;
 drivers/input/joystick/fsia6b.c:155:	input_dev->phys = fsia6b->phys;
 drivers/input/joystick/fsia6b.c-156-	input_dev->id.bustype = BUS_RS232;
 --
 drivers/input/joystick/gamecon.c=795=static int gc_setup_pad(struct gc *gc, int idx, int pad_type)
 --
 drivers/input/joystick/gamecon.c-818-	input_dev->name = gc_names[pad_type];
 drivers/input/joystick/gamecon.c:819:	input_dev->phys = pad->phys;
 drivers/input/joystick/gamecon.c-820-	input_dev->id.bustype = BUS_PARPORT;
 --
 drivers/input/joystick/gf2k.c=218=static int gf2k_connect(struct gameport *gameport, struct gameport_driver *drv)
 --
 drivers/input/joystick/gf2k.c-283-	input_dev->name = gf2k_names[gf2k->id];
 drivers/input/joystick/gf2k.c:284:	input_dev->phys = gf2k->phys;
 drivers/input/joystick/gf2k.c-285-	input_dev->id.bustype = BUS_GAMEPORT;
 --
 drivers/input/joystick/grip.c=279=static int grip_connect(struct gameport *gameport, struct gameport_driver *drv)
 --
 drivers/input/joystick/grip.c-339-		input_dev->name = grip_name[grip->mode[i]];
 drivers/input/joystick/grip.c:340:		input_dev->phys = grip->phys[i];
 drivers/input/joystick/grip.c-341-		input_dev->id.bustype = BUS_GAMEPORT;
 --
 drivers/input/joystick/guillemot.c=158=static int guillemot_connect(struct gameport *gameport, struct gameport_driver *drv)
 --
 drivers/input/joystick/guillemot.c-206-	input_dev->name = guillemot_type[i].name;
 drivers/input/joystick/guillemot.c:207:	input_dev->phys = guillemot->phys;
 drivers/input/joystick/guillemot.c-208-	input_dev->id.bustype = BUS_GAMEPORT;
 --
 drivers/input/joystick/interact.c=187=static int interact_connect(struct gameport *gameport, struct gameport_driver *drv)
 --
 drivers/input/joystick/interact.c-237-	input_dev->name = interact_type[i].name;
 drivers/input/joystick/interact.c:238:	input_dev->phys = interact->phys;
 drivers/input/joystick/interact.c-239-	input_dev->id.bustype = BUS_GAMEPORT;
 --
 drivers/input/joystick/magellan.c=128=static int magellan_connect(struct serio *serio, struct serio_driver *drv)
 --
 drivers/input/joystick/magellan.c-143-	input_dev->name = "LogiCad3D Magellan / SpaceMouse";
 drivers/input/joystick/magellan.c:144:	input_dev->phys = magellan->phys;
 drivers/input/joystick/magellan.c-145-	input_dev->id.bustype = BUS_RS232;
 --
 drivers/input/joystick/sidewinder.c=568=static int sw_connect(struct gameport *gameport, struct gameport_driver *drv)
 --
 drivers/input/joystick/sidewinder.c-735-		input_dev->name = sw->name;
 drivers/input/joystick/sidewinder.c:736:		input_dev->phys = sw->phys[i];
 drivers/input/joystick/sidewinder.c-737-		input_dev->id.bustype = BUS_GAMEPORT;
 --
 drivers/input/joystick/spaceball.c=192=static int spaceball_connect(struct serio *serio, struct serio_driver *drv)
 --
 drivers/input/joystick/spaceball.c-210-	input_dev->name = spaceball_names[id];
 drivers/input/joystick/spaceball.c:211:	input_dev->phys = spaceball->phys;
 drivers/input/joystick/spaceball.c-212-	input_dev->id.bustype = BUS_RS232;
 --
 drivers/input/joystick/spaceorb.c=143=static int spaceorb_connect(struct serio *serio, struct serio_driver *drv)
 --
 drivers/input/joystick/spaceorb.c-158-	input_dev->name = "SpaceTec SpaceOrb 360 / Avenger";
 drivers/input/joystick/spaceorb.c:159:	input_dev->phys = spaceorb->phys;
 drivers/input/joystick/spaceorb.c-160-	input_dev->id.bustype = BUS_RS232;
 --
 drivers/input/joystick/stinger.c=115=static int stinger_connect(struct serio *serio, struct serio_driver *drv)
 --
 drivers/input/joystick/stinger.c-129-	input_dev->name = "Gravis Stinger";
 drivers/input/joystick/stinger.c:130:	input_dev->phys = stinger->phys;
 drivers/input/joystick/stinger.c-131-	input_dev->id.bustype = BUS_RS232;
 --
 drivers/input/joystick/tmdc.c=259=static int tmdc_setup_port(struct tmdc *tmdc, int idx, unsigned char *data)
 --
 drivers/input/joystick/tmdc.c-301-	input_dev->name = port->name;
 drivers/input/joystick/tmdc.c:302:	input_dev->phys = port->phys;
 drivers/input/joystick/tmdc.c-303-	input_dev->id.bustype = BUS_GAMEPORT;
 --
 drivers/input/joystick/turbografx.c=139=static void tgfx_attach(struct parport *pp)
 --
 drivers/input/joystick/turbografx.c-205-		input_dev->name = tgfx->name[i];
 drivers/input/joystick/turbografx.c:206:		input_dev->phys = tgfx->phys[i];
 drivers/input/joystick/turbografx.c-207-		input_dev->id.bustype = BUS_PARPORT;
 --
 drivers/input/joystick/twidjoy.c=166=static int twidjoy_connect(struct serio *serio, struct serio_driver *drv)
 --
 drivers/input/joystick/twidjoy.c-182-	input_dev->name = "Handykey Twiddler";
 drivers/input/joystick/twidjoy.c:183:	input_dev->phys = twidjoy->phys;
 drivers/input/joystick/twidjoy.c-184-	input_dev->id.bustype = BUS_RS232;
 --
 drivers/input/joystick/walkera0701.c=199=static void walkera0701_attach(struct parport *pp)
 --
 drivers/input/joystick/walkera0701.c-244-	w->input_dev->name = "Walkera WK-0701 TX";
 drivers/input/joystick/walkera0701.c:245:	w->input_dev->phys = w->parport->name;
 drivers/input/joystick/walkera0701.c-246-	w->input_dev->id.bustype = BUS_PARPORT;
 --
 drivers/input/joystick/warrior.c=121=static int warrior_connect(struct serio *serio, struct serio_driver *drv)
 --
 drivers/input/joystick/warrior.c-135-	input_dev->name = "Logitech WingMan Warrior";
 drivers/input/joystick/warrior.c:136:	input_dev->phys = warrior->phys;
 drivers/input/joystick/warrior.c-137-	input_dev->id.bustype = BUS_RS232;
 --
 drivers/input/joystick/xpad.c=1953=static int xpad_init_input(struct usb_xpad *xpad)
 --
 drivers/input/joystick/xpad.c-1963-	input_dev->name = xpad->name;
 drivers/input/joystick/xpad.c:1964:	input_dev->phys = xpad->phys;
 drivers/input/joystick/xpad.c-1965-	usb_to_input_id(xpad->udev, &input_dev->id);
 --
 drivers/input/joystick/zhenhua.c=128=static int zhenhua_connect(struct serio *serio, struct serio_driver *drv)
 --
 drivers/input/joystick/zhenhua.c-142-	input_dev->name = "Zhen Hua 5-byte device";
 drivers/input/joystick/zhenhua.c:143:	input_dev->phys = zhenhua->phys;
 drivers/input/joystick/zhenhua.c-144-	input_dev->id.bustype = BUS_RS232;
 --
 drivers/input/keyboard/applespi.c=1207=applespi_register_touchpad_device(struct applespi_data *applespi,
 --
 drivers/input/keyboard/applespi.c-1260-	touchpad_input_dev->name = "Apple SPI Touchpad";
 drivers/input/keyboard/applespi.c:1261:	touchpad_input_dev->phys = "applespi/input1";
 drivers/input/keyboard/applespi.c-1262-	touchpad_input_dev->dev.parent = &applespi->spi->dev;
 --
 drivers/input/keyboard/applespi.c=1608=static int applespi_probe(struct spi_device *spi)
 --
 drivers/input/keyboard/applespi.c-1687-	applespi->keyboard_input_dev->name = "Apple SPI Keyboard";
 drivers/input/keyboard/applespi.c:1688:	applespi->keyboard_input_dev->phys = "applespi/input0";
 drivers/input/keyboard/applespi.c-1689-	applespi->keyboard_input_dev->dev.parent = &spi->dev;
 --
 drivers/input/keyboard/atkbd.c=1181=static void atkbd_set_device_attrs(struct atkbd *atkbd)
 --
 drivers/input/keyboard/atkbd.c-1197-	input_dev->name = atkbd->name;
 drivers/input/keyboard/atkbd.c:1198:	input_dev->phys = atkbd->phys;
 drivers/input/keyboard/atkbd.c-1199-	input_dev->id.bustype = BUS_I8042;
 --
 drivers/input/keyboard/bcm-keypad.c=306=static int bcm_kp_probe(struct platform_device *pdev)
 --
 drivers/input/keyboard/bcm-keypad.c-328-	input_dev->name = pdev->name;
 drivers/input/keyboard/bcm-keypad.c:329:	input_dev->phys = "keypad/input0";
 drivers/input/keyboard/bcm-keypad.c-330-	input_dev->dev.parent = &pdev->dev;
 --
 drivers/input/keyboard/hil_kbd.c=326=static void hil_dev_keyboard_setup(struct hil_dev *kbd)
 --
 drivers/input/keyboard/hil_kbd.c-346-	input_dev->name	= strlen(kbd->rnm) ? kbd->rnm : "HIL keyboard";
 drivers/input/keyboard/hil_kbd.c:347:	input_dev->phys	= "hpkbd/input0";
 drivers/input/keyboard/hil_kbd.c-348-
 --
 drivers/input/keyboard/jornada680_kbd.c=178=static int jornada680kbd_probe(struct platform_device *pdev)
 --
 drivers/input/keyboard/jornada680_kbd.c-202-	input_dev->name = "HP Jornada 680 keyboard";
 drivers/input/keyboard/jornada680_kbd.c:203:	input_dev->phys = "jornadakbd/input0";
 drivers/input/keyboard/jornada680_kbd.c-204-	input_dev->keycode = jornadakbd->keymap;
 --
 drivers/input/keyboard/jornada720_kbd.c=88=static int jornada720_kbd_probe(struct platform_device *pdev)
 --
 drivers/input/keyboard/jornada720_kbd.c-110-	input_dev->name = "HP Jornada 720 keyboard";
 drivers/input/keyboard/jornada720_kbd.c:111:	input_dev->phys = "jornadakbd/input0";
 drivers/input/keyboard/jornada720_kbd.c-112-	input_dev->keycode = jornadakbd->keymap;
 --
 drivers/input/keyboard/lkkbd.c=604=static int lkkbd_connect(struct serio *serio, struct serio_driver *drv)
 --
 drivers/input/keyboard/lkkbd.c-629-	input_dev->name = lk->name;
 drivers/input/keyboard/lkkbd.c:630:	input_dev->phys = lk->phys;
 drivers/input/keyboard/lkkbd.c-631-	input_dev->id.bustype = BUS_RS232;
 --
 drivers/input/keyboard/locomokbd.c=221=static int locomokbd_probe(struct locomo_dev *dev)
 --
 drivers/input/keyboard/locomokbd.c-256-	input_dev->name = "LoCoMo keyboard";
 drivers/input/keyboard/locomokbd.c:257:	input_dev->phys = locomokbd->phys;
 drivers/input/keyboard/locomokbd.c-258-	input_dev->id.bustype = BUS_HOST;
 --
 drivers/input/keyboard/newtonkbd.c=64=static int nkbd_connect(struct serio *serio, struct serio_driver *drv)
 --
 drivers/input/keyboard/newtonkbd.c-81-	input_dev->name = "Newton Keyboard";
 drivers/input/keyboard/newtonkbd.c:82:	input_dev->phys = nkbd->phys;
 drivers/input/keyboard/newtonkbd.c-83-	input_dev->id.bustype = BUS_RS232;
 --
 drivers/input/keyboard/omap-keypad.c=180=static int omap_kp_probe(struct platform_device *pdev)
 --
 drivers/input/keyboard/omap-keypad.c-224-	input_dev->name = "omap-keypad";
 drivers/input/keyboard/omap-keypad.c:225:	input_dev->phys = "omap-keypad/input0";
 drivers/input/keyboard/omap-keypad.c-226-	input_dev->dev.parent = &pdev->dev;
 --
 drivers/input/keyboard/spear-keyboard.c=145=static int spear_kbd_probe(struct platform_device *pdev)
 --
 drivers/input/keyboard/spear-keyboard.c-187-	input_dev->name = "Spear Keyboard";
 drivers/input/keyboard/spear-keyboard.c:188:	input_dev->phys = "keyboard/input0";
 drivers/input/keyboard/spear-keyboard.c-189-	input_dev->id.bustype = BUS_HOST;
 --
 drivers/input/keyboard/st-keyscan.c=124=static int keyscan_probe(struct platform_device *pdev)
 --
 drivers/input/keyboard/st-keyscan.c-146-	input_dev->name = pdev->name;
 drivers/input/keyboard/st-keyscan.c:147:	input_dev->phys = "keyscan-keys/input0";
 drivers/input/keyboard/st-keyscan.c-148-	input_dev->dev.parent = &pdev->dev;
 --
 drivers/input/keyboard/stowaway.c=68=static int skbd_connect(struct serio *serio, struct serio_driver *drv)
 --
 drivers/input/keyboard/stowaway.c-85-	input_dev->name = "Stowaway Keyboard";
 drivers/input/keyboard/stowaway.c:86:	input_dev->phys = skbd->phys;
 drivers/input/keyboard/stowaway.c-87-	input_dev->id.bustype = BUS_RS232;
 --
 drivers/input/keyboard/sunkbd.c=258=static int sunkbd_connect(struct serio *serio, struct serio_driver *drv)
 --
 drivers/input/keyboard/sunkbd.c-291-	input_dev->name = sunkbd->name;
 drivers/input/keyboard/sunkbd.c:292:	input_dev->phys = sunkbd->phys;
 drivers/input/keyboard/sunkbd.c-293-	input_dev->id.bustype = BUS_RS232;
 --
 drivers/input/keyboard/xtkbd.c=66=static int xtkbd_connect(struct serio *serio, struct serio_driver *drv)
 --
 drivers/input/keyboard/xtkbd.c-83-	input_dev->name = "XT Keyboard";
 drivers/input/keyboard/xtkbd.c:84:	input_dev->phys = xtkbd->phys;
 drivers/input/keyboard/xtkbd.c-85-	input_dev->id.bustype = BUS_XTKBD;
 --
 drivers/input/misc/adxl34x.c=683=struct adxl34x *adxl34x_probe(struct device *dev, int irq,
 --
 drivers/input/misc/adxl34x.c-741-
 drivers/input/misc/adxl34x.c:742:	input_dev->phys = ac->phys;
 drivers/input/misc/adxl34x.c-743-	input_dev->id.product = ac->model;
 --
 drivers/input/misc/atc260x-onkey.c=190=static int atc260x_onkey_probe(struct platform_device *pdev)
 --
 drivers/input/misc/atc260x-onkey.c-251-	input_dev->name = "atc260x-onkey";
 drivers/input/misc/atc260x-onkey.c:252:	input_dev->phys = "atc260x-onkey/input0";
 drivers/input/misc/atc260x-onkey.c-253-	input_dev->open = atc260x_onkey_open;
 --
 drivers/input/misc/atlas_btns.c=60=static int atlas_acpi_button_add(struct acpi_device *device)
 --
 drivers/input/misc/atlas_btns.c-72-	input_dev->name = "Atlas ACPI button driver";
 drivers/input/misc/atlas_btns.c:73:	input_dev->phys = "ASIM0000/atlas/input0";
 drivers/input/misc/atlas_btns.c-74-	input_dev->id.bustype = BUS_HOST;
 --
 drivers/input/misc/cm109.c=677=static int cm109_usb_probe(struct usb_interface *intf,
 --
 drivers/input/misc/cm109.c-772-	input_dev->name = nfo->name;
 drivers/input/misc/cm109.c:773:	input_dev->phys = dev->phys;
 drivers/input/misc/cm109.c-774-	usb_to_input_id(udev, &input_dev->id);
 --
 drivers/input/misc/da9052_onkey.c=71=static int da9052_onkey_probe(struct platform_device *pdev)
 --
 drivers/input/misc/da9052_onkey.c-95-	input_dev->name = "da9052-onkey";
 drivers/input/misc/da9052_onkey.c:96:	input_dev->phys = "da9052-onkey/input0";
 drivers/input/misc/da9052_onkey.c-97-	input_dev->dev.parent = &pdev->dev;
 --
 drivers/input/misc/da9055_onkey.c=71=static int da9055_onkey_probe(struct platform_device *pdev)
 --
 drivers/input/misc/da9055_onkey.c-96-	input_dev->name = "da9055-onkey";
 drivers/input/misc/da9055_onkey.c:97:	input_dev->phys = "da9055-onkey/input0";
 drivers/input/misc/da9055_onkey.c-98-	input_dev->dev.parent = &pdev->dev;
 --
 drivers/input/misc/keyspan_remote.c=444=static int keyspan_probe(struct usb_interface *interface, const struct usb_device_id *id)
 --
 drivers/input/misc/keyspan_remote.c-506-	input_dev->name = remote->name;
 drivers/input/misc/keyspan_remote.c:507:	input_dev->phys = remote->phys;
 drivers/input/misc/keyspan_remote.c-508-	usb_to_input_id(udev, &input_dev->id);
 --
 drivers/input/misc/m68kspkr.c=46=static int m68kspkr_probe(struct platform_device *dev)
 --
 drivers/input/misc/m68kspkr.c-55-	input_dev->name = "m68k beeper";
 drivers/input/misc/m68kspkr.c:56:	input_dev->phys = "m68k/generic";
 drivers/input/misc/m68kspkr.c-57-	input_dev->id.bustype = BUS_HOST;
 --
 drivers/input/misc/palmas-pwrbutton.c=155=static int palmas_pwron_probe(struct platform_device *pdev)
 --
 drivers/input/misc/palmas-pwrbutton.c-178-	input_dev->name = "palmas_pwron";
 drivers/input/misc/palmas-pwrbutton.c:179:	input_dev->phys = "palmas_pwron/input0";
 drivers/input/misc/palmas-pwrbutton.c-180-	input_dev->dev.parent = dev;
 --
 drivers/input/misc/pcap_keys.c=46=static int pcap_keys_probe(struct platform_device *pdev)
 --
 drivers/input/misc/pcap_keys.c-65-	input_dev->name = pdev->name;
 drivers/input/misc/pcap_keys.c:66:	input_dev->phys = "pcap-keys/input0";
 drivers/input/misc/pcap_keys.c-67-	input_dev->id.bustype = BUS_HOST;
 --
 drivers/input/misc/powermate.c=293=static int powermate_probe(struct usb_interface *intf, const struct usb_device_id *id)
 --
 drivers/input/misc/powermate.c-353-
 drivers/input/misc/powermate.c:354:	input_dev->phys = pm->phys;
 drivers/input/misc/powermate.c-355-	usb_to_input_id(udev, &input_dev->id);
 --
 drivers/input/misc/sparcspkr.c=148=static int sparcspkr_probe(struct device *dev)
 --
 drivers/input/misc/sparcspkr.c-158-	input_dev->name = state->name;
 drivers/input/misc/sparcspkr.c:159:	input_dev->phys = "sparc/input0";
 drivers/input/misc/sparcspkr.c-160-	input_dev->id.bustype = BUS_ISA;
 --
 drivers/input/misc/stpmic1_onkey.c=50=static int stpmic1_onkey_probe(struct platform_device *pdev)
 --
 drivers/input/misc/stpmic1_onkey.c-109-	input_dev->name = "pmic_onkey";
 drivers/input/misc/stpmic1_onkey.c:110:	input_dev->phys = "pmic_onkey/input0";
 drivers/input/misc/stpmic1_onkey.c-111-
 --
 drivers/input/misc/yealink.c=815=static int usb_probe(struct usb_interface *intf, const struct usb_device_id *id)
 --
 drivers/input/misc/yealink.c-906-	input_dev->name = nfo->name;
 drivers/input/misc/yealink.c:907:	input_dev->phys = yld->phys;
 drivers/input/misc/yealink.c-908-	usb_to_input_id(udev, &input_dev->id);
 --
 drivers/input/mouse/appletouch.c=829=static int atp_probe(struct usb_interface *iface,
 --
 drivers/input/mouse/appletouch.c-892-	input_dev->name = "appletouch";
 drivers/input/mouse/appletouch.c:893:	input_dev->phys = dev->phys;
 drivers/input/mouse/appletouch.c-894-	usb_to_input_id(dev->udev, &input_dev->id);
 --
 drivers/input/mouse/bcm5974.c=885=static int bcm5974_probe(struct usb_interface *iface,
 --
 drivers/input/mouse/bcm5974.c-956-	input_dev->name = "bcm5974";
 drivers/input/mouse/bcm5974.c:957:	input_dev->phys = dev->phys;
 drivers/input/mouse/bcm5974.c-958-	usb_to_input_id(dev->udev, &input_dev->id);
 --
 drivers/input/mouse/psmouse-base.c=1517=static int psmouse_switch_protocol(struct psmouse *psmouse,
 --
 drivers/input/mouse/psmouse-base.c-1563-	input_dev->name = psmouse->devname;
 drivers/input/mouse/psmouse-base.c:1564:	input_dev->phys = psmouse->phys;
 drivers/input/mouse/psmouse-base.c-1565-	input_dev->id.bustype = BUS_I8042;
 --
 drivers/input/mouse/sermouse.c=227=static int sermouse_connect(struct serio *serio, struct serio_driver *drv)
 --
 drivers/input/mouse/sermouse.c-243-	input_dev->name = sermouse_protocols[sermouse->type];
 drivers/input/mouse/sermouse.c:244:	input_dev->phys = sermouse->phys;
 drivers/input/mouse/sermouse.c-245-	input_dev->id.bustype = BUS_RS232;
 --
 drivers/input/mouse/synaptics_usb.c=291=static int synusb_probe(struct usb_interface *intf,
 --
 drivers/input/mouse/synaptics_usb.c-378-	input_dev->name = synusb->name;
 drivers/input/mouse/synaptics_usb.c:379:	input_dev->phys = synusb->phys;
 drivers/input/mouse/synaptics_usb.c-380-	usb_to_input_id(udev, &input_dev->id);
 --
 drivers/input/mouse/vsxxxaa.c=453=static int vsxxxaa_connect(struct serio *serio, struct serio_driver *drv)
 --
 drivers/input/mouse/vsxxxaa.c-470-	input_dev->name = mouse->name;
 drivers/input/mouse/vsxxxaa.c:471:	input_dev->phys = mouse->phys;
 drivers/input/mouse/vsxxxaa.c-472-	input_dev->id.bustype = BUS_RS232;
 --
 drivers/input/tablet/acecad.c=111=static int usb_acecad_probe(struct usb_interface *intf, const struct usb_device_id *id)
 --
 drivers/input/tablet/acecad.c-166-	input_dev->name = acecad->name;
 drivers/input/tablet/acecad.c:167:	input_dev->phys = acecad->phys;
 drivers/input/tablet/acecad.c-168-	usb_to_input_id(dev, &input_dev->id);
 --
 drivers/input/tablet/hanwang.c=313=static int hanwang_probe(struct usb_interface *intf, const struct usb_device_id *id)
 --
 drivers/input/tablet/hanwang.c-357-	input_dev->name = hanwang->name;
 drivers/input/tablet/hanwang.c:358:	input_dev->phys = hanwang->phys;
 drivers/input/tablet/hanwang.c-359-	usb_to_input_id(dev, &input_dev->id);
 --
 drivers/input/tablet/kbtab.c=109=static int kbtab_probe(struct usb_interface *intf, const struct usb_device_id *id)
 --
 drivers/input/tablet/kbtab.c-143-	input_dev->name = "KB Gear Tablet";
 drivers/input/tablet/kbtab.c:144:	input_dev->phys = kbtab->phys;
 drivers/input/tablet/kbtab.c-145-	usb_to_input_id(dev, &input_dev->id);
 --
 drivers/input/tablet/pegasus_notetaker.c=274=static int pegasus_probe(struct usb_interface *intf,
 --
 drivers/input/tablet/pegasus_notetaker.c-367-	input_dev->name = pegasus->name;
 drivers/input/tablet/pegasus_notetaker.c:368:	input_dev->phys = pegasus->phys;
 drivers/input/tablet/pegasus_notetaker.c-369-	usb_to_input_id(dev, &input_dev->id);
 --
 drivers/input/tablet/wacom_serial4.c=518=static int wacom_connect(struct serio *serio, struct serio_driver *drv)
 --
 drivers/input/tablet/wacom_serial4.c-533-	snprintf(wacom->phys, sizeof(wacom->phys), "%s/input0", serio->phys);
 drivers/input/tablet/wacom_serial4.c:534:	input_dev->phys = wacom->phys;
 drivers/input/tablet/wacom_serial4.c-535-	input_dev->id.bustype = BUS_RS232;
 --
 drivers/input/touchscreen/ad7877.c=670=static int ad7877_probe(struct spi_device *spi)
 --
 drivers/input/touchscreen/ad7877.c-734-	input_dev->name = "AD7877 Touchscreen";
 drivers/input/touchscreen/ad7877.c:735:	input_dev->phys = ts->phys;
 drivers/input/touchscreen/ad7877.c-736-	input_dev->dev.parent = &spi->dev;
 --
 drivers/input/touchscreen/ad7879.c=527=int ad7879_probe(struct device *dev, struct regmap *regmap,
 --
 drivers/input/touchscreen/ad7879.c-562-	input_dev->name = "AD7879 Touchscreen";
 drivers/input/touchscreen/ad7879.c:563:	input_dev->phys = ts->phys;
 drivers/input/touchscreen/ad7879.c-564-	input_dev->dev.parent = dev;
 --
 drivers/input/touchscreen/ads7846.c=1213=static int ads7846_probe(struct spi_device *spi)
 --
 drivers/input/touchscreen/ads7846.c-1309-	input_dev->name = ts->name;
 drivers/input/touchscreen/ads7846.c:1310:	input_dev->phys = ts->phys;
 drivers/input/touchscreen/ads7846.c-1311-
 --
 drivers/input/touchscreen/apple_z2.c=352=static int apple_z2_probe(struct spi_device *spi)
 --
 drivers/input/touchscreen/apple_z2.c-393-	z2->input_dev->name = (char *)spi_get_device_id(spi)->driver_data;
 drivers/input/touchscreen/apple_z2.c:394:	z2->input_dev->phys = "apple_z2";
 drivers/input/touchscreen/apple_z2.c-395-	z2->input_dev->id.bustype = BUS_SPI;
 --
 drivers/input/touchscreen/atmel_mxt_ts.c=2092=static int mxt_initialize_input_device(struct mxt_data *data)
 --
 drivers/input/touchscreen/atmel_mxt_ts.c-2138-	input_dev->name = "Atmel maXTouch Touchscreen";
 drivers/input/touchscreen/atmel_mxt_ts.c:2139:	input_dev->phys = data->phys;
 drivers/input/touchscreen/atmel_mxt_ts.c-2140-	input_dev->id.bustype = BUS_I2C;
 --
 drivers/input/touchscreen/auo-pixcir-ts.c=485=static int auo_pixcir_probe(struct i2c_client *client)
 --
 drivers/input/touchscreen/auo-pixcir-ts.c-521-	input_dev->name = "AUO-Pixcir touchscreen";
 drivers/input/touchscreen/auo-pixcir-ts.c:522:	input_dev->phys = ts->phys;
 drivers/input/touchscreen/auo-pixcir-ts.c-523-	input_dev->id.bustype = BUS_I2C;
 --
 drivers/input/touchscreen/cy8ctmg110_ts.c=171=static int cy8ctmg110_probe(struct i2c_client *client)
 --
 drivers/input/touchscreen/cy8ctmg110_ts.c-195-	input_dev->name = CY8CTMG110_DRIVER_NAME " Touchscreen";
 drivers/input/touchscreen/cy8ctmg110_ts.c:196:	input_dev->phys = ts->phys;
 drivers/input/touchscreen/cy8ctmg110_ts.c-197-	input_dev->id.bustype = BUS_I2C;
 --
 drivers/input/touchscreen/dynapro.c=107=static int dynapro_connect(struct serio *serio, struct serio_driver *drv)
 --
 drivers/input/touchscreen/dynapro.c-125-	input_dev->name = "Dynapro Serial TouchScreen";
 drivers/input/touchscreen/dynapro.c:126:	input_dev->phys = pdynapro->phys;
 drivers/input/touchscreen/dynapro.c-127-	input_dev->id.bustype = BUS_RS232;
 --
 drivers/input/touchscreen/egalax_ts_serial.c=96=static int egalax_connect(struct serio *serio, struct serio_driver *drv)
 --
 drivers/input/touchscreen/egalax_ts_serial.c-114-	input_dev->name = "EETI eGalaxTouch Serial TouchScreen";
 drivers/input/touchscreen/egalax_ts_serial.c:115:	input_dev->phys = egalax->phys;
 drivers/input/touchscreen/egalax_ts_serial.c-116-	input_dev->id.bustype = BUS_RS232;
 --
 drivers/input/touchscreen/elo.c=304=static int elo_connect(struct serio *serio, struct serio_driver *drv)
 --
 drivers/input/touchscreen/elo.c-325-	input_dev->name = "Elo Serial TouchScreen";
 drivers/input/touchscreen/elo.c:326:	input_dev->phys = elo->phys;
 drivers/input/touchscreen/elo.c-327-	input_dev->id.bustype = BUS_RS232;
 --
 drivers/input/touchscreen/fujitsu_ts.c=96=static int fujitsu_connect(struct serio *serio, struct serio_driver *drv)
 --
 drivers/input/touchscreen/fujitsu_ts.c-114-	input_dev->name = "Fujitsu Serial Touchscreen";
 drivers/input/touchscreen/fujitsu_ts.c:115:	input_dev->phys = fujitsu->phys;
 drivers/input/touchscreen/fujitsu_ts.c-116-	input_dev->id.bustype = BUS_RS232;
 --
 drivers/input/touchscreen/goodix.c=1131=static int goodix_configure_dev(struct goodix_ts_data *ts)
 --
 drivers/input/touchscreen/goodix.c-1145-	ts->input_dev->name = "Goodix Capacitive TouchScreen";
 drivers/input/touchscreen/goodix.c:1146:	ts->input_dev->phys = "input/ts";
 drivers/input/touchscreen/goodix.c-1147-	ts->input_dev->id.bustype = BUS_I2C;
 --
 drivers/input/touchscreen/goodix_berlin_core.c=605=static int goodix_berlin_input_dev_config(struct goodix_berlin_core *cd,
 --
]
]

gemini-3-flash-preview

							input: 83499
							output: 50
							thoughts: 825
						

**Debugging a KASAN Report: A Deep Dive**

Okay, still hitting a wall with `mac80211` and `cfg80211`, ugh. Let's revisit the memory allocation stack. Hmm, looks like we're allocating with `kzalloc_noprof` and then hitting `ieee802_11_parse_elems_full` and then eventually `ieee80211_inform_bss`. The freeing happens within `ieee80211_inform_bss` and the `kfree` function. The crash is happening in `input_devices_seq_show`.

The report indicates that a pointer `dev->phys` is the culprit. That means that this address had to have been assigned somewhere. Aha! I see that `input_devices_seq_show` is being called for `syz.1.395`, which means it is reading `/proc/bus/input/devices`.

So, could an input device's `phys` field be pointing to a string allocated by `ieee80211_inform_bss`? But, wait, that code immediately frees the memory! This must mean that `ieee80211_inform_bss` isn't allocating AND assigning the `phys` pointer. It must be reusing memory from a previous allocation/free cycle. That would explain it.

But hold on! KASAN is saying the allocation and free *were* done by `ieee80211_inform_bss`! So the access is occurring *after* it's been freed by `ieee80211_inform_bss`. This means `dev->phys` *already* had that value *before* `ieee80211_inform_bss` even started, or, perhaps, was assigned by it. This is a crucial distinction.

Now, `ieee80211_inform_bss` is part of `mac80211`, it doesn't even know anything about `input_dev`s. This is getting interesting. Let's see... `ieee80211_inform_bss` calls `cfg80211_inform_single_bss_data`, right? No, wait! Let me check the call stack again... Okay, *actually*, `cfg80211_inform_single_bss_data` calls `rdev_inform_bss`, which then calls `ieee80211_inform_bss`. So let's look at `cfg80211_inform_single_bss_data` in `net/wireless/scan.c`. Gotta see what's going on here.

map[ContextFile:net/wireless/scan.c IncludeLines:true Name:cfg80211_inform_single_bss_data]

map[SourceCode:2252:	/* Returned bss is reference counted and must be cleaned up appropriately. */
2253:	static struct cfg80211_bss *
2254:	cfg80211_inform_single_bss_data(struct wiphy *wiphy,
2255:					struct cfg80211_inform_single_bss_data *data,
2256:					gfp_t gfp)
2257:	{
2258:		struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
2259:		struct cfg80211_inform_bss *drv_data = data->drv_data;
2260:		struct cfg80211_bss_ies *ies;
2261:		struct ieee80211_channel *channel;
2262:		struct cfg80211_internal_bss tmp = {}, *res;
2263:		int bss_type;
2264:		bool signal_valid;
2265:		unsigned long ts;
2266:	
2267:		if (WARN_ON(!wiphy))
2268:			return NULL;
2269:	
2270:		if (WARN_ON(wiphy->signal_type == CFG80211_SIGNAL_TYPE_UNSPEC &&
2271:			    (drv_data->signal < 0 || drv_data->signal > 100)))
2272:			return NULL;
2273:	
2274:		if (WARN_ON(data->bss_source != BSS_SOURCE_DIRECT && !data->source_bss))
2275:			return NULL;
2276:	
2277:		channel = data->channel;
2278:		if (!channel)
2279:			channel = cfg80211_get_bss_channel(wiphy, data->ie, data->ielen,
2280:							   drv_data->chan);
2281:		if (!channel)
2282:			return NULL;
2283:	
2284:		if (channel->band == NL80211_BAND_6GHZ &&
2285:		    !cfg80211_6ghz_power_type_valid(data->ie, data->ielen,
2286:						    channel->flags)) {
2287:			data->use_for = 0;
2288:			data->cannot_use_reasons =
2289:				NL80211_BSS_CANNOT_USE_6GHZ_PWR_MISMATCH;
2290:		}
2291:	
2292:		memcpy(tmp.pub.bssid, data->bssid, ETH_ALEN);
2293:		tmp.pub.channel = channel;
2294:		if (data->bss_source != BSS_SOURCE_STA_PROFILE)
2295:			tmp.pub.signal = drv_data->signal;
2296:		else
2297:			tmp.pub.signal = 0;
2298:		tmp.pub.beacon_interval = data->beacon_interval;
2299:		tmp.pub.capability = data->capability;
2300:		tmp.pub.ts_boottime = drv_data->boottime_ns;
2301:		tmp.parent_tsf = drv_data->parent_tsf;
2302:		ether_addr_copy(tmp.parent_bssid, drv_data->parent_bssid);
2303:		tmp.pub.chains = drv_data->chains;
2304:		memcpy(tmp.pub.chain_signal, drv_data->chain_signal,
2305:		       IEEE80211_MAX_CHAINS);
2306:		tmp.pub.use_for = data->use_for;
2307:		tmp.pub.cannot_use_reasons = data->cannot_use_reasons;
2308:		tmp.bss_source = data->bss_source;
2309:	
2310:		switch (data->bss_source) {
2311:		case BSS_SOURCE_MBSSID:
2312:			tmp.pub.transmitted_bss = data->source_bss;
2313:			fallthrough;
2314:		case BSS_SOURCE_STA_PROFILE:
2315:			ts = bss_from_pub(data->source_bss)->ts;
2316:			tmp.pub.bssid_index = data->bssid_index;
2317:			tmp.pub.max_bssid_indicator = data->max_bssid_indicator;
2318:			break;
2319:		case BSS_SOURCE_DIRECT:
2320:			ts = jiffies;
2321:	
2322:			if (channel->band == NL80211_BAND_60GHZ) {
2323:				bss_type = data->capability &
2324:					   WLAN_CAPABILITY_DMG_TYPE_MASK;
2325:				if (bss_type == WLAN_CAPABILITY_DMG_TYPE_AP ||
2326:				    bss_type == WLAN_CAPABILITY_DMG_TYPE_PBSS)
2327:					regulatory_hint_found_beacon(wiphy, channel,
2328:								     gfp);
2329:			} else {
2330:				if (data->capability & WLAN_CAPABILITY_ESS)
2331:					regulatory_hint_found_beacon(wiphy, channel,
2332:								     gfp);
2333:			}
2334:			break;
2335:		}
2336:	
2337:		/*
2338:		 * If we do not know here whether the IEs are from a Beacon or Probe
2339:		 * Response frame, we need to pick one of the options and only use it
2340:		 * with the driver that does not provide the full Beacon/Probe Response
2341:		 * frame. Use Beacon frame pointer to avoid indicating that this should
2342:		 * override the IEs pointer should we have received an earlier
2343:		 * indication of Probe Response data.
2344:		 */
2345:		ies = kzalloc(sizeof(*ies) + data->ielen, gfp);
2346:		if (!ies)
2347:			return NULL;
2348:		ies->len = data->ielen;
2349:		ies->tsf = data->tsf;
2350:		ies->from_beacon = false;
2351:		memcpy(ies->data, data->ie, data->ielen);
2352:	
2353:		switch (data->ftype) {
2354:		case CFG80211_BSS_FTYPE_BEACON:
2355:		case CFG80211_BSS_FTYPE_S1G_BEACON:
2356:			ies->from_beacon = true;
2357:			fallthrough;
2358:		case CFG80211_BSS_FTYPE_UNKNOWN:
2359:			rcu_assign_pointer(tmp.pub.beacon_ies, ies);
2360:			break;
2361:		case CFG80211_BSS_FTYPE_PRESP:
2362:			rcu_assign_pointer(tmp.pub.proberesp_ies, ies);
2363:			break;
2364:		}
2365:		rcu_assign_pointer(tmp.pub.ies, ies);
2366:	
2367:		signal_valid = drv_data->chan == channel;
2368:		spin_lock_bh(&rdev->bss_lock);
2369:		res = __cfg80211_bss_update(rdev, &tmp, signal_valid, ts);
2370:		if (!res)
2371:			goto drop;
2372:	
2373:		rdev_inform_bss(rdev, &res->pub, ies, drv_data->drv_data);
2374:	
2375:		if (data->bss_source == BSS_SOURCE_MBSSID) {
2376:			/* this is a nontransmitting bss, we need to add it to
2377:			 * transmitting bss' list if it is not there
2378:			 */
2379:			if (cfg80211_add_nontrans_list(data->source_bss, &res->pub)) {
2380:				if (__cfg80211_unlink_bss(rdev, res)) {
2381:					rdev->bss_generation++;
2382:					res = NULL;
2383:				}
2384:			}
2385:	
2386:			if (!res)
2387:				goto drop;
2388:		}
2389:		spin_unlock_bh(&rdev->bss_lock);
2390:	
2391:		trace_cfg80211_return_bss(&res->pub);
2392:		/* __cfg80211_bss_update gives us a referenced result */
2393:		return &res->pub;
2394:	
2395:	drop:
2396:		spin_unlock_bh(&rdev->bss_lock);
2397:		return NULL;
2398:	}
 SourceFile:net/wireless/scan.c]

gemini-3-flash-preview

							input: 87506
							output: 19
							thoughts: 1340
						

**Deconstructing the Kernel Panic: A Deep Dive**

Okay, so I'm looking at this crash, and the call stack is leading me on a wild goose chase initially. I see `rdev_inform_bss` calling `ieee80211_inform_bss` at line 2373. That's a key function for informing the system about Basic Service Sets. The `ies` object, where information elements are stored, is allocated earlier, but that's *not* the one that was freed. The free is happening inside `ieee80211_inform_bss`, specifically, the `ieee80211_elems_parse` object.

Initially, I thought, could an `input_dev`'s `phys` field be pointing to a string that was corrupted or overwritten, maybe even pointing to that temporary `ieee80211_elems_parse` object? But that doesn't quite add up.

I went back to the `input_devices_seq_show` function, where the `phys` field is accessed. I see that `dev->phys` is set to `ffff888059a15a20`. If I could find the `input_dev` with that `phys`, I might be onto something. However, I can't really do that.

My mind then wandered to the idea that maybe `ieee80211_inform_bss` was being called for a BSS that was masquerading as an input device. That's absurd, right?

But then I traced back from the allocation stack. This is really interesting: the stack starts with `rtnetlink_rcv_msg`. So, a netlink message triggered this somehow. That means someone sent a message to change network interface flags. This is leading to `inetdev_event`, which ends up calling `ip_mc_clear_src`, which then calls `spin_unlock_bh`, which then calls `do_softirq`. Then `ieee80211_handle_queued_frames` calls `ieee80211_rx` and so on, eventually calling `rdev_inform_bss`.

So, the allocation and subsequent free occurred within a softirq triggered by a netlink call. That's the crux of it.

Now, the question is why does the `input_dev`'s `phys` field have such a strange value?

I have another theory: what if the `input_dev` itself is corrupted? What if some code is writing to an `input_dev`, but it's actually writing to something else entirely?

I went back to the code that reads `dev->phys`. If `dev` is a valid `input_dev`, then that `phys` value was definitely set at some point. Now I need to find the code that sets `input_dev->phys` to something that could possibly be a temporary object. So, I need to search `drivers/input` carefully, looking for something that sets the `.phys` field. I will search carefully. I will.

map[Expression:\.phys =.*,]

map[Output:arch/x86/mm/mmio-mod.c=219=static void ioremap_trace_core(resource_size_t offset, unsigned long size,
--
arch/x86/mm/mmio-mod.c-225-	struct mmiotrace_map map = {
arch/x86/mm/mmio-mod.c:226:		.phys = offset,
arch/x86/mm/mmio-mod.c-227-		.virt = (unsigned long)addr,
--
arch/x86/mm/mmio-mod.c-244-		},
arch/x86/mm/mmio-mod.c:245:		.phys = offset,
arch/x86/mm/mmio-mod.c-246-		.id = atomic_inc_return(&next_id)
--
arch/x86/mm/mmio-mod.c=278=static void iounmap_trace_core(volatile void __iomem *addr)
--
arch/x86/mm/mmio-mod.c-280-	struct mmiotrace_map map = {
arch/x86/mm/mmio-mod.c:281:		.phys = 0,
arch/x86/mm/mmio-mod.c-282-		.virt = (unsigned long)addr,
--
drivers/atm/he.c=770=static int he_init_group(struct he_dev *he_dev, int group)
--
drivers/atm/he.c-827-		he_dev->rbpl_base[i].idx =  i << RBP_IDX_OFFSET;
drivers/atm/he.c:828:		he_dev->rbpl_base[i].phys = mapping + offsetof(struct he_buff, data);
drivers/atm/he.c-829-	}
--
drivers/dma/timb_dma.c=322=static struct timb_dma_desc *td_alloc_init_desc(struct timb_dma_chan *td_chan)
--
drivers/dma/timb_dma.c-341-
drivers/dma/timb_dma.c:342:	td_desc->txd.phys = dma_map_single(chan2dmadev(chan),
drivers/dma/timb_dma.c-343-		td_desc->desc_list, td_desc->desc_list_len, DMA_TO_DEVICE);
--
drivers/dma/txx9dmac.c=189=static struct txx9dmac_desc *txx9dmac_desc_alloc(struct txx9dmac_chan *dc,
--
drivers/dma/txx9dmac.c-202-	desc->txd.flags = DMA_CTRL_ACK;
drivers/dma/txx9dmac.c:203:	desc->txd.phys = dma_map_single(chan2parent(&dc->chan), &desc->hwdesc,
drivers/dma/txx9dmac.c-204-					ddev->descsize, DMA_TO_DEVICE);
--
drivers/firmware/google/memconsole-coreboot.c=40=static ssize_t memconsole_coreboot_read(char *buf, loff_t pos, size_t count)
--
drivers/firmware/google/memconsole-coreboot.c-54-			cursor = 0;
drivers/firmware/google/memconsole-coreboot.c:55:		seg[0] = (struct seg){.phys = cursor, .len = size - cursor};
drivers/firmware/google/memconsole-coreboot.c:56:		seg[1] = (struct seg){.phys = 0, .len = cursor};
drivers/firmware/google/memconsole-coreboot.c-57-	} else {
drivers/firmware/google/memconsole-coreboot.c:58:		seg[0] = (struct seg){.phys = 0, .len = min(cursor, size)};
drivers/firmware/google/memconsole-coreboot.c-59-	}
--
drivers/firmware/tegra/ivc.c=646=int tegra_ivc_init(struct tegra_ivc *ivc, struct device *peer, const struct iosys_map *rx,
--
drivers/firmware/tegra/ivc.c-672-	if (peer) {
drivers/firmware/tegra/ivc.c:673:		ivc->rx.phys = dma_map_single(peer, iosys_map_get_vaddr(rx), queue_size,
drivers/firmware/tegra/ivc.c-674-					      DMA_BIDIRECTIONAL);
--
drivers/firmware/tegra/ivc.c-677-
drivers/firmware/tegra/ivc.c:678:		ivc->tx.phys = dma_map_single(peer, iosys_map_get_vaddr(tx), queue_size,
drivers/firmware/tegra/ivc.c-679-					      DMA_BIDIRECTIONAL);
--
drivers/input/misc/pm8941-pwrkey.c=423=static const struct pm8941_data pwrkey_data = {
--
drivers/input/misc/pm8941-pwrkey.c-426-	.name = "pm8941_pwrkey",
drivers/input/misc/pm8941-pwrkey.c:427:	.phys = "pm8941_pwrkey/input0",
drivers/input/misc/pm8941-pwrkey.c-428-	.supports_ps_hold_poff_config = true,
--
drivers/input/misc/pm8941-pwrkey.c=434=static const struct pm8941_data resin_data = {
--
drivers/input/misc/pm8941-pwrkey.c-437-	.name = "pm8941_resin",
drivers/input/misc/pm8941-pwrkey.c:438:	.phys = "pm8941_resin/input0",
drivers/input/misc/pm8941-pwrkey.c-439-	.supports_ps_hold_poff_config = true,
--
drivers/input/misc/pm8941-pwrkey.c=445=static const struct pm8941_data pon_gen3_pwrkey_data = {
--
drivers/input/misc/pm8941-pwrkey.c-447-	.name = "pmic_pwrkey",
drivers/input/misc/pm8941-pwrkey.c:448:	.phys = "pmic_pwrkey/input0",
drivers/input/misc/pm8941-pwrkey.c-449-	.supports_ps_hold_poff_config = false,
--
drivers/input/misc/pm8941-pwrkey.c=455=static const struct pm8941_data pon_gen3_resin_data = {
--
drivers/input/misc/pm8941-pwrkey.c-457-	.name = "pmic_resin",
drivers/input/misc/pm8941-pwrkey.c:458:	.phys = "pmic_resin/input0",
drivers/input/misc/pm8941-pwrkey.c-459-	.supports_ps_hold_poff_config = false,
--
drivers/media/pci/cobalt/cobalt-flash.c=18=static struct map_info cobalt_flash_map = {
--
drivers/media/pci/cobalt/cobalt-flash.c-21-	.size =		0x4000000, /* 64MB */
drivers/media/pci/cobalt/cobalt-flash.c:22:	.phys =		0,         /* offset  */
drivers/media/pci/cobalt/cobalt-flash.c-23-};
--
drivers/mtd/maps/dc21285.c=139=static struct map_info dc21285_map = {
drivers/mtd/maps/dc21285.c-140-	.name = "DC21285 flash",
drivers/mtd/maps/dc21285.c:141:	.phys = NO_XIP,
drivers/mtd/maps/dc21285.c-142-	.size = 16*1024*1024,
--
drivers/mtd/maps/l440gx.c=48=static struct map_info l440gx_map = {
--
drivers/mtd/maps/l440gx.c-51-	.bankwidth = BUSWIDTH,
drivers/mtd/maps/l440gx.c:52:	.phys = WINDOW_ADDR,
drivers/mtd/maps/l440gx.c-53-#if 0
--
drivers/mtd/maps/netsc520.c=69=static struct map_info netsc520_map = {
--
drivers/mtd/maps/netsc520.c-72-	.bankwidth = 4,
drivers/mtd/maps/netsc520.c:73:	.phys = WINDOW_ADDR,
drivers/mtd/maps/netsc520.c-74-};
--
drivers/mtd/maps/pci.c=77=static const struct map_info mtd_pci_map = {
drivers/mtd/maps/pci.c:78:	.phys =		NO_XIP,
drivers/mtd/maps/pci.c-79-	.copy_from =	mtd_pci_copyfrom,
--
drivers/mtd/maps/sbc_gxx.c=154=static struct map_info sbc_gxx_map = {
drivers/mtd/maps/sbc_gxx.c-155-	.name = "SBC-GXx flash",
drivers/mtd/maps/sbc_gxx.c:156:	.phys = NO_XIP,
drivers/mtd/maps/sbc_gxx.c-157-	.size = MAX_SIZE_KiB*1024, /* this must be set to a maximum possible amount
--
drivers/mtd/maps/tsunami_flash.c=62=static struct map_info tsunami_flash_map = {
--
drivers/mtd/maps/tsunami_flash.c-64-	.size = MAX_TIG_FLASH_SIZE,
drivers/mtd/maps/tsunami_flash.c:65:	.phys = NO_XIP,
drivers/mtd/maps/tsunami_flash.c-66-	.bankwidth = 1,
--
drivers/nvdimm/bus.c=192=static void nvdimm_clear_badblocks_regions(struct nvdimm_bus *nvdimm_bus,
--
drivers/nvdimm/bus.c-195-	struct clear_badblocks_context ctx = {
drivers/nvdimm/bus.c:196:		.phys = phys,
drivers/nvdimm/bus.c-197-		.cleared = cleared,
--
drivers/platform/surface/surface_aggregator_tabletsw.c=301=static const struct ssam_tablet_sw_desc ssam_kip_sw_desc = {
--
drivers/platform/surface/surface_aggregator_tabletsw.c-303-		.name = "Microsoft Surface KIP Tablet Mode Switch",
drivers/platform/surface/surface_aggregator_tabletsw.c:304:		.phys = "ssam/01:0e:01:00:01/input0",
drivers/platform/surface/surface_aggregator_tabletsw.c-305-	},
--
drivers/platform/surface/surface_aggregator_tabletsw.c=600=static const struct ssam_tablet_sw_desc ssam_pos_sw_desc = {
--
drivers/platform/surface/surface_aggregator_tabletsw.c-602-		.name = "Microsoft Surface POS Tablet Mode Switch",
drivers/platform/surface/surface_aggregator_tabletsw.c:603:		.phys = "ssam/01:26:01:00:01/input0",
drivers/platform/surface/surface_aggregator_tabletsw.c-604-	},
--
drivers/tty/serial/msm_serial.c=620=static void msm_start_rx_dma(struct msm_port *msm_port)
--
drivers/tty/serial/msm_serial.c-632-
drivers/tty/serial/msm_serial.c:633:	dma->rx.phys = dma_map_single(uart->dev, dma->rx.virt,
drivers/tty/serial/msm_serial.c-634-				   UARTDM_RX_SIZE, dma->dir);
--
sound/core/pcm_misc.c=50=static const struct pcm_format_data pcm_formats[(INT)SNDRV_PCM_FORMAT_LAST+1] = {
sound/core/pcm_misc.c-51-	[SNDRV_PCM_FORMAT_S8] = {
sound/core/pcm_misc.c:52:		.width = 8, .phys = 8, .le = -1, .signd = 1,
sound/core/pcm_misc.c-53-		.silence = {},
--
sound/core/pcm_misc.c-55-	[SNDRV_PCM_FORMAT_U8] = {
sound/core/pcm_misc.c:56:		.width = 8, .phys = 8, .le = -1, .signd = 0,
sound/core/pcm_misc.c-57-		.silence = { 0x80 },
--
sound/core/pcm_misc.c-59-	[SNDRV_PCM_FORMAT_S16_LE] = {
sound/core/pcm_misc.c:60:		.width = 16, .phys = 16, .le = 1, .signd = 1,
sound/core/pcm_misc.c-61-		.silence = {},
--
sound/core/pcm_misc.c-63-	[SNDRV_PCM_FORMAT_S16_BE] = {
sound/core/pcm_misc.c:64:		.width = 16, .phys = 16, .le = 0, .signd = 1,
sound/core/pcm_misc.c-65-		.silence = {},
--
sound/core/pcm_misc.c-67-	[SNDRV_PCM_FORMAT_U16_LE] = {
sound/core/pcm_misc.c:68:		.width = 16, .phys = 16, .le = 1, .signd = 0,
sound/core/pcm_misc.c-69-		.silence = { 0x00, 0x80 },
--
sound/core/pcm_misc.c-71-	[SNDRV_PCM_FORMAT_U16_BE] = {
sound/core/pcm_misc.c:72:		.width = 16, .phys = 16, .le = 0, .signd = 0,
sound/core/pcm_misc.c-73-		.silence = { 0x80, 0x00 },
--
sound/core/pcm_misc.c-75-	[SNDRV_PCM_FORMAT_S24_LE] = {
sound/core/pcm_misc.c:76:		.width = 24, .phys = 32, .le = 1, .signd = 1,
sound/core/pcm_misc.c-77-		.silence = {},
--
sound/core/pcm_misc.c-79-	[SNDRV_PCM_FORMAT_S24_BE] = {
sound/core/pcm_misc.c:80:		.width = 24, .phys = 32, .le = 0, .signd = 1,
sound/core/pcm_misc.c-81-		.silence = {},
--
sound/core/pcm_misc.c-83-	[SNDRV_PCM_FORMAT_U24_LE] = {
sound/core/pcm_misc.c:84:		.width = 24, .phys = 32, .le = 1, .signd = 0,
sound/core/pcm_misc.c-85-		.silence = { 0x00, 0x00, 0x80 },
--
sound/core/pcm_misc.c-87-	[SNDRV_PCM_FORMAT_U24_BE] = {
sound/core/pcm_misc.c:88:		.width = 24, .phys = 32, .le = 0, .signd = 0,
sound/core/pcm_misc.c-89-		.silence = { 0x00, 0x80, 0x00, 0x00 },
--
sound/core/pcm_misc.c-91-	[SNDRV_PCM_FORMAT_S32_LE] = {
sound/core/pcm_misc.c:92:		.width = 32, .phys = 32, .le = 1, .signd = 1,
sound/core/pcm_misc.c-93-		.silence = {},
--
sound/core/pcm_misc.c-95-	[SNDRV_PCM_FORMAT_S32_BE] = {
sound/core/pcm_misc.c:96:		.width = 32, .phys = 32, .le = 0, .signd = 1,
sound/core/pcm_misc.c-97-		.silence = {},
--
sound/core/pcm_misc.c-99-	[SNDRV_PCM_FORMAT_U32_LE] = {
sound/core/pcm_misc.c:100:		.width = 32, .phys = 32, .le = 1, .signd = 0,
sound/core/pcm_misc.c-101-		.silence = { 0x00, 0x00, 0x00, 0x80 },
--
sound/core/pcm_misc.c-103-	[SNDRV_PCM_FORMAT_U32_BE] = {
sound/core/pcm_misc.c:104:		.width = 32, .phys = 32, .le = 0, .signd = 0,
sound/core/pcm_misc.c-105-		.silence = { 0x80, 0x00, 0x00, 0x00 },
--
sound/core/pcm_misc.c-107-	[SNDRV_PCM_FORMAT_FLOAT_LE] = {
sound/core/pcm_misc.c:108:		.width = 32, .phys = 32, .le = 1, .signd = -1,
sound/core/pcm_misc.c-109-		.silence = {},
--
sound/core/pcm_misc.c-111-	[SNDRV_PCM_FORMAT_FLOAT_BE] = {
sound/core/pcm_misc.c:112:		.width = 32, .phys = 32, .le = 0, .signd = -1,
sound/core/pcm_misc.c-113-		.silence = {},
--
sound/core/pcm_misc.c-115-	[SNDRV_PCM_FORMAT_FLOAT64_LE] = {
sound/core/pcm_misc.c:116:		.width = 64, .phys = 64, .le = 1, .signd = -1,
sound/core/pcm_misc.c-117-		.silence = {},
--
sound/core/pcm_misc.c-119-	[SNDRV_PCM_FORMAT_FLOAT64_BE] = {
sound/core/pcm_misc.c:120:		.width = 64, .phys = 64, .le = 0, .signd = -1,
sound/core/pcm_misc.c-121-		.silence = {},
--
sound/core/pcm_misc.c-123-	[SNDRV_PCM_FORMAT_IEC958_SUBFRAME_LE] = {
sound/core/pcm_misc.c:124:		.width = 32, .phys = 32, .le = 1, .signd = -1,
sound/core/pcm_misc.c-125-		.silence = {},
--
sound/core/pcm_misc.c-127-	[SNDRV_PCM_FORMAT_IEC958_SUBFRAME_BE] = {
sound/core/pcm_misc.c:128:		.width = 32, .phys = 32, .le = 0, .signd = -1,
sound/core/pcm_misc.c-129-		.silence = {},
--
sound/core/pcm_misc.c-131-	[SNDRV_PCM_FORMAT_MU_LAW] = {
sound/core/pcm_misc.c:132:		.width = 8, .phys = 8, .le = -1, .signd = -1,
sound/core/pcm_misc.c-133-		.silence = { 0x7f },
--
sound/core/pcm_misc.c-135-	[SNDRV_PCM_FORMAT_A_LAW] = {
sound/core/pcm_misc.c:136:		.width = 8, .phys = 8, .le = -1, .signd = -1,
sound/core/pcm_misc.c-137-		.silence = { 0x55 },
--
sound/core/pcm_misc.c-139-	[SNDRV_PCM_FORMAT_IMA_ADPCM] = {
sound/core/pcm_misc.c:140:		.width = 4, .phys = 4, .le = -1, .signd = -1,
sound/core/pcm_misc.c-141-		.silence = {},
--
sound/core/pcm_misc.c-143-	[SNDRV_PCM_FORMAT_G723_24] = {
sound/core/pcm_misc.c:144:		.width = 3, .phys = 3, .le = -1, .signd = -1,
sound/core/pcm_misc.c-145-		.silence = {},
--
sound/core/pcm_misc.c-147-	[SNDRV_PCM_FORMAT_G723_40] = {
sound/core/pcm_misc.c:148:		.width = 5, .phys = 5, .le = -1, .signd = -1,
sound/core/pcm_misc.c-149-		.silence = {},
--
sound/core/pcm_misc.c-151-	[SNDRV_PCM_FORMAT_DSD_U8] = {
sound/core/pcm_misc.c:152:		.width = 8, .phys = 8, .le = 1, .signd = 0,
sound/core/pcm_misc.c-153-		.silence = { 0x69 },
--
sound/core/pcm_misc.c-155-	[SNDRV_PCM_FORMAT_DSD_U16_LE] = {
sound/core/pcm_misc.c:156:		.width = 16, .phys = 16, .le = 1, .signd = 0,
sound/core/pcm_misc.c-157-		.silence = { 0x69, 0x69 },
--
sound/core/pcm_misc.c-159-	[SNDRV_PCM_FORMAT_DSD_U32_LE] = {
sound/core/pcm_misc.c:160:		.width = 32, .phys = 32, .le = 1, .signd = 0,
sound/core/pcm_misc.c-161-		.silence = { 0x69, 0x69, 0x69, 0x69 },
--
sound/core/pcm_misc.c-163-	[SNDRV_PCM_FORMAT_DSD_U16_BE] = {
sound/core/pcm_misc.c:164:		.width = 16, .phys = 16, .le = 0, .signd = 0,
sound/core/pcm_misc.c-165-		.silence = { 0x69, 0x69 },
--
sound/core/pcm_misc.c-167-	[SNDRV_PCM_FORMAT_DSD_U32_BE] = {
sound/core/pcm_misc.c:168:		.width = 32, .phys = 32, .le = 0, .signd = 0,
sound/core/pcm_misc.c-169-		.silence = { 0x69, 0x69, 0x69, 0x69 },
--
sound/core/pcm_misc.c-178-	[SNDRV_PCM_FORMAT_S20_LE] = {
sound/core/pcm_misc.c:179:		.width = 20, .phys = 32, .le = 1, .signd = 1,
sound/core/pcm_misc.c-180-		.silence = {},
--
sound/core/pcm_misc.c-182-	[SNDRV_PCM_FORMAT_S20_BE] = {
sound/core/pcm_misc.c:183:		.width = 20, .phys = 32, .le = 0, .signd = 1,
sound/core/pcm_misc.c-184-		.silence = {},
--
sound/core/pcm_misc.c-186-	[SNDRV_PCM_FORMAT_U20_LE] = {
sound/core/pcm_misc.c:187:		.width = 20, .phys = 32, .le = 1, .signd = 0,
sound/core/pcm_misc.c-188-		.silence = { 0x00, 0x00, 0x08, 0x00 },
--
sound/core/pcm_misc.c-190-	[SNDRV_PCM_FORMAT_U20_BE] = {
sound/core/pcm_misc.c:191:		.width = 20, .phys = 32, .le = 0, .signd = 0,
sound/core/pcm_misc.c-192-		.silence = { 0x00, 0x08, 0x00, 0x00 },
--
sound/core/pcm_misc.c-198-	[SNDRV_PCM_FORMAT_S24_3LE] = {
sound/core/pcm_misc.c:199:		.width = 24, .phys = 24, .le = 1, .signd = 1,
sound/core/pcm_misc.c-200-		.silence = {},
--
sound/core/pcm_misc.c-202-	[SNDRV_PCM_FORMAT_S24_3BE] = {
sound/core/pcm_misc.c:203:		.width = 24, .phys = 24, .le = 0, .signd = 1,
sound/core/pcm_misc.c-204-		.silence = {},
--
sound/core/pcm_misc.c-206-	[SNDRV_PCM_FORMAT_U24_3LE] = {
sound/core/pcm_misc.c:207:		.width = 24, .phys = 24, .le = 1, .signd = 0,
sound/core/pcm_misc.c-208-		.silence = { 0x00, 0x00, 0x80 },
--
sound/core/pcm_misc.c-210-	[SNDRV_PCM_FORMAT_U24_3BE] = {
sound/core/pcm_misc.c:211:		.width = 24, .phys = 24, .le = 0, .signd = 0,
sound/core/pcm_misc.c-212-		.silence = { 0x80, 0x00, 0x00 },
--
sound/core/pcm_misc.c-214-	[SNDRV_PCM_FORMAT_S20_3LE] = {
sound/core/pcm_misc.c:215:		.width = 20, .phys = 24, .le = 1, .signd = 1,
sound/core/pcm_misc.c-216-		.silence = {},
--
sound/core/pcm_misc.c-218-	[SNDRV_PCM_FORMAT_S20_3BE] = {
sound/core/pcm_misc.c:219:		.width = 20, .phys = 24, .le = 0, .signd = 1,
sound/core/pcm_misc.c-220-		.silence = {},
--
sound/core/pcm_misc.c-222-	[SNDRV_PCM_FORMAT_U20_3LE] = {
sound/core/pcm_misc.c:223:		.width = 20, .phys = 24, .le = 1, .signd = 0,
sound/core/pcm_misc.c-224-		.silence = { 0x00, 0x00, 0x08 },
--
sound/core/pcm_misc.c-226-	[SNDRV_PCM_FORMAT_U20_3BE] = {
sound/core/pcm_misc.c:227:		.width = 20, .phys = 24, .le = 0, .signd = 0,
sound/core/pcm_misc.c-228-		.silence = { 0x08, 0x00, 0x00 },
--
sound/core/pcm_misc.c-230-	[SNDRV_PCM_FORMAT_S18_3LE] = {
sound/core/pcm_misc.c:231:		.width = 18, .phys = 24, .le = 1, .signd = 1,
sound/core/pcm_misc.c-232-		.silence = {},
--
sound/core/pcm_misc.c-234-	[SNDRV_PCM_FORMAT_S18_3BE] = {
sound/core/pcm_misc.c:235:		.width = 18, .phys = 24, .le = 0, .signd = 1,
sound/core/pcm_misc.c-236-		.silence = {},
--
sound/core/pcm_misc.c-238-	[SNDRV_PCM_FORMAT_U18_3LE] = {
sound/core/pcm_misc.c:239:		.width = 18, .phys = 24, .le = 1, .signd = 0,
sound/core/pcm_misc.c-240-		.silence = { 0x00, 0x00, 0x02 },
--
sound/core/pcm_misc.c-242-	[SNDRV_PCM_FORMAT_U18_3BE] = {
sound/core/pcm_misc.c:243:		.width = 18, .phys = 24, .le = 0, .signd = 0,
sound/core/pcm_misc.c-244-		.silence = { 0x02, 0x00, 0x00 },
--
sound/core/pcm_misc.c-246-	[SNDRV_PCM_FORMAT_G723_24_1B] = {
sound/core/pcm_misc.c:247:		.width = 3, .phys = 8, .le = -1, .signd = -1,
sound/core/pcm_misc.c-248-		.silence = {},
--
sound/core/pcm_misc.c-250-	[SNDRV_PCM_FORMAT_G723_40_1B] = {
sound/core/pcm_misc.c:251:		.width = 5, .phys = 8, .le = -1, .signd = -1,
sound/core/pcm_misc.c-252-		.silence = {},
--
sound/pci/mixart/mixart.c=1212=static int snd_mixart_probe(struct pci_dev *pci,
--
sound/pci/mixart/mixart.c-1262-	for (i = 0; i < 2; i++) {
sound/pci/mixart/mixart.c:1263:		mgr->mem[i].phys = pci_resource_start(pci, i);
sound/pci/mixart/mixart.c-1264-		mgr->mem[i].virt = pci_ioremap_bar(pci, i);
]

gemini-3-flash-preview

							input: 98151
							output: 19
							thoughts: 1217
						

**Analyzing a Kernel Crash in `input_devices_seq_show`**

Okay, let's break this down. I see a crash in `input_devices_seq_show`, specifically at the line accessing `dev->phys`. My initial thought was a classic use-after-free scenario, perhaps with a driver dynamically allocating the `phys` string using `devm_kasprintf` and the device then getting destroyed. However, quickly, I see that this isn't likely, because `pm8941-pwrkey.c` uses a static string for `.phys`. I'm starting to think it's a more interesting bug than I initially thought.

I initially thought that `ieee80211_inform_bss` might be the culprit. But it doesn't create any devices.

Then I realized that `path` is allocated and freed within `input_devices_seq_show`, but the crash occurs *before* the `kfree`. That means it's not a `path` problem; the issue is with `dev->phys` itself.

The key is this: the crash occurs while accessing the *contents* of `dev->phys`. KASAN indicates a read from a specific address (`ffff888059a15a20`). So, `dev->phys` must *point* to that freed memory location. This is crucial!

I thought maybe the `input_dev` struct itself was freed, and its memory re-used, which would lead to the corruption I see. But the sizes of `input_dev` and `ieee80211_elems_parse` preclude this. They're on different kmalloc slabs.

Okay, let's re-evaluate. I need to understand how the bad pointer got into `dev->phys`. Who is writing to this memory location? I need to think outside the box. Is the struct `input_dev` even correct? I have to consider the possibility of a corrupted `input_dev_list`.

This is where it gets interesting. I see that `v` in the `seq_file` iterator isn't necessarily a valid `struct input_dev`. It's pulled from `input_dev_list`. If `input_dev_list` is corrupted, the `container_of` macro could be misinterpreting memory.

If `v` points to the freed object (e.g., `ffff888059a15800`), and `node` is at offset 1904 bytes within `input_dev`, then `container_of` will result in a garbage `dev` address. The offset calculation from `v` to `dev` is, in fact, not what I'm seeing. This hypothesis is not correct.

But, the address of interest is `ffff888059a15a20`, which is the *content* of `dev->phys`. So `dev->phys` must contain *that* address. If `dev` is a valid `input_dev`, then offset 8 must point to this address.

Now, I'm thinking about other possible root causes. Is there anything in the `mac80211` code that could somehow set the `phys` field of an `input_dev` to an address belonging to `mac80211` memory? I need to consider all the places that could write this value. I'll search for uses of `input_register_device` within the network code. Then, I check all of the places where `ieee80211_inform_bss` is called. It looks like my attention should be on the `cfg80211` code. Let's see...

map[Expression:input_register_device]

map[Output:
Full output is too long, showing 500 out of 2999 lines.
Use more precise expression if possible.

[Documentation/input/input-programming.rst=10=pressed or released a BUTTON_IRQ happens. The driver could look like::
 --
 Documentation/input/input-programming.rst-46-
 Documentation/input/input-programming.rst:47:	    error = input_register_device(button_dev);
 Documentation/input/input-programming.rst-48-	    if (error) {
 --
 Documentation/input/input-programming.rst=94=Then the example driver registers the input device structure by calling::
 Documentation/input/input-programming.rst-95-
 Documentation/input/input-programming.rst:96:	input_register_device(button_dev);
 Documentation/input/input-programming.rst-97-
 --
 Documentation/input/input-programming.rst=99=calls device handler modules _connect functions to tell them a new input
 Documentation/input/input-programming.rst:100:device has appeared. input_register_device() may sleep and therefore must
 Documentation/input/input-programming.rst-101-not be called from an interrupt or with a spinlock held.
 --
 Documentation/input/input-programming.rst=241=However EV_ABS requires a little special care. Before calling
 Documentation/input/input-programming.rst:242:input_register_device, you have to fill additional fields in the input_dev
 Documentation/input/input-programming.rst-243-struct for each absolute axis your device has. If our button device had also
 --
 arch/x86/platform/olpc/olpc-xo1-sci.c=435=static int setup_power_button(struct platform_device *pdev)
 --
 arch/x86/platform/olpc/olpc-xo1-sci.c-450-
 arch/x86/platform/olpc/olpc-xo1-sci.c:451:	r = input_register_device(power_button_idev);
 arch/x86/platform/olpc/olpc-xo1-sci.c-452-	if (r) {
 --
 arch/x86/platform/olpc/olpc-xo1-sci.c=465=static int setup_ebook_switch(struct platform_device *pdev)
 --
 arch/x86/platform/olpc/olpc-xo1-sci.c-480-
 arch/x86/platform/olpc/olpc-xo1-sci.c:481:	r = input_register_device(ebook_switch_idev);
 arch/x86/platform/olpc/olpc-xo1-sci.c-482-	if (r) {
 --
 arch/x86/platform/olpc/olpc-xo1-sci.c=495=static int setup_lid_switch(struct platform_device *pdev)
 --
 arch/x86/platform/olpc/olpc-xo1-sci.c-510-
 arch/x86/platform/olpc/olpc-xo1-sci.c:511:	r = input_register_device(lid_switch_idev);
 arch/x86/platform/olpc/olpc-xo1-sci.c-512-	if (r) {
 --
 drivers/accessibility/speakup/fakekey.c=22=int speakup_add_virtual_keyboard(void)
 --
 drivers/accessibility/speakup/fakekey.c-38-
 drivers/accessibility/speakup/fakekey.c:39:	err = input_register_device(virt_keyboard);
 drivers/accessibility/speakup/fakekey.c-40-	if (err) {
 --
 drivers/acpi/acpi_video.c=1894=static int acpi_video_bus_add_notify_handler(struct acpi_video_bus *video)
 --
 drivers/acpi/acpi_video.c-1927-
 drivers/acpi/acpi_video.c:1928:	error = input_register_device(input);
 drivers/acpi/acpi_video.c-1929-	if (error)
 --
 drivers/acpi/button.c=534=static int acpi_button_add(struct acpi_device *device)
 --
 drivers/acpi/button.c-620-	input_set_drvdata(input, device);
 drivers/acpi/button.c:621:	error = input_register_device(input);
 drivers/acpi/button.c-622-	if (error) {
 --
 drivers/auxdisplay/ht16k33.c=493=static int ht16k33_keypad_probe(struct i2c_client *client,
 --
 drivers/auxdisplay/ht16k33.c-557-
 drivers/auxdisplay/ht16k33.c:558:	return input_register_device(keypad->dev);
 drivers/auxdisplay/ht16k33.c-559-}
 --
 drivers/char/sonypi.c=1147=static int sonypi_create_input_devices(struct platform_device *pdev)
 --
 drivers/char/sonypi.c-1183-
 drivers/char/sonypi.c:1184:	error = input_register_device(jog_dev);
 drivers/char/sonypi.c-1185-	if (error)
 --
 drivers/char/sonypi.c-1187-
 drivers/char/sonypi.c:1188:	error = input_register_device(key_dev);
 drivers/char/sonypi.c-1189-	if (error)
 --
 drivers/extcon/extcon-max77693.c=1068=static int max77693_muic_probe(struct platform_device *pdev)
 --
 drivers/extcon/extcon-max77693.c-1120-
 drivers/extcon/extcon-max77693.c:1121:	ret = input_register_device(info->dock);
 drivers/extcon/extcon-max77693.c-1122-	if (ret < 0) {
 --
 drivers/hid/hid-alps.c=674=static int alps_input_configured(struct hid_device *hdev, struct hid_input *hi)
 --
 drivers/hid/hid-alps.c-761-
 drivers/hid/hid-alps.c:762:		if (input_register_device(data->input2)) {
 drivers/hid/hid-alps.c-763-			input_free_device(input2);
 --
 drivers/hid/hid-elan.c=152=static int elan_input_configured(struct hid_device *hdev, struct hid_input *hi)
 --
 drivers/hid/hid-elan.c-196-
 drivers/hid/hid-elan.c:197:	ret = input_register_device(input);
 drivers/hid/hid-elan.c-198-	if (ret) {
 --
 drivers/hid/hid-google-hammer.c=177=static int __cbas_ec_probe(struct platform_device *pdev)
 --
 drivers/hid/hid-google-hammer.c-199-
 drivers/hid/hid-google-hammer.c:200:	error = input_register_device(input);
 drivers/hid/hid-google-hammer.c-201-	if (error) {
 --
 drivers/hid/hid-input.c=2292=int hidinput_connect(struct hid_device *hid, unsigned int force)
 --
 drivers/hid/hid-input.c-2370-
 drivers/hid/hid-input.c:2371:		if (input_register_device(hidinput->input))
 drivers/hid/hid-input.c-2372-			goto out_unwind;
 --
 drivers/hid/hid-letsketch.c=103=static int letsketch_setup_input_tablet(struct letsketch_data *data)
 --
 drivers/hid/hid-letsketch.c-125-
 drivers/hid/hid-letsketch.c:126:	return input_register_device(data->input_tablet);
 drivers/hid/hid-letsketch.c-127-}
 --
 drivers/hid/hid-letsketch.c=129=static int letsketch_setup_input_tablet_pad(struct letsketch_data *data)
 --
 drivers/hid/hid-letsketch.c-152-
 drivers/hid/hid-letsketch.c:153:	return input_register_device(data->input_tablet_pad);
 drivers/hid/hid-letsketch.c-154-}
 --
 drivers/hid/hid-lg-g15.c=1113=static int lg_g15_probe(struct hid_device *hdev, const struct hid_device_id *id)
 --
 drivers/hid/hid-lg-g15.c-1258-		lg_g15_init_input_dev(hdev, g15->input, "Logitech Z-10 LCD Menu Keys");
 drivers/hid/hid-lg-g15.c:1259:		ret = input_register_device(g15->input);
 drivers/hid/hid-lg-g15.c-1260-		if (ret)
 --
 drivers/hid/hid-lg-g15.c-1280-				      input_js, "Logitech G13 Thumbstick");
 drivers/hid/hid-lg-g15.c:1281:		ret = input_register_device(input);
 drivers/hid/hid-lg-g15.c-1282-		if (ret)
 drivers/hid/hid-lg-g15.c-1283-			goto error_hw_stop;
 drivers/hid/hid-lg-g15.c:1284:		ret = input_register_device(input_js);
 drivers/hid/hid-lg-g15.c-1285-		if (ret)
 --
 drivers/hid/hid-lg-g15.c-1324-
 drivers/hid/hid-lg-g15.c:1325:	ret = input_register_device(input);
 drivers/hid/hid-lg-g15.c-1326-	if (ret)
 --
 drivers/hid/hid-logitech-hidpp.c=4171=static void hidpp_connect_event(struct work_struct *work)
 --
 drivers/hid/hid-logitech-hidpp.c-4282-
 drivers/hid/hid-logitech-hidpp.c:4283:	ret = input_register_device(input);
 drivers/hid/hid-logitech-hidpp.c-4284-	if (ret) {
 --
 drivers/hid/hid-nintendo.c=2055=static int joycon_imu_input_create(struct joycon_ctlr *ctlr)
 --
 drivers/hid/hid-nintendo.c-2114-
 drivers/hid/hid-nintendo.c:2115:	ret = input_register_device(ctlr->imu_input);
 drivers/hid/hid-nintendo.c-2116-	if (ret)
 --
 drivers/hid/hid-nintendo.c=2122=static int joycon_input_create(struct joycon_ctlr *ctlr)
 --
 drivers/hid/hid-nintendo.c-2140-
 drivers/hid/hid-nintendo.c:2141:	ret = input_register_device(ctlr->input);
 drivers/hid/hid-nintendo.c-2142-	if (ret)
 --
 drivers/hid/hid-nvidia-shield.c=271=static struct input_dev *shield_haptics_create(
 --
 drivers/hid/hid-nvidia-shield.c-289-
 drivers/hid/hid-nvidia-shield.c:290:	ret = input_register_device(haptics);
 drivers/hid/hid-nvidia-shield.c-291-	if (ret)
 --
 drivers/hid/hid-picolcd_core.c=407=static int picolcd_init_keys(struct picolcd_data *data,
 --
 drivers/hid/hid-picolcd_core.c-443-		input_set_capability(idev, EV_KEY, data->keycode[i]);
 drivers/hid/hid-picolcd_core.c:444:	error = input_register_device(idev);
 drivers/hid/hid-picolcd_core.c-445-	if (error) {
 --
 drivers/hid/hid-playstation.c=745=ps_gamepad_create(struct hid_device *hdev,
 --
 drivers/hid/hid-playstation.c-775-
 drivers/hid/hid-playstation.c:776:	ret = input_register_device(gamepad);
 drivers/hid/hid-playstation.c-777-	if (ret)
 --
 drivers/hid/hid-playstation.c=894=static struct input_dev *ps_sensors_create(struct hid_device *hdev, int accel_range,
 --
 drivers/hid/hid-playstation.c-923-
 drivers/hid/hid-playstation.c:924:	ret = input_register_device(sensors);
 drivers/hid/hid-playstation.c-925-	if (ret)
 --
 drivers/hid/hid-playstation.c=931=static struct input_dev *ps_touchpad_create(struct hid_device *hdev, int width,
 --
 drivers/hid/hid-playstation.c-951-
 drivers/hid/hid-playstation.c:952:	ret = input_register_device(touchpad);
 drivers/hid/hid-playstation.c-953-	if (ret)
 --
 drivers/hid/hid-playstation.c=959=static struct input_dev *ps_headset_jack_create(struct hid_device *hdev)
 --
 drivers/hid/hid-playstation.c-970-
 drivers/hid/hid-playstation.c:971:	ret = input_register_device(jack);
 drivers/hid/hid-playstation.c-972-	if (ret)
 --
 drivers/hid/hid-sony.c=1008=static int sony_register_touchpad(struct sony_sc *sc, int touch_count,
 --
 drivers/hid/hid-sony.c-1067-
 drivers/hid/hid-sony.c:1068:	ret = input_register_device(sc->touchpad);
 drivers/hid/hid-sony.c-1069-	if (ret < 0)
 --
 drivers/hid/hid-sony.c=1075=static int sony_register_sensors(struct sony_sc *sc)
 --
 drivers/hid/hid-sony.c-1120-
 drivers/hid/hid-sony.c:1121:	ret = input_register_device(sc->sensor_dev);
 drivers/hid/hid-sony.c-1122-	if (ret < 0)
 --
 drivers/hid/hid-steam.c=706=static int steam_input_register(struct steam_device *steam)
 --
 drivers/hid/hid-steam.c-821-
 drivers/hid/hid-steam.c:822:	ret = input_register_device(input);
 drivers/hid/hid-steam.c-823-	if (ret)
 --
 drivers/hid/hid-steam.c=834=static int steam_sensors_register(struct steam_device *steam)
 --
 drivers/hid/hid-steam.c-889-
 drivers/hid/hid-steam.c:890:	ret = input_register_device(sensors);
 drivers/hid/hid-steam.c-891-	if (ret)
 --
 drivers/hid/hid-udraw-ps3.c=407=static int udraw_probe(struct hid_device *hdev, const struct hid_device_id *id)
 --
 drivers/hid/hid-udraw-ps3.c-435-
 drivers/hid/hid-udraw-ps3.c:436:	ret = input_register_device(udraw->joy_input_dev) ||
 drivers/hid/hid-udraw-ps3.c:437:		input_register_device(udraw->touch_input_dev) ||
 drivers/hid/hid-udraw-ps3.c:438:		input_register_device(udraw->pen_input_dev) ||
 drivers/hid/hid-udraw-ps3.c:439:		input_register_device(udraw->accel_input_dev);
 drivers/hid/hid-udraw-ps3.c-440-	if (ret) {
 --
 drivers/hid/hid-wiimote-core.c=624=static void wiimote_modules_load(struct wiimote_data *wdata,
 --
 drivers/hid/hid-wiimote-core.c-665-	if (wdata->input) {
 drivers/hid/hid-wiimote-core.c:666:		ret = input_register_device(wdata->input);
 drivers/hid/hid-wiimote-core.c-667-		if (ret)
 --
 drivers/hid/hid-wiimote-modules.c=481=static int wiimod_accel_probe(const struct wiimod_ops *ops,
 --
 drivers/hid/hid-wiimote-modules.c-507-
 drivers/hid/hid-wiimote-modules.c:508:	ret = input_register_device(wdata->accel);
 drivers/hid/hid-wiimote-modules.c-509-	if (ret) {
 --
 drivers/hid/hid-wiimote-modules.c=733=static int wiimod_ir_probe(const struct wiimod_ops *ops,
 --
 drivers/hid/hid-wiimote-modules.c-769-
 drivers/hid/hid-wiimote-modules.c:770:	ret = input_register_device(wdata->ir);
 drivers/hid/hid-wiimote-modules.c-771-	if (ret) {
 --
 drivers/hid/hid-wiimote-modules.c=928=static int wiimod_nunchuk_probe(const struct wiimod_ops *ops,
 --
 drivers/hid/hid-wiimote-modules.c-968-
 drivers/hid/hid-wiimote-modules.c:969:	ret = input_register_device(wdata->extension.input);
 drivers/hid/hid-wiimote-modules.c-970-	if (ret)
 --
 drivers/hid/hid-wiimote-modules.c=1222=static int wiimod_classic_probe(const struct wiimod_ops *ops,
 --
 drivers/hid/hid-wiimote-modules.c-1265-
 drivers/hid/hid-wiimote-modules.c:1266:	ret = input_register_device(wdata->extension.input);
 drivers/hid/hid-wiimote-modules.c-1267-	if (ret)
 --
 drivers/hid/hid-wiimote-modules.c=1467=static int wiimod_bboard_probe(const struct wiimod_ops *ops,
 --
 drivers/hid/hid-wiimote-modules.c-1535-
 drivers/hid/hid-wiimote-modules.c:1536:	ret = input_register_device(wdata->extension.input);
 drivers/hid/hid-wiimote-modules.c-1537-	if (ret)
 --
 drivers/hid/hid-wiimote-modules.c=1862=static int wiimod_pro_probe(const struct wiimod_ops *ops,
 --
 drivers/hid/hid-wiimote-modules.c-1925-
 drivers/hid/hid-wiimote-modules.c:1926:	ret = input_register_device(wdata->extension.input);
 drivers/hid/hid-wiimote-modules.c-1927-	if (ret)
 --
 drivers/hid/hid-wiimote-modules.c=2108=static int wiimod_drums_probe(const struct wiimod_ops *ops,
 --
 drivers/hid/hid-wiimote-modules.c-2159-
 drivers/hid/hid-wiimote-modules.c:2160:	ret = input_register_device(wdata->extension.input);
 drivers/hid/hid-wiimote-modules.c-2161-	if (ret)
 --
 drivers/hid/hid-wiimote-modules.c=2338=static int wiimod_guitar_probe(const struct wiimod_ops *ops,
 --
 drivers/hid/hid-wiimote-modules.c-2375-
 drivers/hid/hid-wiimote-modules.c:2376:	ret = input_register_device(wdata->extension.input);
 drivers/hid/hid-wiimote-modules.c-2377-	if (ret)
 --
 drivers/hid/hid-wiimote-modules.c=2557=static int wiimod_turntable_probe(const struct wiimod_ops *ops,
 --
 drivers/hid/hid-wiimote-modules.c-2599-			     ABS_HAT3X, 0, 7, 0, 0);	 
 drivers/hid/hid-wiimote-modules.c:2600:	ret = input_register_device(wdata->extension.input);
 drivers/hid/hid-wiimote-modules.c-2601-	if (ret)
 --
 drivers/hid/hid-wiimote-modules.c=2797=static int wiimod_mp_probe(const struct wiimod_ops *ops,
 --
 drivers/hid/hid-wiimote-modules.c-2826-
 drivers/hid/hid-wiimote-modules.c:2827:	ret = input_register_device(wdata->mp);
 drivers/hid/hid-wiimote-modules.c-2828-	if (ret)
 --
 drivers/hid/usbhid/usbkbd.c=261=static int usb_kbd_probe(struct usb_interface *iface,
 --
 drivers/hid/usbhid/usbkbd.c-352-
 drivers/hid/usbhid/usbkbd.c:353:	error = input_register_device(kbd->dev);
 drivers/hid/usbhid/usbkbd.c-354-	if (error)
 --
 drivers/hid/usbhid/usbmouse.c=106=static int usb_mouse_probe(struct usb_interface *intf, const struct usb_device_id *id)
 --
 drivers/hid/usbhid/usbmouse.c-185-
 drivers/hid/usbhid/usbmouse.c:186:	error = input_register_device(mouse->dev);
 drivers/hid/usbhid/usbmouse.c-187-	if (error)
 --
 drivers/hid/wacom_sys.c=2163=static int wacom_register_inputs(struct wacom *wacom)
 --
 drivers/hid/wacom_sys.c-2173-	if (pen_input_dev) {
 drivers/hid/wacom_sys.c:2174:		error = input_register_device(pen_input_dev);
 drivers/hid/wacom_sys.c-2175-		if (error)
 --
 drivers/hid/wacom_sys.c-2179-	if (touch_input_dev) {
 drivers/hid/wacom_sys.c:2180:		error = input_register_device(touch_input_dev);
 drivers/hid/wacom_sys.c-2181-		if (error)
 --
 drivers/hid/wacom_sys.c-2185-	if (pad_input_dev) {
 drivers/hid/wacom_sys.c:2186:		error = input_register_device(pad_input_dev);
 drivers/hid/wacom_sys.c-2187-		if (error)
 --
 drivers/hid/wacom_sys.c=2633=static int wacom_remote_create_one(struct wacom *wacom, u32 serial,
 --
 drivers/hid/wacom_sys.c-2679-
 drivers/hid/wacom_sys.c:2680:	error = input_register_device(remote->remotes[index].input);
 drivers/hid/wacom_sys.c-2681-	if (error)
 --
 drivers/hwmon/applesmc.c=1175=static int applesmc_create_accelerometer(void)
 --
 drivers/hwmon/applesmc.c-1209-
 drivers/hwmon/applesmc.c:1210:	ret = input_register_device(applesmc_idev);
 drivers/hwmon/applesmc.c-1211-	if (ret)
 --
 drivers/iio/adc/at91_adc.c=930=static int at91_ts_register(struct iio_dev *idev,
 --
 drivers/iio/adc/at91_adc.c-974-
 drivers/iio/adc/at91_adc.c:975:	ret = input_register_device(input);
 drivers/iio/adc/at91_adc.c-976-	if (ret)
 --
 drivers/input/input.c=358=void input_handle_event(struct input_dev *dev,
 --
 drivers/input/input.c-385- * allocated with input_allocate_device(), even before it is registered
 drivers/input/input.c:386: * with input_register_device(), but the event will not reach any of the
 drivers/input/input.c-387- * input handlers. Such early invocation of input_event() may be used
 --
 drivers/input/input.c=437=void input_alloc_absinfo(struct input_dev *dev)
 --
 drivers/input/input.c-447-		 * We will handle this allocation failure in
 drivers/input/input.c:448:		 * input_register_device() when we refuse to register input
 drivers/input/input.c-449-		 * device with ABS bits but without absinfo.
 --
 drivers/input/input.c=1993=EXPORT_SYMBOL(devm_input_allocate_device);
 --
 drivers/input/input.c-1998- *
 drivers/input/input.c:1999: * This function should only be used if input_register_device()
 drivers/input/input.c-2000- * was not called yet or if it failed. Once device was registered
 --
 drivers/input/input.c=2260=static int input_device_tune_vals(struct input_dev *dev)
 --
 drivers/input/input.c-2289-/**
 drivers/input/input.c:2290: * input_register_device - register device with input core
 drivers/input/input.c-2291- * @dev: device to be registered
 --
 drivers/input/input.c-2311- */
 drivers/input/input.c:2312:int input_register_device(struct input_dev *dev)
 drivers/input/input.c-2313-{
 --
 drivers/input/input.c-2395-}
 drivers/input/input.c:2396:EXPORT_SYMBOL(input_register_device);
 drivers/input/input.c-2397-
 --
 drivers/input/joystick/a3d.c=243=static int a3d_connect(struct gameport *gameport, struct gameport_driver *drv)
 --
 drivers/input/joystick/a3d.c-358-
 drivers/input/joystick/a3d.c:359:	err = input_register_device(a3d->dev);
 drivers/input/joystick/a3d.c-360-	if (err)
 --
 drivers/input/joystick/adafruit-seesaw.c=223=static int seesaw_probe(struct i2c_client *client)
 --
 drivers/input/joystick/adafruit-seesaw.c-296-
 drivers/input/joystick/adafruit-seesaw.c:297:	err = input_register_device(seesaw->input_dev);
 drivers/input/joystick/adafruit-seesaw.c-298-	if (err) {
 --
 drivers/input/joystick/adc-joystick.c=227=static int adc_joystick_probe(struct platform_device *pdev)
 --
 drivers/input/joystick/adc-joystick.c-304-
 drivers/input/joystick/adc-joystick.c:305:	error = input_register_device(input);
 drivers/input/joystick/adc-joystick.c-306-	if (error) {
 --
 drivers/input/joystick/adi.c=453=static int adi_connect(struct gameport *gameport, struct gameport_driver *drv)
 --
 drivers/input/joystick/adi.c-504-			adi_init_center(port->adi + i);
 drivers/input/joystick/adi.c:505:			err = input_register_device(port->adi[i].dev);
 drivers/input/joystick/adi.c-506-			if (err)
 --
 drivers/input/joystick/amijoy.c=86=static int __init amijoy_init(void)
 --
 drivers/input/joystick/amijoy.c-128-
 drivers/input/joystick/amijoy.c:129:		err = input_register_device(amijoy_dev[i]);
 drivers/input/joystick/amijoy.c-130-		if (err) {
 --
 drivers/input/joystick/analog.c=363=static int analog_init_device(struct analog_port *port, struct analog *analog, int index)
 --
 drivers/input/joystick/analog.c-441-
 drivers/input/joystick/analog.c:442:	error = input_register_device(analog->dev);
 drivers/input/joystick/analog.c-443-	if (error) {
 --
 drivers/input/joystick/as5011.c=215=static int as5011_probe(struct i2c_client *client)
 --
 drivers/input/joystick/as5011.c-306-
 drivers/input/joystick/as5011.c:307:	error = input_register_device(as5011->input_dev);
 drivers/input/joystick/as5011.c-308-	if (error) {
 --
 drivers/input/joystick/cobra.c=136=static int cobra_connect(struct gameport *gameport, struct gameport_driver *drv)
 --
 drivers/input/joystick/cobra.c-204-
 drivers/input/joystick/cobra.c:205:		err = input_register_device(cobra->dev[i]);
 drivers/input/joystick/cobra.c-206-		if (err)
 --
 drivers/input/joystick/db9.c=541=static void db9_attach(struct parport *pp)
 --
 drivers/input/joystick/db9.c-630-
 drivers/input/joystick/db9.c:631:		if (input_register_device(input_dev))
 drivers/input/joystick/db9.c-632-			goto err_free_dev;
 --
 drivers/input/joystick/fsia6b.c=127=static int fsia6b_serio_connect(struct serio *serio, struct serio_driver *drv)
 --
 drivers/input/joystick/fsia6b.c-184-
 drivers/input/joystick/fsia6b.c:185:	err = input_register_device(fsia6b->dev);
 drivers/input/joystick/fsia6b.c-186-	if (err)
 --
 drivers/input/joystick/gamecon.c=795=static int gc_setup_pad(struct gc *gc, int idx, int pad_type)
 --
 drivers/input/joystick/gamecon.c-904-
 drivers/input/joystick/gamecon.c:905:	err = input_register_device(pad->dev);
 drivers/input/joystick/gamecon.c-906-	if (err)
 --
 drivers/input/joystick/gf2k.c=218=static int gf2k_connect(struct gameport *gameport, struct gameport_driver *drv)
 --
 drivers/input/joystick/gf2k.c-323-
 drivers/input/joystick/gf2k.c:324:	err = input_register_device(gf2k->dev);
 drivers/input/joystick/gf2k.c-325-	if (err)
 --
 drivers/input/joystick/grip.c=279=static int grip_connect(struct gameport *gameport, struct gameport_driver *drv)
 --
 drivers/input/joystick/grip.c-367-
 drivers/input/joystick/grip.c:368:		err = input_register_device(grip->dev[i]);
 drivers/input/joystick/grip.c-369-		if (err)
 --
 drivers/input/joystick/grip_mp.c=584=static int register_slot(int slot, struct grip_mp *grip)
 --
 drivers/input/joystick/grip_mp.c-615-
 drivers/input/joystick/grip_mp.c:616:	err = input_register_device(port->dev);
 drivers/input/joystick/grip_mp.c-617-	if (err) {
 --
 drivers/input/joystick/guillemot.c=158=static int guillemot_connect(struct gameport *gameport, struct gameport_driver *drv)
 --
 drivers/input/joystick/guillemot.c-231-
 drivers/input/joystick/guillemot.c:232:	err = input_register_device(guillemot->dev);
 drivers/input/joystick/guillemot.c-233-	if (err)
 --
 drivers/input/joystick/iforce/iforce-main.c=212=int iforce_init_device(struct device *parent, u16 bustype,
 --
 drivers/input/joystick/iforce/iforce-main.c-390-
 drivers/input/joystick/iforce/iforce-main.c:391:	error = input_register_device(iforce->dev);
 drivers/input/joystick/iforce/iforce-main.c-392-	if (error)
 --
 drivers/input/joystick/interact.c=187=static int interact_connect(struct gameport *gameport, struct gameport_driver *drv)
 --
 drivers/input/joystick/interact.c-261-
 drivers/input/joystick/interact.c:262:	err = input_register_device(interact->dev);
 drivers/input/joystick/interact.c-263-	if (err)
 --
 drivers/input/joystick/magellan.c=128=static int magellan_connect(struct serio *serio, struct serio_driver *drv)
 --
 drivers/input/joystick/magellan.c-164-
 drivers/input/joystick/magellan.c:165:	err = input_register_device(magellan->dev);
 drivers/input/joystick/magellan.c-166-	if (err)
 --
 drivers/input/joystick/maplecontrol.c=82=static int probe_maple_controller(struct device *dev)
 --
 drivers/input/joystick/maplecontrol.c-143-
 drivers/input/joystick/maplecontrol.c:144:	error = input_register_device(idev);
 drivers/input/joystick/maplecontrol.c-145-	if (error)
 --
 drivers/input/joystick/n64joy.c=238=static int __init n64joy_probe(struct platform_device *pdev)
 --
 drivers/input/joystick/n64joy.c-307-
 drivers/input/joystick/n64joy.c:308:			err = input_register_device(dev);
 drivers/input/joystick/n64joy.c-309-			if (err) {
 --
 drivers/input/joystick/psxpad-spi.c=285=static int psxpad_spi_probe(struct spi_device *spi)
 --
 drivers/input/joystick/psxpad-spi.c-368-	/* register input poll device */
 drivers/input/joystick/psxpad-spi.c:369:	err = input_register_device(idev);
 drivers/input/joystick/psxpad-spi.c-370-	if (err) {
 --
 drivers/input/joystick/pxrc.c=117=static int pxrc_probe(struct usb_interface *intf,
 --
 drivers/input/joystick/pxrc.c-191-
 drivers/input/joystick/pxrc.c:192:	error = input_register_device(pxrc->input);
 drivers/input/joystick/pxrc.c-193-	if (error)
 --
 drivers/input/joystick/qwiic-joystick.c=62=static int qwiic_probe(struct i2c_client *client)
 --
 drivers/input/joystick/qwiic-joystick.c-110-
 drivers/input/joystick/qwiic-joystick.c:111:	err = input_register_device(priv->dev);
 drivers/input/joystick/qwiic-joystick.c-112-	if (err) {
 --
 drivers/input/joystick/sensehat-joystick.c=61=static int sensehat_joystick_probe(struct platform_device *pdev)
 --
 drivers/input/joystick/sensehat-joystick.c-93-
]
]

gemini-3-flash-preview

							input: 109962
							output: 18
							thoughts: 36
						

Okay, here's my take on those thoughts, tailored for an expert audience:

**Investigating Network Input Device Registration**

Alright, I was initially expecting to find a function like `input_register_device` within the `net/` directory, which is the logical place to look when working with network-related input devices. However, after a quick scan, it's not immediately apparent. Hmm... that's a bit odd.

Okay, instead of focusing on a specific registration function, let me broaden the search. I'll pivot my query and search the network code for any references to `input_dev` structures. That should reveal how network-related input devices are handled more generally, even if the registration mechanism is subtly different than what I anticipated. This approach will allow me to look for broader architectural patterns.

map[Expression:struct input_dev]

map[Output:
Full output is too long, showing 500 out of 11209 lines.
Use more precise expression if possible.

[Documentation/input/input-programming.rst=10=pressed or released a BUTTON_IRQ happens. The driver could look like::
 --
 Documentation/input/input-programming.rst-18-
 Documentation/input/input-programming.rst:19:    static struct input_dev *button_dev;
 Documentation/input/input-programming.rst-20-
 --
 Documentation/input/input-programming.rst=134=again. To do that, we would add this to our example driver::
 Documentation/input/input-programming.rst-135-
 Documentation/input/input-programming.rst:136:    static int button_open(struct input_dev *dev)
 Documentation/input/input-programming.rst-137-    {
 --
 Documentation/input/input-programming.rst-145-
 Documentation/input/input-programming.rst:146:    static void button_close(struct input_dev *dev)
 Documentation/input/input-programming.rst-147-    {
 --
 Documentation/input/input-programming.rst=217=It's reported to the input system via::
 Documentation/input/input-programming.rst-218-
 Documentation/input/input-programming.rst:219:	input_report_key(struct input_dev *dev, int code, int value)
 Documentation/input/input-programming.rst-220-
 --
 Documentation/input/input-programming.rst=235=set the corresponding bits and call the::
 Documentation/input/input-programming.rst-236-
 Documentation/input/input-programming.rst:237:	input_report_rel(struct input_dev *dev, int code, int value)
 Documentation/input/input-programming.rst-238-
 --
 Documentation/input/input-programming.rst=332=driver can handle these events, it has to set the respective bits in evbit,
 --
 Documentation/input/input-programming.rst-336-
 Documentation/input/input-programming.rst:337:    int button_event(struct input_dev *dev, unsigned int type,
 Documentation/input/input-programming.rst-338-		     unsigned int code, int value)
 --
 Documentation/input/input-programming.rst=354=the function::
 Documentation/input/input-programming.rst-355-
 Documentation/input/input-programming.rst:356:    int input_setup_polling(struct input_dev *dev,
 Documentation/input/input-programming.rst:357:        void (*poll_fn)(struct input_dev *dev))
 Documentation/input/input-programming.rst-358-
 --
 Documentation/input/input-programming.rst=362=There is also the function::
 Documentation/input/input-programming.rst-363-
 Documentation/input/input-programming.rst:364:    void input_set_poll_interval(struct input_dev *dev, unsigned int interval)
 Documentation/input/input-programming.rst-365-
 --
 arch/x86/platform/olpc/olpc-xo1-sci.c=29=static unsigned long acpi_base;
 arch/x86/platform/olpc/olpc-xo1-sci.c:30:static struct input_dev *power_button_idev;
 arch/x86/platform/olpc/olpc-xo1-sci.c:31:static struct input_dev *ebook_switch_idev;
 arch/x86/platform/olpc/olpc-xo1-sci.c:32:static struct input_dev *lid_switch_idev;
 arch/x86/platform/olpc/olpc-xo1-sci.c-33-
 --
 drivers/accessibility/speakup/fakekey.c=18=static DEFINE_PER_CPU(int, reporting_keystroke);
 drivers/accessibility/speakup/fakekey.c-19-
 drivers/accessibility/speakup/fakekey.c:20:static struct input_dev *virt_keyboard;
 drivers/accessibility/speakup/fakekey.c-21-
 --
 drivers/acpi/acpi_video.c=157=struct acpi_video_bus {
 --
 drivers/acpi/acpi_video.c-168-	struct list_head entry;
 drivers/acpi/acpi_video.c:169:	struct input_dev *input;
 drivers/acpi/acpi_video.c-170-	char phys[32];	/* for input device */
 --
 drivers/acpi/acpi_video.c=1541=static void acpi_video_bus_notify(acpi_handle handle, u32 event, void *data)
 --
 drivers/acpi/acpi_video.c-1544-	struct acpi_video_bus *video = acpi_driver_data(device);
 drivers/acpi/acpi_video.c:1545:	struct input_dev *input;
 drivers/acpi/acpi_video.c-1546-	int keycode = 0;
 --
 drivers/acpi/acpi_video.c=1604=static void acpi_video_device_notify(acpi_handle handle, u32 event, void *data)
 --
 drivers/acpi/acpi_video.c-1608-	struct acpi_video_bus *bus;
 drivers/acpi/acpi_video.c:1609:	struct input_dev *input;
 drivers/acpi/acpi_video.c-1610-	int keycode = 0;
 --
 drivers/acpi/acpi_video.c=1894=static int acpi_video_bus_add_notify_handler(struct acpi_video_bus *video)
 drivers/acpi/acpi_video.c-1895-{
 drivers/acpi/acpi_video.c:1896:	struct input_dev *input;
 drivers/acpi/acpi_video.c-1897-	struct acpi_video_device *dev;
 --
 drivers/acpi/button.c=171=struct acpi_button {
 drivers/acpi/button.c-172-	unsigned int type;
 drivers/acpi/button.c:173:	struct input_dev *input;
 drivers/acpi/button.c-174-	char phys[32];			/* for input device */
 --
 drivers/acpi/button.c=440=static void acpi_button_notify(acpi_handle handle, u32 event, void *data)
 --
 drivers/acpi/button.c-443-	struct acpi_button *button;
 drivers/acpi/button.c:444:	struct input_dev *input;
 drivers/acpi/button.c-445-	int keycode;
 --
 drivers/acpi/button.c=498=static int acpi_button_resume(struct device *dev)
 drivers/acpi/button.c-499-{
 drivers/acpi/button.c:500:	struct input_dev *input;
 drivers/acpi/button.c-501-	struct acpi_device *device = to_acpi_device(dev);
 --
 drivers/acpi/button.c-521-
 drivers/acpi/button.c:522:static int acpi_lid_input_open(struct input_dev *input)
 drivers/acpi/button.c-523-{
 --
 drivers/acpi/button.c=534=static int acpi_button_add(struct acpi_device *device)
 --
 drivers/acpi/button.c-537-	struct acpi_button *button;
 drivers/acpi/button.c:538:	struct input_dev *input;
 drivers/acpi/button.c-539-	const char *hid = acpi_device_hid(device);
 --
 drivers/auxdisplay/ht16k33.c=69=struct ht16k33_keypad {
 drivers/auxdisplay/ht16k33.c-70-	struct i2c_client *client;
 drivers/auxdisplay/ht16k33.c:71:	struct input_dev *dev;
 drivers/auxdisplay/ht16k33.c-72-	uint32_t cols;
 --
 drivers/auxdisplay/ht16k33.c=365=static irqreturn_t ht16k33_keypad_irq_thread(int irq, void *dev)
 --
 drivers/auxdisplay/ht16k33.c-378-
 drivers/auxdisplay/ht16k33.c:379:static int ht16k33_keypad_start(struct input_dev *dev)
 drivers/auxdisplay/ht16k33.c-380-{
 --
 drivers/auxdisplay/ht16k33.c-389-
 drivers/auxdisplay/ht16k33.c:390:static void ht16k33_keypad_stop(struct input_dev *dev)
 drivers/auxdisplay/ht16k33.c-391-{
 --
 drivers/char/sonypi.c=460=struct sonypi_keypress {
 drivers/char/sonypi.c:461:	struct input_dev *dev;
 drivers/char/sonypi.c-462-	int key;
 --
 drivers/char/sonypi.c=465=static struct sonypi_device {
 --
 drivers/char/sonypi.c-481-	int model;
 drivers/char/sonypi.c:482:	struct input_dev *input_jog_dev;
 drivers/char/sonypi.c:483:	struct input_dev *input_key_dev;
 drivers/char/sonypi.c-484-	struct work_struct input_work;
 --
 drivers/char/sonypi.c=775=static void sonypi_report_input_event(u8 event)
 drivers/char/sonypi.c-776-{
 drivers/char/sonypi.c:777:	struct input_dev *jog_dev = sonypi_device.input_jog_dev;
 drivers/char/sonypi.c:778:	struct input_dev *key_dev = sonypi_device.input_key_dev;
 drivers/char/sonypi.c-779-	struct sonypi_keypress kp = { NULL };
 --
 drivers/char/sonypi.c=1147=static int sonypi_create_input_devices(struct platform_device *pdev)
 drivers/char/sonypi.c-1148-{
 drivers/char/sonypi.c:1149:	struct input_dev *jog_dev;
 drivers/char/sonypi.c:1150:	struct input_dev *key_dev;
 drivers/char/sonypi.c-1151-	int i;
 --
 drivers/extcon/extcon-max77693.c=66=struct max77693_muic_info {
 --
 drivers/extcon/extcon-max77693.c-88-	/* Button of dock device */
 drivers/extcon/extcon-max77693.c:89:	struct input_dev *dock;
 drivers/extcon/extcon-max77693.c-90-
 --
 drivers/extcon/extcon-max77693.c=532=static int max77693_muic_dock_button_handler(struct max77693_muic_info *info,
 --
 drivers/extcon/extcon-max77693.c-534-{
 drivers/extcon/extcon-max77693.c:535:	struct input_dev *dock = info->dock;
 drivers/extcon/extcon-max77693.c-536-	unsigned int code;
 --
 drivers/hid/hid-a4tech.c=73=static int a4_event(struct hid_device *hdev, struct hid_field *field,
 --
 drivers/hid/hid-a4tech.c-76-	struct a4tech_sc *a4 = hid_get_drvdata(hdev);
 drivers/hid/hid-a4tech.c:77:	struct input_dev *input;
 drivers/hid/hid-a4tech.c-78-
 --
 drivers/hid/hid-alps.c=96=struct alps_dev {
 drivers/hid/hid-alps.c:97:	struct input_dev *input;
 drivers/hid/hid-alps.c:98:	struct input_dev *input2;
 drivers/hid/hid-alps.c-99-	struct hid_device *hdev;
 --
 drivers/hid/hid-alps.c=609=static int T4_init(struct hid_device *hdev, struct alps_dev *pri_data)
 --
 drivers/hid/hid-alps.c-659-
 drivers/hid/hid-alps.c:660:static int alps_sp_open(struct input_dev *dev)
 drivers/hid/hid-alps.c-661-{
 --
 drivers/hid/hid-alps.c-666-
 drivers/hid/hid-alps.c:667:static void alps_sp_close(struct input_dev *dev)
 drivers/hid/hid-alps.c-668-{
 --
 drivers/hid/hid-alps.c=674=static int alps_input_configured(struct hid_device *hdev, struct hid_input *hi)
 --
 drivers/hid/hid-alps.c-676-	struct alps_dev *data = hid_get_drvdata(hdev);
 drivers/hid/hid-alps.c:677:	struct input_dev *input = hi->input, *input2;
 drivers/hid/hid-alps.c-678-	int ret;
 --
 drivers/hid/hid-apple.c=383=static bool apple_is_omoton_kb066(struct hid_device *hdev)
 --
 drivers/hid/hid-apple.c-388-
 drivers/hid/hid-apple.c:389:static inline void apple_setup_key_translation(struct input_dev *input,
 drivers/hid/hid-apple.c-390-		const struct apple_key_translation *table)
 --
 drivers/hid/hid-apple.c=398=static const struct apple_key_translation *apple_find_translation(
 --
 drivers/hid/hid-apple.c-410-
 drivers/hid/hid-apple.c:411:static void input_event_with_scancode(struct input_dev *input,
 drivers/hid/hid-apple.c-412-		__u8 type, __u16 code, unsigned int hid, __s32 value)
 --
 drivers/hid/hid-apple.c-419-
 drivers/hid/hid-apple.c:420:static int hidinput_apple_event(struct hid_device *hid, struct input_dev *input,
 drivers/hid/hid-apple.c-421-		struct hid_usage *usage, __s32 value)
 --
 drivers/hid/hid-apple.c=657=static const __u8 *apple_report_fixup(struct hid_device *hdev, __u8 *rdesc,
 --
 drivers/hid/hid-apple.c-700-
 drivers/hid/hid-apple.c:701:static void apple_setup_input(struct input_dev *input)
 drivers/hid/hid-apple.c-702-{
 --
 drivers/hid/hid-appleir.c=107=struct appleir {
 drivers/hid/hid-appleir.c:108:	struct input_dev *input_dev;
 drivers/hid/hid-appleir.c-109-	struct hid_device *hid;
 --
 drivers/hid/hid-appleir.c=251=static int appleir_input_configured(struct hid_device *hid,
 --
 drivers/hid/hid-appleir.c-253-{
 drivers/hid/hid-appleir.c:254:	struct input_dev *input_dev = hidinput->input;
 drivers/hid/hid-appleir.c-255-	struct appleir *appleir = hid_get_drvdata(hid);
 --
 drivers/hid/hid-appletb-kbd.c=197=static int appletb_kbd_hid_event(struct hid_device *hdev, struct hid_field *field,
 --
 drivers/hid/hid-appletb-kbd.c-201-	struct key_entry *translation;
 drivers/hid/hid-appletb-kbd.c:202:	struct input_dev *input;
 drivers/hid/hid-appletb-kbd.c-203-	int slot;
 --
 drivers/hid/hid-appletb-kbd.c=255=static int appletb_kbd_inp_connect(struct input_handler *handler,
 drivers/hid/hid-appletb-kbd.c:256:			       struct input_dev *dev,
 drivers/hid/hid-appletb-kbd.c:257:			       const struct input_device_id *id)
 drivers/hid/hid-appletb-kbd.c-258-{
 --
 drivers/hid/hid-appletb-kbd.c=308=static int appletb_kbd_input_configured(struct hid_device *hdev, struct hid_input *hidinput)
 --
 drivers/hid/hid-appletb-kbd.c-310-	int idx;
 drivers/hid/hid-appletb-kbd.c:311:	struct input_dev *input = hidinput->input;
 drivers/hid/hid-appletb-kbd.c-312-
 --
 drivers/hid/hid-appletb-kbd.c-330-
 drivers/hid/hid-appletb-kbd.c:331:static const struct input_device_id appletb_kbd_input_devices[] = {
 drivers/hid/hid-appletb-kbd.c-332-	{
 --
 drivers/hid/hid-appletb-kbd.c=353=static bool appletb_kbd_match_internal_device(struct input_handler *handler,
 drivers/hid/hid-appletb-kbd.c:354:					  struct input_dev *inp_dev)
 drivers/hid/hid-appletb-kbd.c-355-{
 --
 drivers/hid/hid-asus.c=122=struct asus_drvdata {
 --
 drivers/hid/hid-asus.c-124-	struct hid_device *hdev;
 drivers/hid/hid-asus.c:125:	struct input_dev *input;
 drivers/hid/hid-asus.c:126:	struct input_dev *tp_kbd_input;
 drivers/hid/hid-asus.c-127-	struct asus_kbd_leds *kbd_backlight;
 --
 drivers/hid/hid-asus.c=198=static void asus_report_contact_down(struct asus_drvdata *drvdat,
 --
 drivers/hid/hid-asus.c-200-{
 drivers/hid/hid-asus.c:201:	struct input_dev *input = drvdat->input;
 drivers/hid/hid-asus.c-202-	int touch_major, pressure, x, y;
 --
 drivers/hid/hid-asus.c=869=static int asus_input_configured(struct hid_device *hdev, struct hid_input *hi)
 drivers/hid/hid-asus.c-870-{
 drivers/hid/hid-asus.c:871:	struct input_dev *input = hi->input;
 drivers/hid/hid-asus.c-872-	struct asus_drvdata *drvdata = hid_get_drvdata(hdev);
 --
 drivers/hid/hid-axff.c=27=struct axff_device {
 --
 drivers/hid/hid-axff.c-30-
 drivers/hid/hid-axff.c:31:static int axff_play(struct input_dev *dev, void *data, struct ff_effect *effect)
 drivers/hid/hid-axff.c-32-{
 --
 drivers/hid/hid-axff.c=62=static int axff_init(struct hid_device *hid)
 --
 drivers/hid/hid-axff.c-67-	struct list_head *report_list =&hid->report_enum[HID_OUTPUT_REPORT].report_list;
 drivers/hid/hid-axff.c:68:	struct input_dev *dev;
 drivers/hid/hid-axff.c-69-	int field_count = 0;
 --
 drivers/hid/hid-betopff.c=33=struct betopff_device {
 --
 drivers/hid/hid-betopff.c-36-
 drivers/hid/hid-betopff.c:37:static int hid_betopff_play(struct input_dev *dev, void *data,
 drivers/hid/hid-betopff.c-38-			 struct ff_effect *effect)
 --
 drivers/hid/hid-betopff.c=55=static int betopff_init(struct hid_device *hid)
 --
 drivers/hid/hid-betopff.c-61-			&hid->report_enum[HID_OUTPUT_REPORT].report_list;
 drivers/hid/hid-betopff.c:62:	struct input_dev *dev;
 drivers/hid/hid-betopff.c-63-	int error;
 --
 drivers/hid/hid-bigbenff.c=198=static void bigben_worker(struct work_struct *work)
 --
 drivers/hid/hid-bigbenff.c-265-
 drivers/hid/hid-bigbenff.c:266:static int hid_bigben_play_effect(struct input_dev *dev, void *data,
 drivers/hid/hid-bigbenff.c-267-			 struct ff_effect *effect)
 --
 drivers/hid/hid-chicony.c=26=static int ch_report_wireless(struct hid_report *report, u8 *data, int size)
 --
 drivers/hid/hid-chicony.c-28-	struct hid_device *hdev = report->device;
 drivers/hid/hid-chicony.c:29:	struct input_dev *input;
 drivers/hid/hid-chicony.c-30-
 --
 drivers/hid/hid-cmedia.c=85=struct cmhid {
 drivers/hid/hid-cmedia.c:86:	struct input_dev *input_dev;
 drivers/hid/hid-cmedia.c-87-	struct hid_device *hid;
 --
 drivers/hid/hid-cmedia.c=120=static int cmhid_input_configured(struct hid_device *hid,
 --
 drivers/hid/hid-cmedia.c-122-{
 drivers/hid/hid-cmedia.c:123:	struct input_dev *input_dev = hidinput->input;
 drivers/hid/hid-cmedia.c-124-	struct cmhid *cm = hid_get_drvdata(hid);
 --
 drivers/hid/hid-cougar.c=68=struct cougar_shared {
 --
 drivers/hid/hid-cougar.c-72-	struct hid_device *dev;
 drivers/hid/hid-cougar.c:73:	struct input_dev *input;
 drivers/hid/hid-cougar.c-74-};
 --
 drivers/hid/hid-creative-sb0540.c=117=struct creative_sb0540 {
 drivers/hid/hid-creative-sb0540.c:118:	struct input_dev *input_dev;
 drivers/hid/hid-creative-sb0540.c-119-	struct hid_device *hid;
 --
 drivers/hid/hid-creative-sb0540.c=185=static int creative_sb0540_input_configured(struct hid_device *hid,
 --
 drivers/hid/hid-creative-sb0540.c-187-{
 drivers/hid/hid-creative-sb0540.c:188:	struct input_dev *input_dev = hidinput->input;
 drivers/hid/hid-creative-sb0540.c-189-	struct creative_sb0540 *creative_sb0540 = hid_get_drvdata(hid);
 --
 drivers/hid/hid-cypress.c=100=static int cp_event(struct hid_device *hdev, struct hid_field *field,
 --
 drivers/hid/hid-cypress.c-118-	if (usage->code == REL_WHEEL && (quirks & CP_2WHEEL_MOUSE_HACK_ON)) {
 drivers/hid/hid-cypress.c:119:		struct input_dev *input = field->hidinput->input;
 drivers/hid/hid-cypress.c-120-
 --
 drivers/hid/hid-dr.c=27=struct drff_device {
 --
 drivers/hid/hid-dr.c-30-
 drivers/hid/hid-dr.c:31:static int drff_play(struct input_dev *dev, void *data,
 drivers/hid/hid-dr.c-32-				 struct ff_effect *effect)
 --
 drivers/hid/hid-dr.c=74=static int drff_init(struct hid_device *hid)
 --
 drivers/hid/hid-dr.c-80-			&hid->report_enum[HID_OUTPUT_REPORT].report_list;
 drivers/hid/hid-dr.c:81:	struct input_dev *dev;
 drivers/hid/hid-dr.c-82-	int error;
 --
 drivers/hid/hid-elan.c=40=struct elan_drvdata {
 drivers/hid/hid-elan.c:41:	struct input_dev *input;
 drivers/hid/hid-elan.c-42-	u8 prev_report[ELAN_INPUT_REPORT_SIZE];
 --
 drivers/hid/hid-elan.c=152=static int elan_input_configured(struct hid_device *hdev, struct hid_input *hi)
 --
 drivers/hid/hid-elan.c-154-	int ret;
 drivers/hid/hid-elan.c:155:	struct input_dev *input;
 drivers/hid/hid-elan.c-156-	struct elan_drvdata *drvdata = hid_get_drvdata(hdev);
 --
 drivers/hid/hid-elan.c=210=static void elan_report_mt_slot(struct elan_drvdata *drvdata, u8 *data,
 --
 drivers/hid/hid-elan.c-212-{
 drivers/hid/hid-elan.c:213:	struct input_dev *input = drvdata->input;
 drivers/hid/hid-elan.c-214-	int x, y, p;
 --
 drivers/hid/hid-elan.c=232=static void elan_usb_report_input(struct elan_drvdata *drvdata, u8 *data)
 --
 drivers/hid/hid-elan.c-234-	int i;
 drivers/hid/hid-elan.c:235:	struct input_dev *input = drvdata->input;
 drivers/hid/hid-elan.c-236-
 --
 drivers/hid/hid-elan.c=319=static void elan_i2c_report_input(struct elan_drvdata *drvdata, u8 *data)
 drivers/hid/hid-elan.c-320-{
 drivers/hid/hid-elan.c:321:	struct input_dev *input = drvdata->input;
 drivers/hid/hid-elan.c-322-	u8 *finger_data;
 --
 drivers/hid/hid-elo.c=39=static int elo_input_configured(struct hid_device *hdev,
 --
 drivers/hid/hid-elo.c-41-{
 drivers/hid/hid-elo.c:42:	struct input_dev *input = hidinput->input;
 drivers/hid/hid-elo.c-43-
 --
 drivers/hid/hid-elo.c-56-
 drivers/hid/hid-elo.c:57:static void elo_process_data(struct input_dev *input, const u8 *data, int size)
 drivers/hid/hid-elo.c-58-{
 --
 drivers/hid/hid-emsff.c=18=struct emsff_device {
 --
 drivers/hid/hid-emsff.c-21-
 drivers/hid/hid-emsff.c:22:static int emsff_play(struct input_dev *dev, void *data,
 drivers/hid/hid-emsff.c-23-			 struct ff_effect *effect)
 --
 drivers/hid/hid-emsff.c=46=static int emsff_init(struct hid_device *hid)
 --
 drivers/hid/hid-emsff.c-52-			&hid->report_enum[HID_OUTPUT_REPORT].report_list;
 drivers/hid/hid-emsff.c:53:	struct input_dev *dev;
 drivers/hid/hid-emsff.c-54-	int error;
 --
 drivers/hid/hid-ezkey.c=47=static int ez_event(struct hid_device *hdev, struct hid_field *field,
 --
 drivers/hid/hid-ezkey.c-55-	if (usage->type == EV_REL && usage->code == REL_HWHEEL) {
 drivers/hid/hid-ezkey.c:56:		struct input_dev *input = field->hidinput->input;
 drivers/hid/hid-ezkey.c-57-		input_event(input, usage->type, REL_WHEEL, -value);
 --
 drivers/hid/hid-gaff.c=25=struct gaff_device {
 --
 drivers/hid/hid-gaff.c-28-
 drivers/hid/hid-gaff.c:29:static int hid_gaff_play(struct input_dev *dev, void *data,
 drivers/hid/hid-gaff.c-30-			 struct ff_effect *effect)
 --
 drivers/hid/hid-gaff.c=63=static int gaff_init(struct hid_device *hid)
 --
 drivers/hid/hid-gaff.c-70-	struct list_head *report_ptr = report_list;
 drivers/hid/hid-gaff.c:71:	struct input_dev *dev;
 drivers/hid/hid-gaff.c-72-	int error;
 --
 drivers/hid/hid-google-hammer.c=36=struct cbas_ec {
 drivers/hid/hid-google-hammer.c-37-	struct device *dev;	/* The platform device (EC) */
 drivers/hid/hid-google-hammer.c:38:	struct input_dev *input;
 drivers/hid/hid-google-hammer.c-39-	bool base_present;
 --
 drivers/hid/hid-google-hammer.c=167=static SIMPLE_DEV_PM_OPS(cbas_ec_pm_ops, NULL, cbas_ec_resume);
 drivers/hid/hid-google-hammer.c-168-
 drivers/hid/hid-google-hammer.c:169:static void cbas_ec_set_input(struct input_dev *input)
 drivers/hid/hid-google-hammer.c-170-{
 --
 drivers/hid/hid-google-hammer.c=177=static int __cbas_ec_probe(struct platform_device *pdev)
 --
 drivers/hid/hid-google-hammer.c-179-	struct cros_ec_device *ec = dev_get_drvdata(pdev->dev.parent);
 drivers/hid/hid-google-hammer.c:180:	struct input_dev *input;
 drivers/hid/hid-google-hammer.c-181-	bool base_supported;
 --
 drivers/hid/hid-google-stadiaff.c=27=static void stadiaff_work(struct work_struct *work)
 --
 drivers/hid/hid-google-stadiaff.c-41-
 drivers/hid/hid-google-stadiaff.c:42:static int stadiaff_play(struct input_dev *dev, void *data,
 drivers/hid/hid-google-stadiaff.c-43-			 struct ff_effect *effect)
 --
 drivers/hid/hid-google-stadiaff.c=60=static int stadiaff_init(struct hid_device *hid)
 --
 drivers/hid/hid-google-stadiaff.c-64-	struct hid_input *hidinput;
 drivers/hid/hid-google-stadiaff.c:65:	struct input_dev *dev;
 drivers/hid/hid-google-stadiaff.c-66-	int error;
 --
 drivers/hid/hid-gyration.c=54=static int gyration_event(struct hid_device *hdev, struct hid_field *field,
 --
 drivers/hid/hid-gyration.c-62-			(usage->hid & 0xff) == 0x82) {
 drivers/hid/hid-gyration.c:63:		struct input_dev *input = field->hidinput->input;
 drivers/hid/hid-gyration.c-64-		input_event(input, usage->type, usage->code, 1);
 --
 drivers/hid/hid-haptic.c=201=static void switch_mode(struct hid_device *hdev, struct hid_haptic_device *haptic,
 --
 drivers/hid/hid-haptic.c-232-
 drivers/hid/hid-haptic.c:233:static int hid_haptic_upload_effect(struct input_dev *dev, struct ff_effect *effect,
 drivers/hid/hid-haptic.c-234-				    struct ff_effect *old)
 --
 drivers/hid/hid-haptic.c=294=static void haptic_work_handler(struct work_struct *work)
 --
 drivers/hid/hid-haptic.c-299-							work);
 drivers/hid/hid-haptic.c:300:	struct input_dev *dev = effect->input_dev;
 drivers/hid/hid-haptic.c-301-	struct hid_device *hdev = input_get_drvdata(dev);
 --
 drivers/hid/hid-haptic.c-312-
 drivers/hid/hid-haptic.c:313:static int hid_haptic_playback(struct input_dev *dev, int effect_id, int value)
 drivers/hid/hid-haptic.c-314-{
 --
 drivers/hid/hid-haptic.c=325=static void effect_set_default(struct ff_effect *effect)
 --
 drivers/hid/hid-haptic.c-334-
 drivers/hid/hid-haptic.c:335:static int hid_haptic_erase(struct input_dev *dev, int effect_id)
 drivers/hid/hid-haptic.c-336-{
 --
 drivers/hid/hid-haptic.c=403=int hid_haptic_init(struct hid_device *hdev,
 --
 drivers/hid/hid-haptic.c-406-	struct hid_haptic_device *haptic = *haptic_ptr;
 drivers/hid/hid-haptic.c:407:	struct input_dev *dev = NULL;
 drivers/hid/hid-haptic.c-408-	struct hid_input *hidinput;
 --
 drivers/hid/hid-haptic.c-415-	char *name;
 drivers/hid/hid-haptic.c:416:	int (*flush)(struct input_dev *dev, struct file *file);
 drivers/hid/hid-haptic.c:417:	int (*event)(struct input_dev *dev, unsigned int type, unsigned int code, int value);
 drivers/hid/hid-haptic.c-418-
 --
 drivers/hid/hid-haptic.h=16=struct hid_haptic_effect {
 drivers/hid/hid-haptic.h-17-	u8 *report_buf;
 drivers/hid/hid-haptic.h:18:	struct input_dev *input_dev;
 drivers/hid/hid-haptic.h-19-	struct work_struct work;
 --
 drivers/hid/hid-haptic.h=29=struct hid_haptic_device {
 drivers/hid/hid-haptic.h:30:	struct input_dev *input_dev;
 drivers/hid/hid-haptic.h-31-	struct hid_device *hdev;
 --
 drivers/hid/hid-holtek-kbd.c=105=static const __u8 *holtek_kbd_report_fixup(struct hid_device *hdev, __u8 *rdesc,
 --
 drivers/hid/hid-holtek-kbd.c-116-
 drivers/hid/hid-holtek-kbd.c:117:static int holtek_kbd_input_event(struct input_dev *dev, unsigned int type,
 drivers/hid/hid-holtek-kbd.c-118-		unsigned int code,
 --
 drivers/hid/hid-holtekff.c=75=static void holtekff_send(struct holtekff_device *holtekff,
 --
 drivers/hid/hid-holtekff.c-89-
 drivers/hid/hid-holtekff.c:90:static int holtekff_play(struct input_dev *dev, void *data,
 drivers/hid/hid-holtekff.c-91-			 struct ff_effect *effect)
 --
 drivers/hid/hid-holtekff.c=123=static int holtekff_init(struct hid_device *hid)
 --
 drivers/hid/hid-holtekff.c-129-			&hid->report_enum[HID_OUTPUT_REPORT].report_list;
 drivers/hid/hid-holtekff.c:130:	struct input_dev *dev;
 drivers/hid/hid-holtekff.c-131-	int error;
 --
 drivers/hid/hid-input.c=160=static struct hid_usage *hidinput_locate_usage(struct hid_device *hid,
 --
 drivers/hid/hid-input.c-176-
 drivers/hid/hid-input.c:177:static int hidinput_getkeycode(struct input_dev *dev,
 drivers/hid/hid-input.c-178-			       struct input_keymap_entry *ke)
]
]

gemini-3-flash-preview

							input: 119983
							output: 17
							thoughts: 500
						

**The Intriguing Memory Overlap**

Okay, I'm hitting a wall, there's no obvious direct link here. Let's revisit `input_devices_seq_show`. That `container_of` macro is key. If `v` is a pointer to the `node` field within an `input_dev` struct, and the debugger is showing this `v` pointing to a location where `ieee80211_elems_parse` lives, that's incredibly strange.

My initial thought, and I quickly dismissed it, was that maybe `ieee80211_elems_parse` was somehow allocated on top of a freed `input_dev` object. But the KASAN report specifies a use-after-free *of* the `ieee80211_elems_parse` object. This confirms that whatever is being accessed as an `input_dev` is actually pointing *to* the `ieee80211_elems_parse` structure, or an offset from it. That's a huge clue!

If `input_devices_seq_show` is being called, it means there is an `input_dev` registered somewhere in the system, and that device's `node` list head is pointing to this suspect memory address. The core issue now is: How is the `input_dev_list` global tracking list holding a pointer to a temporary `mac80211` object?

Ah, I think I've got it! The `input_dev_list` is the global repository of all registered input devices. When a device is registered, it's added to the list. When it's unregistered, it's removed.

The hypothetical scenario is this: Imagine a case where someone coded something like this:

```c
struct input_dev my_dev; // Local/temporary object (on stack, or in a temporary object)
input_register_device(&my_dev);
```

and, critically, the containing function returns *without* unregistering the input device.

If that happened, `input_dev_list` would contain a pointer to that now-invalid memory location – the stack/temporary object, which has since been reused, possibly by `mac80211`'s temporary objects.

Of course, `input_register_device` has checks to prevent double registration and does other things, and drivers usually use `input_allocate_device()`, which allocates from the heap. Still, there might be some unusual code path where this could occur.

Alright, I've got to follow this up. Let's see if there's any usage of `input_dev` in `net/mac80211`...

map[Expression:input_dev]

map[Output:
Full output is too long, showing 500 out of 22409 lines.
Use more precise expression if possible.

[Documentation/input/input-programming.rst=10=pressed or released a BUTTON_IRQ happens. The driver could look like::
 --
 Documentation/input/input-programming.rst-18-
 Documentation/input/input-programming.rst:19:    static struct input_dev *button_dev;
 Documentation/input/input-programming.rst-20-
 --
 Documentation/input/input-programming.rst=134=again. To do that, we would add this to our example driver::
 Documentation/input/input-programming.rst-135-
 Documentation/input/input-programming.rst:136:    static int button_open(struct input_dev *dev)
 Documentation/input/input-programming.rst-137-    {
 --
 Documentation/input/input-programming.rst-145-
 Documentation/input/input-programming.rst:146:    static void button_close(struct input_dev *dev)
 Documentation/input/input-programming.rst-147-    {
 --
 Documentation/input/input-programming.rst=217=It's reported to the input system via::
 Documentation/input/input-programming.rst-218-
 Documentation/input/input-programming.rst:219:	input_report_key(struct input_dev *dev, int code, int value)
 Documentation/input/input-programming.rst-220-
 --
 Documentation/input/input-programming.rst=235=set the corresponding bits and call the::
 Documentation/input/input-programming.rst-236-
 Documentation/input/input-programming.rst:237:	input_report_rel(struct input_dev *dev, int code, int value)
 Documentation/input/input-programming.rst-238-
 --
 Documentation/input/input-programming.rst=241=However EV_ABS requires a little special care. Before calling
 Documentation/input/input-programming.rst:242:input_register_device, you have to fill additional fields in the input_dev
 Documentation/input/input-programming.rst-243-struct for each absolute axis your device has. If our button device had also
 --
 Documentation/input/input-programming.rst=332=driver can handle these events, it has to set the respective bits in evbit,
 --
 Documentation/input/input-programming.rst-336-
 Documentation/input/input-programming.rst:337:    int button_event(struct input_dev *dev, unsigned int type,
 Documentation/input/input-programming.rst-338-		     unsigned int code, int value)
 --
 Documentation/input/input-programming.rst=354=the function::
 Documentation/input/input-programming.rst-355-
 Documentation/input/input-programming.rst:356:    int input_setup_polling(struct input_dev *dev,
 Documentation/input/input-programming.rst:357:        void (*poll_fn)(struct input_dev *dev))
 Documentation/input/input-programming.rst-358-
 --
 Documentation/input/input-programming.rst=362=There is also the function::
 Documentation/input/input-programming.rst-363-
 Documentation/input/input-programming.rst:364:    void input_set_poll_interval(struct input_dev *dev, unsigned int interval)
 Documentation/input/input-programming.rst-365-
 --
 arch/m68k/include/asm/oplib.h=154=__printf(1, 2) void prom_printf(char *fmt, ...);
 --
 arch/m68k/include/asm/oplib.h-157-
 arch/m68k/include/asm/oplib.h:158:enum prom_input_device {
 arch/m68k/include/asm/oplib.h-159-	PROMDEV_IKBD,			/* input from keyboard */
 --
 arch/m68k/include/asm/oplib.h-164-
 arch/m68k/include/asm/oplib.h:165:extern enum prom_input_device prom_query_input_device(void);
 arch/m68k/include/asm/oplib.h-166-
 --
 arch/m68k/sun3/prom/console.c=57=prom_putchar(char c)
 --
 arch/m68k/sun3/prom/console.c-64-#if 0
 arch/m68k/sun3/prom/console.c:65:enum prom_input_device
 arch/m68k/sun3/prom/console.c:66:prom_query_input_device()
 arch/m68k/sun3/prom/console.c-67-{
 --
 arch/x86/platform/olpc/olpc-xo1-sci.c=29=static unsigned long acpi_base;
 arch/x86/platform/olpc/olpc-xo1-sci.c:30:static struct input_dev *power_button_idev;
 arch/x86/platform/olpc/olpc-xo1-sci.c:31:static struct input_dev *ebook_switch_idev;
 arch/x86/platform/olpc/olpc-xo1-sci.c:32:static struct input_dev *lid_switch_idev;
 arch/x86/platform/olpc/olpc-xo1-sci.c-33-
 --
 drivers/accessibility/speakup/fakekey.c=18=static DEFINE_PER_CPU(int, reporting_keystroke);
 drivers/accessibility/speakup/fakekey.c-19-
 drivers/accessibility/speakup/fakekey.c:20:static struct input_dev *virt_keyboard;
 drivers/accessibility/speakup/fakekey.c-21-
 --
 drivers/acpi/acpi_video.c=157=struct acpi_video_bus {
 --
 drivers/acpi/acpi_video.c-168-	struct list_head entry;
 drivers/acpi/acpi_video.c:169:	struct input_dev *input;
 drivers/acpi/acpi_video.c-170-	char phys[32];	/* for input device */
 --
 drivers/acpi/acpi_video.c=1541=static void acpi_video_bus_notify(acpi_handle handle, u32 event, void *data)
 --
 drivers/acpi/acpi_video.c-1544-	struct acpi_video_bus *video = acpi_driver_data(device);
 drivers/acpi/acpi_video.c:1545:	struct input_dev *input;
 drivers/acpi/acpi_video.c-1546-	int keycode = 0;
 --
 drivers/acpi/acpi_video.c=1604=static void acpi_video_device_notify(acpi_handle handle, u32 event, void *data)
 --
 drivers/acpi/acpi_video.c-1608-	struct acpi_video_bus *bus;
 drivers/acpi/acpi_video.c:1609:	struct input_dev *input;
 drivers/acpi/acpi_video.c-1610-	int keycode = 0;
 --
 drivers/acpi/acpi_video.c=1894=static int acpi_video_bus_add_notify_handler(struct acpi_video_bus *video)
 drivers/acpi/acpi_video.c-1895-{
 drivers/acpi/acpi_video.c:1896:	struct input_dev *input;
 drivers/acpi/acpi_video.c-1897-	struct acpi_video_device *dev;
 --
 drivers/acpi/button.c=171=struct acpi_button {
 drivers/acpi/button.c-172-	unsigned int type;
 drivers/acpi/button.c:173:	struct input_dev *input;
 drivers/acpi/button.c-174-	char phys[32];			/* for input device */
 --
 drivers/acpi/button.c=440=static void acpi_button_notify(acpi_handle handle, u32 event, void *data)
 --
 drivers/acpi/button.c-443-	struct acpi_button *button;
 drivers/acpi/button.c:444:	struct input_dev *input;
 drivers/acpi/button.c-445-	int keycode;
 --
 drivers/acpi/button.c=498=static int acpi_button_resume(struct device *dev)
 drivers/acpi/button.c-499-{
 drivers/acpi/button.c:500:	struct input_dev *input;
 drivers/acpi/button.c-501-	struct acpi_device *device = to_acpi_device(dev);
 --
 drivers/acpi/button.c-521-
 drivers/acpi/button.c:522:static int acpi_lid_input_open(struct input_dev *input)
 drivers/acpi/button.c-523-{
 --
 drivers/acpi/button.c=534=static int acpi_button_add(struct acpi_device *device)
 --
 drivers/acpi/button.c-537-	struct acpi_button *button;
 drivers/acpi/button.c:538:	struct input_dev *input;
 drivers/acpi/button.c-539-	const char *hid = acpi_device_hid(device);
 --
 drivers/auxdisplay/ht16k33.c=69=struct ht16k33_keypad {
 drivers/auxdisplay/ht16k33.c-70-	struct i2c_client *client;
 drivers/auxdisplay/ht16k33.c:71:	struct input_dev *dev;
 drivers/auxdisplay/ht16k33.c-72-	uint32_t cols;
 --
 drivers/auxdisplay/ht16k33.c=365=static irqreturn_t ht16k33_keypad_irq_thread(int irq, void *dev)
 --
 drivers/auxdisplay/ht16k33.c-378-
 drivers/auxdisplay/ht16k33.c:379:static int ht16k33_keypad_start(struct input_dev *dev)
 drivers/auxdisplay/ht16k33.c-380-{
 --
 drivers/auxdisplay/ht16k33.c-389-
 drivers/auxdisplay/ht16k33.c:390:static void ht16k33_keypad_stop(struct input_dev *dev)
 drivers/auxdisplay/ht16k33.c-391-{
 --
 drivers/char/sonypi.c=460=struct sonypi_keypress {
 drivers/char/sonypi.c:461:	struct input_dev *dev;
 drivers/char/sonypi.c-462-	int key;
 --
 drivers/char/sonypi.c=465=static struct sonypi_device {
 --
 drivers/char/sonypi.c-481-	int model;
 drivers/char/sonypi.c:482:	struct input_dev *input_jog_dev;
 drivers/char/sonypi.c:483:	struct input_dev *input_key_dev;
 drivers/char/sonypi.c-484-	struct work_struct input_work;
 --
 drivers/char/sonypi.c=775=static void sonypi_report_input_event(u8 event)
 drivers/char/sonypi.c-776-{
 drivers/char/sonypi.c:777:	struct input_dev *jog_dev = sonypi_device.input_jog_dev;
 drivers/char/sonypi.c:778:	struct input_dev *key_dev = sonypi_device.input_key_dev;
 drivers/char/sonypi.c-779-	struct sonypi_keypress kp = { NULL };
 --
 drivers/char/sonypi.c=1136=static struct acpi_driver sonypi_acpi_driver = {
 --
 drivers/char/sonypi.c-1146-
 drivers/char/sonypi.c:1147:static int sonypi_create_input_devices(struct platform_device *pdev)
 drivers/char/sonypi.c-1148-{
 drivers/char/sonypi.c:1149:	struct input_dev *jog_dev;
 drivers/char/sonypi.c:1150:	struct input_dev *key_dev;
 drivers/char/sonypi.c-1151-	int i;
 --
 drivers/char/sonypi.c=1287=static int sonypi_probe(struct platform_device *dev)
 --
 drivers/char/sonypi.c-1369-
 drivers/char/sonypi.c:1370:		error = sonypi_create_input_devices(dev);
 drivers/char/sonypi.c-1371-		if (error) {
 --
 drivers/extcon/extcon-max77693.c=66=struct max77693_muic_info {
 --
 drivers/extcon/extcon-max77693.c-88-	/* Button of dock device */
 drivers/extcon/extcon-max77693.c:89:	struct input_dev *dock;
 drivers/extcon/extcon-max77693.c-90-
 --
 drivers/extcon/extcon-max77693.c=532=static int max77693_muic_dock_button_handler(struct max77693_muic_info *info,
 --
 drivers/extcon/extcon-max77693.c-534-{
 drivers/extcon/extcon-max77693.c:535:	struct input_dev *dock = info->dock;
 drivers/extcon/extcon-max77693.c-536-	unsigned int code;
 --
 drivers/gpu/drm/bridge/sil-sii8620.c=2052=static void sii8620_cable_in(struct sii8620 *ctx)
 --
 drivers/gpu/drm/bridge/sil-sii8620.c-2095-
 drivers/gpu/drm/bridge/sil-sii8620.c:2096:static void sii8620_init_rcp_input_dev(struct sii8620 *ctx)
 drivers/gpu/drm/bridge/sil-sii8620.c-2097-{
 --
 drivers/gpu/drm/bridge/sil-sii8620.c=2205=static int sii8620_attach(struct drm_bridge *bridge,
 --
 drivers/gpu/drm/bridge/sil-sii8620.c-2210-
 drivers/gpu/drm/bridge/sil-sii8620.c:2211:	sii8620_init_rcp_input_dev(ctx);
 drivers/gpu/drm/bridge/sil-sii8620.c-2212-
 --
 drivers/hid/hid-a4tech.c=73=static int a4_event(struct hid_device *hdev, struct hid_field *field,
 --
 drivers/hid/hid-a4tech.c-76-	struct a4tech_sc *a4 = hid_get_drvdata(hdev);
 drivers/hid/hid-a4tech.c:77:	struct input_dev *input;
 drivers/hid/hid-a4tech.c-78-
 --
 drivers/hid/hid-alps.c=96=struct alps_dev {
 drivers/hid/hid-alps.c:97:	struct input_dev *input;
 drivers/hid/hid-alps.c:98:	struct input_dev *input2;
 drivers/hid/hid-alps.c-99-	struct hid_device *hdev;
 --
 drivers/hid/hid-alps.c=609=static int T4_init(struct hid_device *hdev, struct alps_dev *pri_data)
 --
 drivers/hid/hid-alps.c-659-
 drivers/hid/hid-alps.c:660:static int alps_sp_open(struct input_dev *dev)
 drivers/hid/hid-alps.c-661-{
 --
 drivers/hid/hid-alps.c-666-
 drivers/hid/hid-alps.c:667:static void alps_sp_close(struct input_dev *dev)
 drivers/hid/hid-alps.c-668-{
 --
 drivers/hid/hid-alps.c=674=static int alps_input_configured(struct hid_device *hdev, struct hid_input *hi)
 --
 drivers/hid/hid-alps.c-676-	struct alps_dev *data = hid_get_drvdata(hdev);
 drivers/hid/hid-alps.c:677:	struct input_dev *input = hi->input, *input2;
 drivers/hid/hid-alps.c-678-	int ret;
 --
 drivers/hid/hid-apple.c=383=static bool apple_is_omoton_kb066(struct hid_device *hdev)
 --
 drivers/hid/hid-apple.c-388-
 drivers/hid/hid-apple.c:389:static inline void apple_setup_key_translation(struct input_dev *input,
 drivers/hid/hid-apple.c-390-		const struct apple_key_translation *table)
 --
 drivers/hid/hid-apple.c=398=static const struct apple_key_translation *apple_find_translation(
 --
 drivers/hid/hid-apple.c-410-
 drivers/hid/hid-apple.c:411:static void input_event_with_scancode(struct input_dev *input,
 drivers/hid/hid-apple.c-412-		__u8 type, __u16 code, unsigned int hid, __s32 value)
 --
 drivers/hid/hid-apple.c-419-
 drivers/hid/hid-apple.c:420:static int hidinput_apple_event(struct hid_device *hid, struct input_dev *input,
 drivers/hid/hid-apple.c-421-		struct hid_usage *usage, __s32 value)
 --
 drivers/hid/hid-apple.c=657=static const __u8 *apple_report_fixup(struct hid_device *hdev, __u8 *rdesc,
 --
 drivers/hid/hid-apple.c-700-
 drivers/hid/hid-apple.c:701:static void apple_setup_input(struct input_dev *input)
 drivers/hid/hid-apple.c-702-{
 --
 drivers/hid/hid-appleir.c=107=struct appleir {
 drivers/hid/hid-appleir.c:108:	struct input_dev *input_dev;
 drivers/hid/hid-appleir.c-109-	struct hid_device *hid;
 --
 drivers/hid/hid-appleir.c=151=static void key_up(struct hid_device *hid, struct appleir *appleir, int key)
 drivers/hid/hid-appleir.c-152-{
 drivers/hid/hid-appleir.c:153:	input_report_key(appleir->input_dev, key, 0);
 drivers/hid/hid-appleir.c:154:	input_sync(appleir->input_dev);
 drivers/hid/hid-appleir.c-155-}
 --
 drivers/hid/hid-appleir.c=157=static void key_down(struct hid_device *hid, struct appleir *appleir, int key)
 drivers/hid/hid-appleir.c-158-{
 drivers/hid/hid-appleir.c:159:	input_report_key(appleir->input_dev, key, 1);
 drivers/hid/hid-appleir.c:160:	input_sync(appleir->input_dev);
 drivers/hid/hid-appleir.c-161-}
 --
 drivers/hid/hid-appleir.c=163=static void battery_flat(struct appleir *appleir)
 drivers/hid/hid-appleir.c-164-{
 drivers/hid/hid-appleir.c:165:	dev_err(&appleir->input_dev->dev, "possible flat battery?\n");
 drivers/hid/hid-appleir.c-166-}
 --
 drivers/hid/hid-appleir.c=251=static int appleir_input_configured(struct hid_device *hid,
 --
 drivers/hid/hid-appleir.c-253-{
 drivers/hid/hid-appleir.c:254:	struct input_dev *input_dev = hidinput->input;
 drivers/hid/hid-appleir.c-255-	struct appleir *appleir = hid_get_drvdata(hid);
 --
 drivers/hid/hid-appleir.c-257-
 drivers/hid/hid-appleir.c:258:	appleir->input_dev = input_dev;
 drivers/hid/hid-appleir.c-259-
 drivers/hid/hid-appleir.c:260:	input_dev->keycode = appleir->keymap;
 drivers/hid/hid-appleir.c:261:	input_dev->keycodesize = sizeof(unsigned short);
 drivers/hid/hid-appleir.c:262:	input_dev->keycodemax = ARRAY_SIZE(appleir->keymap);
 drivers/hid/hid-appleir.c-263-
 drivers/hid/hid-appleir.c:264:	input_dev->evbit[0] = BIT(EV_KEY) | BIT(EV_REP);
 drivers/hid/hid-appleir.c-265-
 --
 drivers/hid/hid-appleir.c-267-	for (i = 0; i < ARRAY_SIZE(appleir_key_table); i++)
 drivers/hid/hid-appleir.c:268:		set_bit(appleir->keymap[i], input_dev->keybit);
 drivers/hid/hid-appleir.c:269:	clear_bit(KEY_RESERVED, input_dev->keybit);
 drivers/hid/hid-appleir.c-270-
 --
 drivers/hid/hid-appletb-kbd.c=197=static int appletb_kbd_hid_event(struct hid_device *hdev, struct hid_field *field,
 --
 drivers/hid/hid-appletb-kbd.c-201-	struct key_entry *translation;
 drivers/hid/hid-appletb-kbd.c:202:	struct input_dev *input;
 drivers/hid/hid-appletb-kbd.c-203-	int slot;
 --
 drivers/hid/hid-appletb-kbd.c=255=static int appletb_kbd_inp_connect(struct input_handler *handler,
 drivers/hid/hid-appletb-kbd.c:256:			       struct input_dev *dev,
 drivers/hid/hid-appletb-kbd.c:257:			       const struct input_device_id *id)
 drivers/hid/hid-appletb-kbd.c-258-{
 --
 drivers/hid/hid-appletb-kbd.c=308=static int appletb_kbd_input_configured(struct hid_device *hdev, struct hid_input *hidinput)
 --
 drivers/hid/hid-appletb-kbd.c-310-	int idx;
 drivers/hid/hid-appletb-kbd.c:311:	struct input_dev *input = hidinput->input;
 drivers/hid/hid-appletb-kbd.c-312-
 --
 drivers/hid/hid-appletb-kbd.c-330-
 drivers/hid/hid-appletb-kbd.c:331:static const struct input_device_id appletb_kbd_input_devices[] = {
 drivers/hid/hid-appletb-kbd.c-332-	{
 --
 drivers/hid/hid-appletb-kbd.c=353=static bool appletb_kbd_match_internal_device(struct input_handler *handler,
 drivers/hid/hid-appletb-kbd.c:354:					  struct input_dev *inp_dev)
 drivers/hid/hid-appletb-kbd.c-355-{
 --
 drivers/hid/hid-appletb-kbd.c=374=static int appletb_kbd_probe(struct hid_device *hdev, const struct hid_device_id *id)
 --
 drivers/hid/hid-appletb-kbd.c-419-	kbd->inp_handler.name = "appletb";
 drivers/hid/hid-appletb-kbd.c:420:	kbd->inp_handler.id_table = appletb_kbd_input_devices;
 drivers/hid/hid-appletb-kbd.c-421-	kbd->inp_handler.match = appletb_kbd_match_internal_device;
 --
 drivers/hid/hid-asus.c=122=struct asus_drvdata {
 --
 drivers/hid/hid-asus.c-124-	struct hid_device *hdev;
 drivers/hid/hid-asus.c:125:	struct input_dev *input;
 drivers/hid/hid-asus.c:126:	struct input_dev *tp_kbd_input;
 drivers/hid/hid-asus.c-127-	struct asus_kbd_leds *kbd_backlight;
 --
 drivers/hid/hid-asus.c=198=static void asus_report_contact_down(struct asus_drvdata *drvdat,
 --
 drivers/hid/hid-asus.c-200-{
 drivers/hid/hid-asus.c:201:	struct input_dev *input = drvdat->input;
 drivers/hid/hid-asus.c-202-	int touch_major, pressure, x, y;
 --
 drivers/hid/hid-asus.c=869=static int asus_input_configured(struct hid_device *hdev, struct hid_input *hi)
 drivers/hid/hid-asus.c-870-{
 drivers/hid/hid-asus.c:871:	struct input_dev *input = hi->input;
 drivers/hid/hid-asus.c-872-	struct asus_drvdata *drvdata = hid_get_drvdata(hdev);
 --
 drivers/hid/hid-asus.c=1127=static int asus_probe(struct hid_device *hdev, const struct hid_device_id *id)
 --
 drivers/hid/hid-asus.c-1175-		 * All functionality is on a single HID interface and for
 drivers/hid/hid-asus.c:1176:		 * userspace the touchpad must be a separate input_dev.
 drivers/hid/hid-asus.c-1177-		 */
 --
 drivers/hid/hid-axff.c=27=struct axff_device {
 --
 drivers/hid/hid-axff.c-30-
 drivers/hid/hid-axff.c:31:static int axff_play(struct input_dev *dev, void *data, struct ff_effect *effect)
 drivers/hid/hid-axff.c-32-{
 --
 drivers/hid/hid-axff.c=62=static int axff_init(struct hid_device *hid)
 --
 drivers/hid/hid-axff.c-67-	struct list_head *report_list =&hid->report_enum[HID_OUTPUT_REPORT].report_list;
 drivers/hid/hid-axff.c:68:	struct input_dev *dev;
 drivers/hid/hid-axff.c-69-	int field_count = 0;
 --
 drivers/hid/hid-betopff.c=33=struct betopff_device {
 --
 drivers/hid/hid-betopff.c-36-
 drivers/hid/hid-betopff.c:37:static int hid_betopff_play(struct input_dev *dev, void *data,
 drivers/hid/hid-betopff.c-38-			 struct ff_effect *effect)
 --
 drivers/hid/hid-betopff.c=55=static int betopff_init(struct hid_device *hid)
 --
 drivers/hid/hid-betopff.c-61-			&hid->report_enum[HID_OUTPUT_REPORT].report_list;
 drivers/hid/hid-betopff.c:62:	struct input_dev *dev;
 drivers/hid/hid-betopff.c-63-	int error;
 --
 drivers/hid/hid-bigbenff.c=198=static void bigben_worker(struct work_struct *work)
 --
 drivers/hid/hid-bigbenff.c-265-
 drivers/hid/hid-bigbenff.c:266:static int hid_bigben_play_effect(struct input_dev *dev, void *data,
 drivers/hid/hid-bigbenff.c-267-			 struct ff_effect *effect)
 --
 drivers/hid/hid-chicony.c=26=static int ch_report_wireless(struct hid_report *report, u8 *data, int size)
 --
 drivers/hid/hid-chicony.c-28-	struct hid_device *hdev = report->device;
 drivers/hid/hid-chicony.c:29:	struct input_dev *input;
 drivers/hid/hid-chicony.c-30-
 --
 drivers/hid/hid-cmedia.c=85=struct cmhid {
 drivers/hid/hid-cmedia.c:86:	struct input_dev *input_dev;
 drivers/hid/hid-cmedia.c-87-	struct hid_device *hid;
 --
 drivers/hid/hid-cmedia.c=91=static void hp_ev(struct hid_device *hid, struct cmhid *cm, int value)
 drivers/hid/hid-cmedia.c-92-{
 drivers/hid/hid-cmedia.c:93:	input_report_switch(cm->input_dev, SW_HEADPHONE_INSERT, value);
 drivers/hid/hid-cmedia.c:94:	input_sync(cm->input_dev);
 drivers/hid/hid-cmedia.c-95-}
 --
 drivers/hid/hid-cmedia.c=120=static int cmhid_input_configured(struct hid_device *hid,
 --
 drivers/hid/hid-cmedia.c-122-{
 drivers/hid/hid-cmedia.c:123:	struct input_dev *input_dev = hidinput->input;
 drivers/hid/hid-cmedia.c-124-	struct cmhid *cm = hid_get_drvdata(hid);
 --
 drivers/hid/hid-cmedia.c-126-
 drivers/hid/hid-cmedia.c:127:	cm->input_dev = input_dev;
 drivers/hid/hid-cmedia.c-128-	memcpy(cm->switch_map, jack_switch_types, sizeof(cm->switch_map));
 drivers/hid/hid-cmedia.c:129:	input_dev->evbit[0] = BIT(EV_SW);
 drivers/hid/hid-cmedia.c-130-	for (i = 0; i < CM6533_JD_TYPE_COUNT; i++)
 drivers/hid/hid-cmedia.c:131:		input_set_capability(cm->input_dev,
 drivers/hid/hid-cmedia.c-132-				EV_SW, jack_switch_types[i]);
 --
 drivers/hid/hid-cougar.c=68=struct cougar_shared {
 --
 drivers/hid/hid-cougar.c-72-	struct hid_device *dev;
 drivers/hid/hid-cougar.c:73:	struct input_dev *input;
 drivers/hid/hid-cougar.c-74-};
 --
 drivers/hid/hid-creative-sb0540.c=117=struct creative_sb0540 {
 drivers/hid/hid-creative-sb0540.c:118:	struct input_dev *input_dev;
 drivers/hid/hid-creative-sb0540.c-119-	struct hid_device *hid;
 --
 drivers/hid/hid-creative-sb0540.c=149=static int creative_sb0540_raw_event(struct hid_device *hid,
 --
 drivers/hid/hid-creative-sb0540.c-176-
 drivers/hid/hid-creative-sb0540.c:177:	input_report_key(creative_sb0540->input_dev, key, 1);
 drivers/hid/hid-creative-sb0540.c:178:	input_report_key(creative_sb0540->input_dev, key, 0);
 drivers/hid/hid-creative-sb0540.c:179:	input_sync(creative_sb0540->input_dev);
 drivers/hid/hid-creative-sb0540.c-180-
 --
 drivers/hid/hid-creative-sb0540.c=185=static int creative_sb0540_input_configured(struct hid_device *hid,
 --
 drivers/hid/hid-creative-sb0540.c-187-{
 drivers/hid/hid-creative-sb0540.c:188:	struct input_dev *input_dev = hidinput->input;
 drivers/hid/hid-creative-sb0540.c-189-	struct creative_sb0540 *creative_sb0540 = hid_get_drvdata(hid);
 --
 drivers/hid/hid-creative-sb0540.c-191-
 drivers/hid/hid-creative-sb0540.c:192:	creative_sb0540->input_dev = input_dev;
 drivers/hid/hid-creative-sb0540.c-193-
 drivers/hid/hid-creative-sb0540.c:194:	input_dev->keycode = creative_sb0540->keymap;
 drivers/hid/hid-creative-sb0540.c:195:	input_dev->keycodesize = sizeof(unsigned short);
 drivers/hid/hid-creative-sb0540.c:196:	input_dev->keycodemax = ARRAY_SIZE(creative_sb0540->keymap);
 drivers/hid/hid-creative-sb0540.c-197-
 drivers/hid/hid-creative-sb0540.c:198:	input_dev->evbit[0] = BIT(EV_KEY) | BIT(EV_REP);
 drivers/hid/hid-creative-sb0540.c-199-
 --
 drivers/hid/hid-creative-sb0540.c-202-	for (i = 0; i < ARRAY_SIZE(creative_sb0540_key_table); i++)
 drivers/hid/hid-creative-sb0540.c:203:		set_bit(creative_sb0540->keymap[i], input_dev->keybit);
 drivers/hid/hid-creative-sb0540.c:204:	clear_bit(KEY_RESERVED, input_dev->keybit);
 drivers/hid/hid-creative-sb0540.c-205-
 --
 drivers/hid/hid-cypress.c=100=static int cp_event(struct hid_device *hdev, struct hid_field *field,
 --
 drivers/hid/hid-cypress.c-118-	if (usage->code == REL_WHEEL && (quirks & CP_2WHEEL_MOUSE_HACK_ON)) {
 drivers/hid/hid-cypress.c:119:		struct input_dev *input = field->hidinput->input;
 drivers/hid/hid-cypress.c-120-
 --
 drivers/hid/hid-dr.c=27=struct drff_device {
 --
 drivers/hid/hid-dr.c-30-
 drivers/hid/hid-dr.c:31:static int drff_play(struct input_dev *dev, void *data,
 drivers/hid/hid-dr.c-32-				 struct ff_effect *effect)
 --
 drivers/hid/hid-dr.c=74=static int drff_init(struct hid_device *hid)
 --
 drivers/hid/hid-dr.c-80-			&hid->report_enum[HID_OUTPUT_REPORT].report_list;
 drivers/hid/hid-dr.c:81:	struct input_dev *dev;
 drivers/hid/hid-dr.c-82-	int error;
 --
 drivers/hid/hid-elan.c=40=struct elan_drvdata {
 drivers/hid/hid-elan.c:41:	struct input_dev *input;
 drivers/hid/hid-elan.c-42-	u8 prev_report[ELAN_INPUT_REPORT_SIZE];
 --
 drivers/hid/hid-elan.c=152=static int elan_input_configured(struct hid_device *hdev, struct hid_input *hi)
 --
 drivers/hid/hid-elan.c-154-	int ret;
 drivers/hid/hid-elan.c:155:	struct input_dev *input;
 drivers/hid/hid-elan.c-156-	struct elan_drvdata *drvdata = hid_get_drvdata(hdev);
 --
 drivers/hid/hid-elan.c=210=static void elan_report_mt_slot(struct elan_drvdata *drvdata, u8 *data,
 --
 drivers/hid/hid-elan.c-212-{
 drivers/hid/hid-elan.c:213:	struct input_dev *input = drvdata->input;
 drivers/hid/hid-elan.c-214-	int x, y, p;
 --
 drivers/hid/hid-elan.c=232=static void elan_usb_report_input(struct elan_drvdata *drvdata, u8 *data)
 --
 drivers/hid/hid-elan.c-234-	int i;
 drivers/hid/hid-elan.c:235:	struct input_dev *input = drvdata->input;
 drivers/hid/hid-elan.c-236-
 --
 drivers/hid/hid-elan.c=319=static void elan_i2c_report_input(struct elan_drvdata *drvdata, u8 *data)
 drivers/hid/hid-elan.c-320-{
 drivers/hid/hid-elan.c:321:	struct input_dev *input = drvdata->input;
 drivers/hid/hid-elan.c-322-	u8 *finger_data;
 --
 drivers/hid/hid-elo.c=39=static int elo_input_configured(struct hid_device *hdev,
 --
 drivers/hid/hid-elo.c-41-{
 drivers/hid/hid-elo.c:42:	struct input_dev *input = hidinput->input;
 drivers/hid/hid-elo.c-43-
 --
 drivers/hid/hid-elo.c-56-
 drivers/hid/hid-elo.c:57:static void elo_process_data(struct input_dev *input, const u8 *data, int size)
 drivers/hid/hid-elo.c-58-{
 --
 drivers/hid/hid-emsff.c=18=struct emsff_device {
 --
 drivers/hid/hid-emsff.c-21-
 drivers/hid/hid-emsff.c:22:static int emsff_play(struct input_dev *dev, void *data,
 drivers/hid/hid-emsff.c-23-			 struct ff_effect *effect)
 --
]
]

gemini-3-flash-preview

							input: 131308
							output: 58
							thoughts: 397
						

**Debugging a Potential Kernel Vulnerability**

Okay, I'm still hitting a wall here. I'm not quite seeing the root cause. Let me re-examine this `input_devices_seq_show` function. Specifically, this line:

```c
1091:		struct input_dev *dev = container_of(v, struct input_dev, node);
```

Right, if `v` here is a pointer to a `struct list_head` that *isn't* actually part of a valid `input_dev` structure, that could be a problem. Hang on... `input_dev_list` is itself a `struct list_head`. And the sequence file iterator uses `seq_list_start` and `seq_list_next`. So, if that list, `input_dev_list`, is somehow corrupted, we could end up with `v` pointing to arbitrary memory!

But... where would that corruption originate? I need to track this down. Okay, wait a minute, I'm seeing something in the allocation stack. I see the traces:

`ieee802_11_parse_elems_full+0x152/0x2ab0 net/mac80211/parse.c:1031`
`ieee80211_inform_bss+0x147/0x1130 net/mac80211/scan.c:79`

Aha! `ieee80211_inform_bss` is being called with `cbss`.
```c
  70:		struct ieee80211_bss *bss = (void *)cbss->priv;
```

`cbss` is a `struct cfg80211_bss`. And `cbss->priv` is a pointer to a `struct ieee80211_bss`. Wait a second... that `struct ieee80211_bss` is part of mac80211. Okay, this is looking interesting, I need to take a closer look at `struct ieee80211_bss`.

map[ContextFile:net/mac80211/ieee80211_i.h IncludeLines:true Name:ieee80211_bss]

map[SourceCode: 114:	struct ieee80211_bss {
 115:		u32 device_ts_beacon, device_ts_presp;
 116:	
 117:		bool wmm_used;
 118:		bool uapsd_supported;
 119:	
 120:	#define IEEE80211_MAX_SUPP_RATES 32
 121:		u8 supp_rates[IEEE80211_MAX_SUPP_RATES];
 122:		size_t supp_rates_len;
 123:		struct ieee80211_rate *beacon_rate;
 124:	
 125:		u32 vht_cap_info;
 126:	
 127:		/*
 128:		 * During association, we save an ERP value from a probe response so
 129:		 * that we can feed ERP info to the driver when handling the
 130:		 * association completes. these fields probably won't be up-to-date
 131:		 * otherwise, you probably don't want to use them.
 132:		 */
 133:		bool has_erp_value;
 134:		u8 erp_value;
 135:	
 136:		/* Keep track of the corruption of the last beacon/probe response. */
 137:		u8 corrupt_data;
 138:	
 139:		/* Keep track of what bits of information we have valid info for. */
 140:		u8 valid_data;
 141:	};
 SourceFile:net/mac80211/ieee80211_i.h]

gemini-3-flash-preview

							input: 132707
							output: 43
							thoughts: 181
						

**Investigating a Potential Input Device Vulnerability**

Okay, so I'm not seeing anything immediately concerning with `input_dev`, which is unusual. Wait a minute, I've got an idea. What if there was a way to exploit the `input_dev`'s `phys` field? Perhaps by cleverly misdirecting it. Specifically, what if the `phys` field, which *should* be a string pointer, was instead set to a pointer to a completely different structure? It could lead to all sorts of memory corruption issues. Let me double-check the `input_dev` structure layout again. Ah, yes, `phys` is at offset 8.

Alright, I think I'm on to something! I just found something interesting in `drivers/input/input.c`: Line 1091 uses `container_of` to get an `input_dev` pointer, using the `node` field. The pointer to the structure returned from the iterator is `v`. Okay, I need to understand this iterator. I believe it is `input_devices_seq_ops`. I'll look into that...

requested entity does not exist

map[ContextFile:drivers/input/input.c IncludeLines:true Name:input_devices_seq_ops]

map[SourceCode: SourceFile:]

gemini-3-flash-preview

							input: 133193
							output: 21
							thoughts: 15
						

Here's my attempt at summarizing the thought process, tailored for an expert audience:

**Unpacking a Potentially Ambiguous Term**

Okay, so I'm hitting a wall here. This term, whatever it is, feels a bit slippery. It's possible I'm working from a slightly off-base definition, or that its usage is context-dependent in a way I'm not immediately grasping. That means I need to dig deeper into the actual implementation and usage. Time to take a closer look at the source. Let's fire up `grep`, a targeted search will quickly reveal how this term is actually *being* used in the codebase. That should give me a clearer picture, and hopefully illuminate the specific meaning within this system.

map[Expression:input_devices_seq_ops]

map[Output:drivers/input/input.c=1089=static int input_devices_seq_show(struct seq_file *seq, void *v)
--
drivers/input/input.c-1133-
drivers/input/input.c:1134:static const struct seq_operations input_devices_seq_ops = {
drivers/input/input.c-1135-	.start	= input_devices_seq_start,
--
drivers/input/input.c=1141=static int input_proc_devices_open(struct inode *inode, struct file *file)
drivers/input/input.c-1142-{
drivers/input/input.c:1143:	return seq_open_private(file, &input_devices_seq_ops,
drivers/input/input.c-1144-				sizeof(struct input_seq_state));
]

gemini-3-flash-preview

							input: 133611
							output: 43
							thoughts: 24
						

Here's my attempt at summarizing the thought process, tailored for an expert audience:

**Analyzing `input_devices_seq_start` and `input_devices_seq_next`**

Okay, let's drill down into these two functions, `input_devices_seq_start` and `input_devices_seq_next`. My initial thought is to quickly understand their core functionality and how they relate. Are we looking at a state machine here, potentially? `_start` suggests an initialization phase or the kickoff of a sequence, while `_next` screams iteration or advancing to the following state/element. I wonder, what data structure are they operating on? Is it a linked list, an array, something more esoteric? The naming convention suggests a sequential process, but the implementation will reveal the details. Specifically, I need to know: what's being sequenced (device descriptors, events, etc.), what are the entry/exit conditions, and how are these functions handling error cases or edge conditions like an empty sequence? I'm anticipating that these are fundamental primitives for managing input device access and event handling, but I need to confirm my assumptions by tracing the call chain and analyzing the code itself.

map[ContextFile:drivers/input/input.c IncludeLines:true Name:input_devices_seq_start]

map[SourceCode:1034:	static void *input_devices_seq_start(struct seq_file *seq, loff_t *pos)
1035:	{
1036:		struct input_seq_state *state = seq->private;
1037:		int error;
1038:	
1039:		error = mutex_lock_interruptible(&input_mutex);
1040:		if (error) {
1041:			state->mutex_acquired = false;
1042:			return ERR_PTR(error);
1043:		}
1044:	
1045:		state->mutex_acquired = true;
1046:	
1047:		return seq_list_start(&input_dev_list, *pos);
1048:	}
 SourceFile:drivers/input/input.c]

gemini-3-flash-preview

							input: 134164
							output: 43
							thoughts: 10
						

Okay, here's my attempt at summarizing the thought process, tailored for an expert audience, and written in the first person:

**Analyzing `input_devices_seq_next`**

Alright, let's dissect this `input_devices_seq_next` concept. My immediate instinct is to consider the context. Given the naming convention, I'm assuming this relates to managing input devices, likely a sequence or enumeration of them. The "next" part suggests iterative access, which immediately makes me think about potential use cases: are we talking about a simple rotation through available devices, or something more sophisticated, perhaps with prioritization or dynamic assignment?

I’m already evaluating the potential underlying data structures. Is this an array, a linked list, maybe even a more complex structure like a priority queue if the "next" isn't strictly linear? The efficiency implications are key here – how fast does this "next" operation need to be? Is concurrent access a concern? Thread safety is definitely on my radar. If multiple threads might be querying or modifying this sequence, the implementation becomes considerably more complex, potentially involving mutexes, atomic operations, or other synchronization primitives.

Then I have to consider the fault tolerance. What happens if a device is suddenly disconnected? How does the "next" function handle that gracefully? Does it simply skip the missing device, throw an error, or attempt to re-establish the connection? Error handling is critical in any input system.

I'm also pondering the potential for configuration. Is this sequence hardcoded, or is it dynamic, potentially sourced from a configuration file or a system call? If dynamic, how is the sequence maintained and updated? Are there any lifecycle hooks or callbacks in the system, and how would I interact with them?

And finally, how extensible is this? Can I easily add or remove devices from this sequence without breaking existing code? This brings up concerns of modularity and coupling, how loosely or tightly the component is coupled to the wider system. Any design flaws here will become very obvious in the real world.

map[ContextFile:drivers/input/input.c IncludeLines:true Name:input_devices_seq_next]

map[SourceCode:1050:	static void *input_devices_seq_next(struct seq_file *seq, void *v, loff_t *pos)
1051:	{
1052:		return seq_list_next(v, &input_dev_list, pos);
1053:	}
 SourceFile:drivers/input/input.c]

gemini-3-flash-preview

							input: 134747
							output: 51
							thoughts: 209
						

**Analyzing Potential Memory Corruption in `input_dev_list`**

Okay, so I'm looking at this code and it's using `input_dev_list`. My immediate concern is, if that list gets corrupted, we're likely going to be chasing bad pointers, and that's never fun. Let's see... Wait a minute, hold on. I think I've seen something relevant in the `mac80211` code... Yes! Here it is. In `ieee80211_inform_bss`, it calls `kfree(elems)`. Right, and `elems` is actually `&elems_parse->elems`. The structure's a bit of a maze, but `elems_parse->elems` is the first member of `ieee80211_elems_parse`. Okay.

Now, let's step back a second... `struct ieee802_11_elems`, that structure has quite a few members, doesn't it? My gut tells me there's something to this. I'm wondering... does it by any chance include a `struct list_head`? Could that be the connection? I'll re-check the structure layout for `ieee802_11_elems`. I don't see any of those that I recognized.

Alright, let's just make sure, let's go check the actual definition of `struct ieee802_11_elems`. I can't be too careful.

map[ContextFile:net/mac80211/parse.c IncludeLines:true Name:ieee802_11_elems]

map[SourceCode:1762:	/* Parsed Information Elements */
1763:	struct ieee802_11_elems {
1764:		const u8 *ie_start;
1765:		size_t total_len;
1766:		u32 crc;
1767:	
1768:		/* pointers to IEs */
1769:		const struct ieee80211_tdls_lnkie *lnk_id;
1770:		const struct ieee80211_ch_switch_timing *ch_sw_timing;
1771:		const u8 *ext_capab;
1772:		const u8 *ssid;
1773:		const u8 *supp_rates;
1774:		const u8 *ds_params;
1775:		const struct ieee80211_tim_ie *tim;
1776:		const u8 *rsn;
1777:		const u8 *rsnx;
1778:		const u8 *erp_info;
1779:		const u8 *ext_supp_rates;
1780:		const u8 *wmm_info;
1781:		const u8 *wmm_param;
1782:		const struct ieee80211_ht_cap *ht_cap_elem;
1783:		const struct ieee80211_ht_operation *ht_operation;
1784:		const struct ieee80211_vht_cap *vht_cap_elem;
1785:		const struct ieee80211_vht_operation *vht_operation;
1786:		const struct ieee80211_meshconf_ie *mesh_config;
1787:		const u8 *he_cap;
1788:		const struct ieee80211_he_operation *he_operation;
1789:		const struct ieee80211_he_spr *he_spr;
1790:		const struct ieee80211_mu_edca_param_set *mu_edca_param_set;
1791:		const struct ieee80211_he_6ghz_capa *he_6ghz_capa;
1792:		const u8 *uora_element;
1793:		const u8 *mesh_id;
1794:		const u8 *peering;
1795:		const __le16 *awake_window;
1796:		const u8 *preq;
1797:		const u8 *prep;
1798:		const u8 *perr;
1799:		const struct ieee80211_rann_ie *rann;
1800:		const struct ieee80211_channel_sw_ie *ch_switch_ie;
1801:		const struct ieee80211_ext_chansw_ie *ext_chansw_ie;
1802:		const struct ieee80211_wide_bw_chansw_ie *wide_bw_chansw_ie;
1803:		const u8 *max_channel_switch_time;
1804:		const u8 *country_elem;
1805:		const u8 *pwr_constr_elem;
1806:		const u8 *cisco_dtpc_elem;
1807:		const struct ieee80211_timeout_interval_ie *timeout_int;
1808:		const u8 *opmode_notif;
1809:		const struct ieee80211_sec_chan_offs_ie *sec_chan_offs;
1810:		struct ieee80211_mesh_chansw_params_ie *mesh_chansw_params_ie;
1811:		const struct ieee80211_bss_max_idle_period_ie *max_idle_period_ie;
1812:		const struct ieee80211_multiple_bssid_configuration *mbssid_config_ie;
1813:		const struct ieee80211_bssid_index *bssid_index;
1814:		u8 max_bssid_indicator;
1815:		u8 dtim_count;
1816:		u8 dtim_period;
1817:		const struct ieee80211_addba_ext_ie *addba_ext_ie;
1818:		const struct ieee80211_s1g_cap *s1g_capab;
1819:		const struct ieee80211_s1g_oper_ie *s1g_oper;
1820:		const struct ieee80211_s1g_bcn_compat_ie *s1g_bcn_compat;
1821:		const struct ieee80211_aid_response_ie *aid_resp;
1822:		const struct ieee80211_eht_cap_elem *eht_cap;
1823:		const struct ieee80211_eht_operation *eht_operation;
1824:		const struct ieee80211_multi_link_elem *ml_basic;
1825:		const struct ieee80211_multi_link_elem *ml_reconf;
1826:		const struct ieee80211_multi_link_elem *ml_epcs;
1827:		const struct ieee80211_bandwidth_indication *bandwidth_indication;
1828:		const struct ieee80211_ttlm_elem *ttlm[IEEE80211_TTLM_MAX_CNT];
1829:	
1830:		/* not the order in the psd values is per element, not per chandef */
1831:		struct ieee80211_parsed_tpe tpe;
1832:		struct ieee80211_parsed_tpe csa_tpe;
1833:	
1834:		/* length of them, respectively */
1835:		u8 ext_capab_len;
1836:		u8 ssid_len;
1837:		u8 supp_rates_len;
1838:		u8 tim_len;
1839:		u8 rsn_len;
1840:		u8 rsnx_len;
1841:		u8 ext_supp_rates_len;
1842:		u8 wmm_info_len;
1843:		u8 wmm_param_len;
1844:		u8 he_cap_len;
1845:		u8 mesh_id_len;
1846:		u8 peering_len;
1847:		u8 preq_len;
1848:		u8 prep_len;
1849:		u8 perr_len;
1850:		u8 country_elem_len;
1851:		u8 bssid_index_len;
1852:		u8 eht_cap_len;
1853:	
1854:		/* mult-link element can be de-fragmented and thus u8 is not sufficient */
1855:		size_t ml_basic_len;
1856:		size_t ml_reconf_len;
1857:		size_t ml_epcs_len;
1858:	
1859:		u8 ttlm_num;
1860:	
1861:		/*
1862:		 * store the per station profile pointer and length in case that the
1863:		 * parsing also handled Multi-Link element parsing for a specific link
1864:		 * ID.
1865:		 */
1866:		struct ieee80211_mle_per_sta_profile *prof;
1867:		size_t sta_prof_len;
1868:	
1869:		/* whether/which parse error occurred while retrieving these elements */
1870:		u8 parse_error;
1871:	};
 SourceFile:net/mac80211/ieee80211_i.h]

gemini-3-flash-preview

							input: 137505
							output: 61
							thoughts: 51
						

Here's my thought process, as if I were analyzing this code:

**Diving into the Structure**

Okay, hold on a second. Line 1831... Yes, there it is: `struct ieee80211_parsed_tpe tpe;`. Interesting. We've got a `struct ieee80211_parsed_tpe` named `tpe` declared. This seems like a key data structure we need to understand. Let's dig deeper and see what `struct ieee80211_parsed_tpe` actually *is*. I need to understand its members and purpose to continue. My focus shifts immediately to the definition of that structure.

map[ContextFile:net/mac80211/ieee80211_i.h IncludeLines:true Name:ieee80211_parsed_tpe]

map[SourceCode: 571:	/**
 572:	 * struct ieee80211_parsed_tpe - parsed transmit power envelope information
 573:	 * @max_local: maximum local EIRP, one value for 20, 40, 80, 160, 320 MHz each
 574:	 *	(indexed by TX power category)
 575:	 * @max_reg_client: maximum regulatory client EIRP, one value for 20, 40, 80,
 576:	 *	160, 320 MHz each
 577:	 *	(indexed by TX power category)
 578:	 * @psd_local: maximum local power spectral density, one value for each 20 MHz
 579:	 *	subchannel per bss_conf's chanreq.oper
 580:	 *	(indexed by TX power category)
 581:	 * @psd_reg_client: maximum regulatory power spectral density, one value for
 582:	 *	each 20 MHz subchannel per bss_conf's chanreq.oper
 583:	 *	(indexed by TX power category)
 584:	 */
 585:	struct ieee80211_parsed_tpe {
 586:		struct ieee80211_parsed_tpe_eirp max_local[2], max_reg_client[2];
 587:		struct ieee80211_parsed_tpe_psd psd_local[2], psd_reg_client[2];
 588:	};
 SourceFile:include/net/mac80211.h]

gemini-3-flash-preview

							input: 138218
							output: 17
							thoughts: 1309
						

**A Deep Dive into a Potential Kernel Vulnerability**

Okay, so I'm looking at this crash in `string_nocheck` triggered by a format string vulnerability (`%s`) and it looks like it's reading from an address within the `tpe` field of `ieee802_11_elems`. This is interesting because the address is inside `mac80211` memory.  If `dev->phys` (in the `input_dev` struct) points there, then someone must have assigned that address to it.  The crash context suggests `input_dev->phys` is pointing to some data that was meant to be a string, but clearly isn't.

My initial thoughts are, why is the `input_dev`'s `phys` field pointing to `mac80211` memory?  Then I see that the allocation and freeing of memory are happening within `ieee80211_inform_bss`, which is called when a BSS is found. This function uses temporary allocations.  So if `input_dev->phys` is pointing there, it must have been assigned *during* the execution of `ieee80211_inform_bss`. But that function doesn't seem to have anything to do with input devices.

The next thought is, is the `input_dev` itself part of some other structure being misused? I revisit the `input_devices_seq_show` code and remember that `input_dev` is obtained using `container_of` on a `list_head` node.  If `input_dev_list` is corrupted, it could lead to a pointer to a `list_head` that isn't part of a valid `input_dev`.  I checked, but neither `ieee80211_elems_parse` nor `ieee802_11_elems` contain a `list_head`.

What if the `input_dev` *was* freed and reused by `ieee80211_elems_parse`? But KASAN confirms the memory was allocated as `ieee80211_elems_parse`.  So the memory was definitely used as `ieee80211_elems_parse`.  Access is happening in `input_devices_seq_show`. That means the `input_dev_list` contains a pointer to this memory. But how did it get there?

Then, the crucial point – `input_register_device` calls `list_add_tail` on the `input_dev`'s `node`, adding it to `input_dev_list`. This is the smoking gun!

If someone called `input_register_device` with a pointer to memory that was later freed and then reused by `mac80211`, that would explain everything!

Who is calling `input_register_device`? I know that PID 7511 triggered the crash. I see it triggered by `vfs_readv` on a file, likely `/proc/bus/input/devices`. This means a driver registered an input device and didn't unregister it before the memory was freed. This is where I'm suspecting the problem lies.

I'm starting to think this isn't an issue of freeing the `input_dev` itself, but that it's `input_dev`'s `phys` pointer that is pointing to the freed memory. The `input_dev` *itself* is still valid, but it's `phys` field points to the freed `mac80211` object.

Some code must have done something like: `input_dev->phys = some_pointer;`  And `some_pointer` was pointing inside that `ieee80211_elems_parse` object.

Now I need to search through `net/wireless` to figure out where this could happen. This points to some code within `cfg80211` or `mac80211`.

map[Expression:input_dev]

map[Output:
Full output is too long, showing 500 out of 22409 lines.
Use more precise expression if possible.

[Documentation/input/input-programming.rst=10=pressed or released a BUTTON_IRQ happens. The driver could look like::
 --
 Documentation/input/input-programming.rst-18-
 Documentation/input/input-programming.rst:19:    static struct input_dev *button_dev;
 Documentation/input/input-programming.rst-20-
 --
 Documentation/input/input-programming.rst=134=again. To do that, we would add this to our example driver::
 Documentation/input/input-programming.rst-135-
 Documentation/input/input-programming.rst:136:    static int button_open(struct input_dev *dev)
 Documentation/input/input-programming.rst-137-    {
 --
 Documentation/input/input-programming.rst-145-
 Documentation/input/input-programming.rst:146:    static void button_close(struct input_dev *dev)
 Documentation/input/input-programming.rst-147-    {
 --
 Documentation/input/input-programming.rst=217=It's reported to the input system via::
 Documentation/input/input-programming.rst-218-
 Documentation/input/input-programming.rst:219:	input_report_key(struct input_dev *dev, int code, int value)
 Documentation/input/input-programming.rst-220-
 --
 Documentation/input/input-programming.rst=235=set the corresponding bits and call the::
 Documentation/input/input-programming.rst-236-
 Documentation/input/input-programming.rst:237:	input_report_rel(struct input_dev *dev, int code, int value)
 Documentation/input/input-programming.rst-238-
 --
 Documentation/input/input-programming.rst=241=However EV_ABS requires a little special care. Before calling
 Documentation/input/input-programming.rst:242:input_register_device, you have to fill additional fields in the input_dev
 Documentation/input/input-programming.rst-243-struct for each absolute axis your device has. If our button device had also
 --
 Documentation/input/input-programming.rst=332=driver can handle these events, it has to set the respective bits in evbit,
 --
 Documentation/input/input-programming.rst-336-
 Documentation/input/input-programming.rst:337:    int button_event(struct input_dev *dev, unsigned int type,
 Documentation/input/input-programming.rst-338-		     unsigned int code, int value)
 --
 Documentation/input/input-programming.rst=354=the function::
 Documentation/input/input-programming.rst-355-
 Documentation/input/input-programming.rst:356:    int input_setup_polling(struct input_dev *dev,
 Documentation/input/input-programming.rst:357:        void (*poll_fn)(struct input_dev *dev))
 Documentation/input/input-programming.rst-358-
 --
 Documentation/input/input-programming.rst=362=There is also the function::
 Documentation/input/input-programming.rst-363-
 Documentation/input/input-programming.rst:364:    void input_set_poll_interval(struct input_dev *dev, unsigned int interval)
 Documentation/input/input-programming.rst-365-
 --
 arch/m68k/include/asm/oplib.h=154=__printf(1, 2) void prom_printf(char *fmt, ...);
 --
 arch/m68k/include/asm/oplib.h-157-
 arch/m68k/include/asm/oplib.h:158:enum prom_input_device {
 arch/m68k/include/asm/oplib.h-159-	PROMDEV_IKBD,			/* input from keyboard */
 --
 arch/m68k/include/asm/oplib.h-164-
 arch/m68k/include/asm/oplib.h:165:extern enum prom_input_device prom_query_input_device(void);
 arch/m68k/include/asm/oplib.h-166-
 --
 arch/m68k/sun3/prom/console.c=57=prom_putchar(char c)
 --
 arch/m68k/sun3/prom/console.c-64-#if 0
 arch/m68k/sun3/prom/console.c:65:enum prom_input_device
 arch/m68k/sun3/prom/console.c:66:prom_query_input_device()
 arch/m68k/sun3/prom/console.c-67-{
 --
 arch/x86/platform/olpc/olpc-xo1-sci.c=29=static unsigned long acpi_base;
 arch/x86/platform/olpc/olpc-xo1-sci.c:30:static struct input_dev *power_button_idev;
 arch/x86/platform/olpc/olpc-xo1-sci.c:31:static struct input_dev *ebook_switch_idev;
 arch/x86/platform/olpc/olpc-xo1-sci.c:32:static struct input_dev *lid_switch_idev;
 arch/x86/platform/olpc/olpc-xo1-sci.c-33-
 --
 drivers/accessibility/speakup/fakekey.c=18=static DEFINE_PER_CPU(int, reporting_keystroke);
 drivers/accessibility/speakup/fakekey.c-19-
 drivers/accessibility/speakup/fakekey.c:20:static struct input_dev *virt_keyboard;
 drivers/accessibility/speakup/fakekey.c-21-
 --
 drivers/acpi/acpi_video.c=157=struct acpi_video_bus {
 --
 drivers/acpi/acpi_video.c-168-	struct list_head entry;
 drivers/acpi/acpi_video.c:169:	struct input_dev *input;
 drivers/acpi/acpi_video.c-170-	char phys[32];	/* for input device */
 --
 drivers/acpi/acpi_video.c=1541=static void acpi_video_bus_notify(acpi_handle handle, u32 event, void *data)
 --
 drivers/acpi/acpi_video.c-1544-	struct acpi_video_bus *video = acpi_driver_data(device);
 drivers/acpi/acpi_video.c:1545:	struct input_dev *input;
 drivers/acpi/acpi_video.c-1546-	int keycode = 0;
 --
 drivers/acpi/acpi_video.c=1604=static void acpi_video_device_notify(acpi_handle handle, u32 event, void *data)
 --
 drivers/acpi/acpi_video.c-1608-	struct acpi_video_bus *bus;
 drivers/acpi/acpi_video.c:1609:	struct input_dev *input;
 drivers/acpi/acpi_video.c-1610-	int keycode = 0;
 --
 drivers/acpi/acpi_video.c=1894=static int acpi_video_bus_add_notify_handler(struct acpi_video_bus *video)
 drivers/acpi/acpi_video.c-1895-{
 drivers/acpi/acpi_video.c:1896:	struct input_dev *input;
 drivers/acpi/acpi_video.c-1897-	struct acpi_video_device *dev;
 --
 drivers/acpi/button.c=171=struct acpi_button {
 drivers/acpi/button.c-172-	unsigned int type;
 drivers/acpi/button.c:173:	struct input_dev *input;
 drivers/acpi/button.c-174-	char phys[32];			/* for input device */
 --
 drivers/acpi/button.c=440=static void acpi_button_notify(acpi_handle handle, u32 event, void *data)
 --
 drivers/acpi/button.c-443-	struct acpi_button *button;
 drivers/acpi/button.c:444:	struct input_dev *input;
 drivers/acpi/button.c-445-	int keycode;
 --
 drivers/acpi/button.c=498=static int acpi_button_resume(struct device *dev)
 drivers/acpi/button.c-499-{
 drivers/acpi/button.c:500:	struct input_dev *input;
 drivers/acpi/button.c-501-	struct acpi_device *device = to_acpi_device(dev);
 --
 drivers/acpi/button.c-521-
 drivers/acpi/button.c:522:static int acpi_lid_input_open(struct input_dev *input)
 drivers/acpi/button.c-523-{
 --
 drivers/acpi/button.c=534=static int acpi_button_add(struct acpi_device *device)
 --
 drivers/acpi/button.c-537-	struct acpi_button *button;
 drivers/acpi/button.c:538:	struct input_dev *input;
 drivers/acpi/button.c-539-	const char *hid = acpi_device_hid(device);
 --
 drivers/auxdisplay/ht16k33.c=69=struct ht16k33_keypad {
 drivers/auxdisplay/ht16k33.c-70-	struct i2c_client *client;
 drivers/auxdisplay/ht16k33.c:71:	struct input_dev *dev;
 drivers/auxdisplay/ht16k33.c-72-	uint32_t cols;
 --
 drivers/auxdisplay/ht16k33.c=365=static irqreturn_t ht16k33_keypad_irq_thread(int irq, void *dev)
 --
 drivers/auxdisplay/ht16k33.c-378-
 drivers/auxdisplay/ht16k33.c:379:static int ht16k33_keypad_start(struct input_dev *dev)
 drivers/auxdisplay/ht16k33.c-380-{
 --
 drivers/auxdisplay/ht16k33.c-389-
 drivers/auxdisplay/ht16k33.c:390:static void ht16k33_keypad_stop(struct input_dev *dev)
 drivers/auxdisplay/ht16k33.c-391-{
 --
 drivers/char/sonypi.c=460=struct sonypi_keypress {
 drivers/char/sonypi.c:461:	struct input_dev *dev;
 drivers/char/sonypi.c-462-	int key;
 --
 drivers/char/sonypi.c=465=static struct sonypi_device {
 --
 drivers/char/sonypi.c-481-	int model;
 drivers/char/sonypi.c:482:	struct input_dev *input_jog_dev;
 drivers/char/sonypi.c:483:	struct input_dev *input_key_dev;
 drivers/char/sonypi.c-484-	struct work_struct input_work;
 --
 drivers/char/sonypi.c=775=static void sonypi_report_input_event(u8 event)
 drivers/char/sonypi.c-776-{
 drivers/char/sonypi.c:777:	struct input_dev *jog_dev = sonypi_device.input_jog_dev;
 drivers/char/sonypi.c:778:	struct input_dev *key_dev = sonypi_device.input_key_dev;
 drivers/char/sonypi.c-779-	struct sonypi_keypress kp = { NULL };
 --
 drivers/char/sonypi.c=1136=static struct acpi_driver sonypi_acpi_driver = {
 --
 drivers/char/sonypi.c-1146-
 drivers/char/sonypi.c:1147:static int sonypi_create_input_devices(struct platform_device *pdev)
 drivers/char/sonypi.c-1148-{
 drivers/char/sonypi.c:1149:	struct input_dev *jog_dev;
 drivers/char/sonypi.c:1150:	struct input_dev *key_dev;
 drivers/char/sonypi.c-1151-	int i;
 --
 drivers/char/sonypi.c=1287=static int sonypi_probe(struct platform_device *dev)
 --
 drivers/char/sonypi.c-1369-
 drivers/char/sonypi.c:1370:		error = sonypi_create_input_devices(dev);
 drivers/char/sonypi.c-1371-		if (error) {
 --
 drivers/extcon/extcon-max77693.c=66=struct max77693_muic_info {
 --
 drivers/extcon/extcon-max77693.c-88-	/* Button of dock device */
 drivers/extcon/extcon-max77693.c:89:	struct input_dev *dock;
 drivers/extcon/extcon-max77693.c-90-
 --
 drivers/extcon/extcon-max77693.c=532=static int max77693_muic_dock_button_handler(struct max77693_muic_info *info,
 --
 drivers/extcon/extcon-max77693.c-534-{
 drivers/extcon/extcon-max77693.c:535:	struct input_dev *dock = info->dock;
 drivers/extcon/extcon-max77693.c-536-	unsigned int code;
 --
 drivers/gpu/drm/bridge/sil-sii8620.c=2052=static void sii8620_cable_in(struct sii8620 *ctx)
 --
 drivers/gpu/drm/bridge/sil-sii8620.c-2095-
 drivers/gpu/drm/bridge/sil-sii8620.c:2096:static void sii8620_init_rcp_input_dev(struct sii8620 *ctx)
 drivers/gpu/drm/bridge/sil-sii8620.c-2097-{
 --
 drivers/gpu/drm/bridge/sil-sii8620.c=2205=static int sii8620_attach(struct drm_bridge *bridge,
 --
 drivers/gpu/drm/bridge/sil-sii8620.c-2210-
 drivers/gpu/drm/bridge/sil-sii8620.c:2211:	sii8620_init_rcp_input_dev(ctx);
 drivers/gpu/drm/bridge/sil-sii8620.c-2212-
 --
 drivers/hid/hid-a4tech.c=73=static int a4_event(struct hid_device *hdev, struct hid_field *field,
 --
 drivers/hid/hid-a4tech.c-76-	struct a4tech_sc *a4 = hid_get_drvdata(hdev);
 drivers/hid/hid-a4tech.c:77:	struct input_dev *input;
 drivers/hid/hid-a4tech.c-78-
 --
 drivers/hid/hid-alps.c=96=struct alps_dev {
 drivers/hid/hid-alps.c:97:	struct input_dev *input;
 drivers/hid/hid-alps.c:98:	struct input_dev *input2;
 drivers/hid/hid-alps.c-99-	struct hid_device *hdev;
 --
 drivers/hid/hid-alps.c=609=static int T4_init(struct hid_device *hdev, struct alps_dev *pri_data)
 --
 drivers/hid/hid-alps.c-659-
 drivers/hid/hid-alps.c:660:static int alps_sp_open(struct input_dev *dev)
 drivers/hid/hid-alps.c-661-{
 --
 drivers/hid/hid-alps.c-666-
 drivers/hid/hid-alps.c:667:static void alps_sp_close(struct input_dev *dev)
 drivers/hid/hid-alps.c-668-{
 --
 drivers/hid/hid-alps.c=674=static int alps_input_configured(struct hid_device *hdev, struct hid_input *hi)
 --
 drivers/hid/hid-alps.c-676-	struct alps_dev *data = hid_get_drvdata(hdev);
 drivers/hid/hid-alps.c:677:	struct input_dev *input = hi->input, *input2;
 drivers/hid/hid-alps.c-678-	int ret;
 --
 drivers/hid/hid-apple.c=383=static bool apple_is_omoton_kb066(struct hid_device *hdev)
 --
 drivers/hid/hid-apple.c-388-
 drivers/hid/hid-apple.c:389:static inline void apple_setup_key_translation(struct input_dev *input,
 drivers/hid/hid-apple.c-390-		const struct apple_key_translation *table)
 --
 drivers/hid/hid-apple.c=398=static const struct apple_key_translation *apple_find_translation(
 --
 drivers/hid/hid-apple.c-410-
 drivers/hid/hid-apple.c:411:static void input_event_with_scancode(struct input_dev *input,
 drivers/hid/hid-apple.c-412-		__u8 type, __u16 code, unsigned int hid, __s32 value)
 --
 drivers/hid/hid-apple.c-419-
 drivers/hid/hid-apple.c:420:static int hidinput_apple_event(struct hid_device *hid, struct input_dev *input,
 drivers/hid/hid-apple.c-421-		struct hid_usage *usage, __s32 value)
 --
 drivers/hid/hid-apple.c=657=static const __u8 *apple_report_fixup(struct hid_device *hdev, __u8 *rdesc,
 --
 drivers/hid/hid-apple.c-700-
 drivers/hid/hid-apple.c:701:static void apple_setup_input(struct input_dev *input)
 drivers/hid/hid-apple.c-702-{
 --
 drivers/hid/hid-appleir.c=107=struct appleir {
 drivers/hid/hid-appleir.c:108:	struct input_dev *input_dev;
 drivers/hid/hid-appleir.c-109-	struct hid_device *hid;
 --
 drivers/hid/hid-appleir.c=151=static void key_up(struct hid_device *hid, struct appleir *appleir, int key)
 drivers/hid/hid-appleir.c-152-{
 drivers/hid/hid-appleir.c:153:	input_report_key(appleir->input_dev, key, 0);
 drivers/hid/hid-appleir.c:154:	input_sync(appleir->input_dev);
 drivers/hid/hid-appleir.c-155-}
 --
 drivers/hid/hid-appleir.c=157=static void key_down(struct hid_device *hid, struct appleir *appleir, int key)
 drivers/hid/hid-appleir.c-158-{
 drivers/hid/hid-appleir.c:159:	input_report_key(appleir->input_dev, key, 1);
 drivers/hid/hid-appleir.c:160:	input_sync(appleir->input_dev);
 drivers/hid/hid-appleir.c-161-}
 --
 drivers/hid/hid-appleir.c=163=static void battery_flat(struct appleir *appleir)
 drivers/hid/hid-appleir.c-164-{
 drivers/hid/hid-appleir.c:165:	dev_err(&appleir->input_dev->dev, "possible flat battery?\n");
 drivers/hid/hid-appleir.c-166-}
 --
 drivers/hid/hid-appleir.c=251=static int appleir_input_configured(struct hid_device *hid,
 --
 drivers/hid/hid-appleir.c-253-{
 drivers/hid/hid-appleir.c:254:	struct input_dev *input_dev = hidinput->input;
 drivers/hid/hid-appleir.c-255-	struct appleir *appleir = hid_get_drvdata(hid);
 --
 drivers/hid/hid-appleir.c-257-
 drivers/hid/hid-appleir.c:258:	appleir->input_dev = input_dev;
 drivers/hid/hid-appleir.c-259-
 drivers/hid/hid-appleir.c:260:	input_dev->keycode = appleir->keymap;
 drivers/hid/hid-appleir.c:261:	input_dev->keycodesize = sizeof(unsigned short);
 drivers/hid/hid-appleir.c:262:	input_dev->keycodemax = ARRAY_SIZE(appleir->keymap);
 drivers/hid/hid-appleir.c-263-
 drivers/hid/hid-appleir.c:264:	input_dev->evbit[0] = BIT(EV_KEY) | BIT(EV_REP);
 drivers/hid/hid-appleir.c-265-
 --
 drivers/hid/hid-appleir.c-267-	for (i = 0; i < ARRAY_SIZE(appleir_key_table); i++)
 drivers/hid/hid-appleir.c:268:		set_bit(appleir->keymap[i], input_dev->keybit);
 drivers/hid/hid-appleir.c:269:	clear_bit(KEY_RESERVED, input_dev->keybit);
 drivers/hid/hid-appleir.c-270-
 --
 drivers/hid/hid-appletb-kbd.c=197=static int appletb_kbd_hid_event(struct hid_device *hdev, struct hid_field *field,
 --
 drivers/hid/hid-appletb-kbd.c-201-	struct key_entry *translation;
 drivers/hid/hid-appletb-kbd.c:202:	struct input_dev *input;
 drivers/hid/hid-appletb-kbd.c-203-	int slot;
 --
 drivers/hid/hid-appletb-kbd.c=255=static int appletb_kbd_inp_connect(struct input_handler *handler,
 drivers/hid/hid-appletb-kbd.c:256:			       struct input_dev *dev,
 drivers/hid/hid-appletb-kbd.c:257:			       const struct input_device_id *id)
 drivers/hid/hid-appletb-kbd.c-258-{
 --
 drivers/hid/hid-appletb-kbd.c=308=static int appletb_kbd_input_configured(struct hid_device *hdev, struct hid_input *hidinput)
 --
 drivers/hid/hid-appletb-kbd.c-310-	int idx;
 drivers/hid/hid-appletb-kbd.c:311:	struct input_dev *input = hidinput->input;
 drivers/hid/hid-appletb-kbd.c-312-
 --
 drivers/hid/hid-appletb-kbd.c-330-
 drivers/hid/hid-appletb-kbd.c:331:static const struct input_device_id appletb_kbd_input_devices[] = {
 drivers/hid/hid-appletb-kbd.c-332-	{
 --
 drivers/hid/hid-appletb-kbd.c=353=static bool appletb_kbd_match_internal_device(struct input_handler *handler,
 drivers/hid/hid-appletb-kbd.c:354:					  struct input_dev *inp_dev)
 drivers/hid/hid-appletb-kbd.c-355-{
 --
 drivers/hid/hid-appletb-kbd.c=374=static int appletb_kbd_probe(struct hid_device *hdev, const struct hid_device_id *id)
 --
 drivers/hid/hid-appletb-kbd.c-419-	kbd->inp_handler.name = "appletb";
 drivers/hid/hid-appletb-kbd.c:420:	kbd->inp_handler.id_table = appletb_kbd_input_devices;
 drivers/hid/hid-appletb-kbd.c-421-	kbd->inp_handler.match = appletb_kbd_match_internal_device;
 --
 drivers/hid/hid-asus.c=122=struct asus_drvdata {
 --
 drivers/hid/hid-asus.c-124-	struct hid_device *hdev;
 drivers/hid/hid-asus.c:125:	struct input_dev *input;
 drivers/hid/hid-asus.c:126:	struct input_dev *tp_kbd_input;
 drivers/hid/hid-asus.c-127-	struct asus_kbd_leds *kbd_backlight;
 --
 drivers/hid/hid-asus.c=198=static void asus_report_contact_down(struct asus_drvdata *drvdat,
 --
 drivers/hid/hid-asus.c-200-{
 drivers/hid/hid-asus.c:201:	struct input_dev *input = drvdat->input;
 drivers/hid/hid-asus.c-202-	int touch_major, pressure, x, y;
 --
 drivers/hid/hid-asus.c=869=static int asus_input_configured(struct hid_device *hdev, struct hid_input *hi)
 drivers/hid/hid-asus.c-870-{
 drivers/hid/hid-asus.c:871:	struct input_dev *input = hi->input;
 drivers/hid/hid-asus.c-872-	struct asus_drvdata *drvdata = hid_get_drvdata(hdev);
 --
 drivers/hid/hid-asus.c=1127=static int asus_probe(struct hid_device *hdev, const struct hid_device_id *id)
 --
 drivers/hid/hid-asus.c-1175-		 * All functionality is on a single HID interface and for
 drivers/hid/hid-asus.c:1176:		 * userspace the touchpad must be a separate input_dev.
 drivers/hid/hid-asus.c-1177-		 */
 --
 drivers/hid/hid-axff.c=27=struct axff_device {
 --
 drivers/hid/hid-axff.c-30-
 drivers/hid/hid-axff.c:31:static int axff_play(struct input_dev *dev, void *data, struct ff_effect *effect)
 drivers/hid/hid-axff.c-32-{
 --
 drivers/hid/hid-axff.c=62=static int axff_init(struct hid_device *hid)
 --
 drivers/hid/hid-axff.c-67-	struct list_head *report_list =&hid->report_enum[HID_OUTPUT_REPORT].report_list;
 drivers/hid/hid-axff.c:68:	struct input_dev *dev;
 drivers/hid/hid-axff.c-69-	int field_count = 0;
 --
 drivers/hid/hid-betopff.c=33=struct betopff_device {
 --
 drivers/hid/hid-betopff.c-36-
 drivers/hid/hid-betopff.c:37:static int hid_betopff_play(struct input_dev *dev, void *data,
 drivers/hid/hid-betopff.c-38-			 struct ff_effect *effect)
 --
 drivers/hid/hid-betopff.c=55=static int betopff_init(struct hid_device *hid)
 --
 drivers/hid/hid-betopff.c-61-			&hid->report_enum[HID_OUTPUT_REPORT].report_list;
 drivers/hid/hid-betopff.c:62:	struct input_dev *dev;
 drivers/hid/hid-betopff.c-63-	int error;
 --
 drivers/hid/hid-bigbenff.c=198=static void bigben_worker(struct work_struct *work)
 --
 drivers/hid/hid-bigbenff.c-265-
 drivers/hid/hid-bigbenff.c:266:static int hid_bigben_play_effect(struct input_dev *dev, void *data,
 drivers/hid/hid-bigbenff.c-267-			 struct ff_effect *effect)
 --
 drivers/hid/hid-chicony.c=26=static int ch_report_wireless(struct hid_report *report, u8 *data, int size)
 --
 drivers/hid/hid-chicony.c-28-	struct hid_device *hdev = report->device;
 drivers/hid/hid-chicony.c:29:	struct input_dev *input;
 drivers/hid/hid-chicony.c-30-
 --
 drivers/hid/hid-cmedia.c=85=struct cmhid {
 drivers/hid/hid-cmedia.c:86:	struct input_dev *input_dev;
 drivers/hid/hid-cmedia.c-87-	struct hid_device *hid;
 --
 drivers/hid/hid-cmedia.c=91=static void hp_ev(struct hid_device *hid, struct cmhid *cm, int value)
 drivers/hid/hid-cmedia.c-92-{
 drivers/hid/hid-cmedia.c:93:	input_report_switch(cm->input_dev, SW_HEADPHONE_INSERT, value);
 drivers/hid/hid-cmedia.c:94:	input_sync(cm->input_dev);
 drivers/hid/hid-cmedia.c-95-}
 --
 drivers/hid/hid-cmedia.c=120=static int cmhid_input_configured(struct hid_device *hid,
 --
 drivers/hid/hid-cmedia.c-122-{
 drivers/hid/hid-cmedia.c:123:	struct input_dev *input_dev = hidinput->input;
 drivers/hid/hid-cmedia.c-124-	struct cmhid *cm = hid_get_drvdata(hid);
 --
 drivers/hid/hid-cmedia.c-126-
 drivers/hid/hid-cmedia.c:127:	cm->input_dev = input_dev;
 drivers/hid/hid-cmedia.c-128-	memcpy(cm->switch_map, jack_switch_types, sizeof(cm->switch_map));
 drivers/hid/hid-cmedia.c:129:	input_dev->evbit[0] = BIT(EV_SW);
 drivers/hid/hid-cmedia.c-130-	for (i = 0; i < CM6533_JD_TYPE_COUNT; i++)
 drivers/hid/hid-cmedia.c:131:		input_set_capability(cm->input_dev,
 drivers/hid/hid-cmedia.c-132-				EV_SW, jack_switch_types[i]);
 --
 drivers/hid/hid-cougar.c=68=struct cougar_shared {
 --
 drivers/hid/hid-cougar.c-72-	struct hid_device *dev;
 drivers/hid/hid-cougar.c:73:	struct input_dev *input;
 drivers/hid/hid-cougar.c-74-};
 --
 drivers/hid/hid-creative-sb0540.c=117=struct creative_sb0540 {
 drivers/hid/hid-creative-sb0540.c:118:	struct input_dev *input_dev;
 drivers/hid/hid-creative-sb0540.c-119-	struct hid_device *hid;
 --
 drivers/hid/hid-creative-sb0540.c=149=static int creative_sb0540_raw_event(struct hid_device *hid,
 --
 drivers/hid/hid-creative-sb0540.c-176-
 drivers/hid/hid-creative-sb0540.c:177:	input_report_key(creative_sb0540->input_dev, key, 1);
 drivers/hid/hid-creative-sb0540.c:178:	input_report_key(creative_sb0540->input_dev, key, 0);
 drivers/hid/hid-creative-sb0540.c:179:	input_sync(creative_sb0540->input_dev);
 drivers/hid/hid-creative-sb0540.c-180-
 --
 drivers/hid/hid-creative-sb0540.c=185=static int creative_sb0540_input_configured(struct hid_device *hid,
 --
 drivers/hid/hid-creative-sb0540.c-187-{
 drivers/hid/hid-creative-sb0540.c:188:	struct input_dev *input_dev = hidinput->input;
 drivers/hid/hid-creative-sb0540.c-189-	struct creative_sb0540 *creative_sb0540 = hid_get_drvdata(hid);
 --
 drivers/hid/hid-creative-sb0540.c-191-
 drivers/hid/hid-creative-sb0540.c:192:	creative_sb0540->input_dev = input_dev;
 drivers/hid/hid-creative-sb0540.c-193-
 drivers/hid/hid-creative-sb0540.c:194:	input_dev->keycode = creative_sb0540->keymap;
 drivers/hid/hid-creative-sb0540.c:195:	input_dev->keycodesize = sizeof(unsigned short);
 drivers/hid/hid-creative-sb0540.c:196:	input_dev->keycodemax = ARRAY_SIZE(creative_sb0540->keymap);
 drivers/hid/hid-creative-sb0540.c-197-
 drivers/hid/hid-creative-sb0540.c:198:	input_dev->evbit[0] = BIT(EV_KEY) | BIT(EV_REP);
 drivers/hid/hid-creative-sb0540.c-199-
 --
 drivers/hid/hid-creative-sb0540.c-202-	for (i = 0; i < ARRAY_SIZE(creative_sb0540_key_table); i++)
 drivers/hid/hid-creative-sb0540.c:203:		set_bit(creative_sb0540->keymap[i], input_dev->keybit);
 drivers/hid/hid-creative-sb0540.c:204:	clear_bit(KEY_RESERVED, input_dev->keybit);
 drivers/hid/hid-creative-sb0540.c-205-
 --
 drivers/hid/hid-cypress.c=100=static int cp_event(struct hid_device *hdev, struct hid_field *field,
 --
 drivers/hid/hid-cypress.c-118-	if (usage->code == REL_WHEEL && (quirks & CP_2WHEEL_MOUSE_HACK_ON)) {
 drivers/hid/hid-cypress.c:119:		struct input_dev *input = field->hidinput->input;
 drivers/hid/hid-cypress.c-120-
 --
 drivers/hid/hid-dr.c=27=struct drff_device {
 --
 drivers/hid/hid-dr.c-30-
 drivers/hid/hid-dr.c:31:static int drff_play(struct input_dev *dev, void *data,
 drivers/hid/hid-dr.c-32-				 struct ff_effect *effect)
 --
 drivers/hid/hid-dr.c=74=static int drff_init(struct hid_device *hid)
 --
 drivers/hid/hid-dr.c-80-			&hid->report_enum[HID_OUTPUT_REPORT].report_list;
 drivers/hid/hid-dr.c:81:	struct input_dev *dev;
 drivers/hid/hid-dr.c-82-	int error;
 --
 drivers/hid/hid-elan.c=40=struct elan_drvdata {
 drivers/hid/hid-elan.c:41:	struct input_dev *input;
 drivers/hid/hid-elan.c-42-	u8 prev_report[ELAN_INPUT_REPORT_SIZE];
 --
 drivers/hid/hid-elan.c=152=static int elan_input_configured(struct hid_device *hdev, struct hid_input *hi)
 --
 drivers/hid/hid-elan.c-154-	int ret;
 drivers/hid/hid-elan.c:155:	struct input_dev *input;
 drivers/hid/hid-elan.c-156-	struct elan_drvdata *drvdata = hid_get_drvdata(hdev);
 --
 drivers/hid/hid-elan.c=210=static void elan_report_mt_slot(struct elan_drvdata *drvdata, u8 *data,
 --
 drivers/hid/hid-elan.c-212-{
 drivers/hid/hid-elan.c:213:	struct input_dev *input = drvdata->input;
 drivers/hid/hid-elan.c-214-	int x, y, p;
 --
 drivers/hid/hid-elan.c=232=static void elan_usb_report_input(struct elan_drvdata *drvdata, u8 *data)
 --
 drivers/hid/hid-elan.c-234-	int i;
 drivers/hid/hid-elan.c:235:	struct input_dev *input = drvdata->input;
 drivers/hid/hid-elan.c-236-
 --
 drivers/hid/hid-elan.c=319=static void elan_i2c_report_input(struct elan_drvdata *drvdata, u8 *data)
 drivers/hid/hid-elan.c-320-{
 drivers/hid/hid-elan.c:321:	struct input_dev *input = drvdata->input;
 drivers/hid/hid-elan.c-322-	u8 *finger_data;
 --
 drivers/hid/hid-elo.c=39=static int elo_input_configured(struct hid_device *hdev,
 --
 drivers/hid/hid-elo.c-41-{
 drivers/hid/hid-elo.c:42:	struct input_dev *input = hidinput->input;
 drivers/hid/hid-elo.c-43-
 --
 drivers/hid/hid-elo.c-56-
 drivers/hid/hid-elo.c:57:static void elo_process_data(struct input_dev *input, const u8 *data, int size)
 drivers/hid/hid-elo.c-58-{
 --
 drivers/hid/hid-emsff.c=18=struct emsff_device {
 --
 drivers/hid/hid-emsff.c-21-
 drivers/hid/hid-emsff.c:22:static int emsff_play(struct input_dev *dev, void *data,
 drivers/hid/hid-emsff.c-23-			 struct ff_effect *effect)
 --
]
]

gemini-3-flash-preview

							input: 150635
							output: 17
							thoughts: 54
						

Okay, here's my thought process on that:

**Investigating a Clue in mac80211**

Hold on a second! I think I stumbled upon something promising in `net/mac80211/main.c`. My initial instinct was right, the kernel's mac80211 wireless driver is probably the place to focus.

I'm going to refine my approach. Instead of a general `input_dev` search, I'll go back and specifically look within the `net/mac80211` directory for instances where the `input_dev` structure is assigned to the `phys` field. That seems like a more direct path to understanding how the physical device representation is tied to the input side in this context. It's a bit more targeted, which should hopefully yield more relevant results, and faster. It's about finding the critical cross-reference. Let's see what turns up.

map[Expression:phys.*=]

map[Output:
Full output is too long, showing 500 out of 41705 lines.
Use more precise expression if possible.

[Documentation/ABI/stable/sysfs-class-infiniband=335=Description:
 --
 Documentation/ABI/stable/sysfs-class-infiniband-349-		======================= ==========================================
 Documentation/ABI/stable/sysfs-class-infiniband:350:		gids/<n>:		(RO) The physical port gids n = 0..127
 Documentation/ABI/stable/sysfs-class-infiniband-351-
 --
 Documentation/ABI/testing/sysfs-bus-event_source-devices-hv_gpci=4=Description:    Read-only. Attribute group to describe the magic bits
 --
 Documentation/ABI/testing/sysfs-bus-event_source-devices-hv_gpci-18-				offset = "config:32-63"
 Documentation/ABI/testing/sysfs-bus-event_source-devices-hv_gpci:19:				phys_processor_idx = "config:32-63"
 Documentation/ABI/testing/sysfs-bus-event_source-devices-hv_gpci-20-				secondary_index = "config:0-15"
 --
 Documentation/ABI/testing/sysfs-bus-event_source-devices-hv_gpci-25-		  processor_core_utilization_instructions_completed = "request=0x94,
 Documentation/ABI/testing/sysfs-bus-event_source-devices-hv_gpci:26:					phys_processor_idx=?,counter_info_version=0x8,
 Documentation/ABI/testing/sysfs-bus-event_source-devices-hv_gpci-27-					length=8,offset=0x18"
 --
 Documentation/admin-guide/device-mapper/dm-ima.rst=640=section above) has the following data format for 'striped' target.
 --
 Documentation/admin-guide/device-mapper/dm-ima.rst-654-                       where <X> ranges from 0 to (<NS> -1) - for <NS> described in <stripes>.
 Documentation/admin-guide/device-mapper/dm-ima.rst:655: stripe_physical_start := "stripe_" <X> "_physical_start=" <N>
 Documentation/admin-guide/device-mapper/dm-ima.rst-656-                           where <X> ranges from 0 to (<NS> -1) - for <NS> described in <stripes>.
 --
 Documentation/admin-guide/device-mapper/dm-ima.rst-669- target_index=0,target_begin=0,target_len=640,target_name=striped,target_version=1.6.0,stripes=2,chunk_size=64,
 Documentation/admin-guide/device-mapper/dm-ima.rst:670:    stripe_0_device_name=253:0,stripe_0_physical_start=2048,stripe_0_status=A,
 Documentation/admin-guide/device-mapper/dm-ima.rst:671:    stripe_1_device_name=253:3,stripe_1_physical_start=2048,stripe_1_status=A;
 Documentation/admin-guide/device-mapper/dm-ima.rst-672-
 --
 Documentation/arch/arm/porting.rst=12=virtual address to a physical address.  Normally, it is simply:
 Documentation/arch/arm/porting.rst-13-
 Documentation/arch/arm/porting.rst:14:		phys = virt - PAGE_OFFSET + PHYS_OFFSET
 Documentation/arch/arm/porting.rst-15-
 --
 Documentation/arch/arm/porting.rst=33=ZRELADDR
 --
 Documentation/arch/arm/porting.rst-36-
 Documentation/arch/arm/porting.rst:37:		__virt_to_phys(TEXTADDR) == ZRELADDR
 Documentation/arch/arm/porting.rst-38-
 --
 Documentation/arch/arm/porting.rst=47=INITRD_VIRT
 --
 Documentation/arch/arm/porting.rst-50-
 Documentation/arch/arm/porting.rst:51:		__virt_to_phys(INITRD_VIRT) == INITRD_PHYS
 Documentation/arch/arm/porting.rst-52-
 --
 Documentation/arch/s390/mm.rst=7=Virtual memory layout
 --
 Documentation/arch/s390/mm.rst-54-		     |			|
 Documentation/arch/s390/mm.rst:55:		     | identity		| phys == virt - __identity_base
 Documentation/arch/s390/mm.rst-56-		     | mapping		| virt == phys + __identity_base
 --
 Documentation/arch/s390/mm.rst-96-		     |			| KASAN tracked
 Documentation/arch/s390/mm.rst:97:		     | kernel text/data | phys == (kvirt - __kaslr_offset) +
 Documentation/arch/s390/mm.rst-98-		     |			|	  __kaslr_offset_phys
 --
 Documentation/dev-tools/kasan.rst=97=enable ``CONFIG_STACKTRACE``. To include alloc and free stack traces of affected
 Documentation/dev-tools/kasan.rst:98:physical pages, enable ``CONFIG_PAGE_OWNER`` and boot with ``page_owner=on``.
 Documentation/dev-tools/kasan.rst-99-
 --
 Documentation/devicetree/bindings/ata/ahci-platform.yaml=169=examples:
 --
 Documentation/devicetree/bindings/ata/ahci-platform.yaml-193-
 Documentation/devicetree/bindings/ata/ahci-platform.yaml:194:            phys = <&sata_phy 0>;
 Documentation/devicetree/bindings/ata/ahci-platform.yaml-195-            target-supply = <&reg_sata0>;
 --
 Documentation/devicetree/bindings/ata/ahci-platform.yaml-202-
 Documentation/devicetree/bindings/ata/ahci-platform.yaml:203:            phys = <&sata_phy 1>;
 Documentation/devicetree/bindings/ata/ahci-platform.yaml-204-            target-supply = <&reg_sata1>;
 --
 Documentation/devicetree/bindings/ata/apm,xgene-ahci.yaml=51=examples:
 --
 Documentation/devicetree/bindings/ata/apm,xgene-ahci.yaml-62-        interrupts = <0x0 0x87 0x4>;
 Documentation/devicetree/bindings/ata/apm,xgene-ahci.yaml:63:        phys = <&phy2 0>;
 Documentation/devicetree/bindings/ata/apm,xgene-ahci.yaml-64-        phy-names = "sata-phy";
 --
 Documentation/devicetree/bindings/ata/brcm,sata-brcm.yaml=68=examples:
 --
 Documentation/devicetree/bindings/ata/brcm,sata-brcm.yaml-79-            reg = <0>;
 Documentation/devicetree/bindings/ata/brcm,sata-brcm.yaml:80:            phys = <&sata_phy 0>;
 Documentation/devicetree/bindings/ata/brcm,sata-brcm.yaml-81-        };
 --
 Documentation/devicetree/bindings/ata/brcm,sata-brcm.yaml-84-            reg = <1>;
 Documentation/devicetree/bindings/ata/brcm,sata-brcm.yaml:85:            phys = <&sata_phy 1>;
 Documentation/devicetree/bindings/ata/brcm,sata-brcm.yaml-86-        };
 --
 Documentation/devicetree/bindings/ata/ceva,ahci-1v84.yaml=163=examples:
 --
 Documentation/devicetree/bindings/ata/ceva,ahci-1v84.yaml-184-        ceva,broken-gen2;
 Documentation/devicetree/bindings/ata/ceva,ahci-1v84.yaml:185:        phys = <&psgtr 1 PHY_TYPE_SATA 1 1>;
 Documentation/devicetree/bindings/ata/ceva,ahci-1v84.yaml-186-        resets = <&zynqmp_reset ZYNQMP_RESET_SATA>;
 --
 Documentation/devicetree/bindings/ata/eswin,eic7700-ahci.yaml=65=examples:
 --
 Documentation/devicetree/bindings/ata/eswin,eic7700-ahci.yaml-73-        clock-names = "pclk", "aclk";
 Documentation/devicetree/bindings/ata/eswin,eic7700-ahci.yaml:74:        phys = <&sata_phy>;
 Documentation/devicetree/bindings/ata/eswin,eic7700-ahci.yaml-75-        phy-names = "sata-phy";
 --
 Documentation/devicetree/bindings/ata/marvell,orion-sata.yaml=74=examples:
 --
 Documentation/devicetree/bindings/ata/marvell,orion-sata.yaml-79-        interrupts = <21>;
 Documentation/devicetree/bindings/ata/marvell,orion-sata.yaml:80:        phys = <&sata_phy0>, <&sata_phy1>;
 Documentation/devicetree/bindings/ata/marvell,orion-sata.yaml-81-        phy-names = "port0", "port1";
 --
 Documentation/devicetree/bindings/ata/mediatek,mtk-ahci.yaml=70=examples:
 --
 Documentation/devicetree/bindings/ata/mediatek,mtk-ahci.yaml-88-        clock-names = "ahb", "axi", "asic", "rbc", "pm";
 Documentation/devicetree/bindings/ata/mediatek,mtk-ahci.yaml:89:        phys = <&u3port1 PHY_TYPE_SATA>;
 Documentation/devicetree/bindings/ata/mediatek,mtk-ahci.yaml-90-        phy-names = "sata-phy";
 --
 Documentation/devicetree/bindings/ata/rockchip,dwc-ahci.yaml=101=examples:
 --
 Documentation/devicetree/bindings/ata/rockchip,dwc-ahci.yaml-122-        hba-port-cap = <HBA_PORT_FBSCP>;
 Documentation/devicetree/bindings/ata/rockchip,dwc-ahci.yaml:123:        phys = <&combphy0_ps PHY_TYPE_SATA>;
 Documentation/devicetree/bindings/ata/rockchip,dwc-ahci.yaml-124-        phy-names = "sata-phy";
 --
 Documentation/devicetree/bindings/ata/sata_highbank.yaml=79=examples:
 --
 Documentation/devicetree/bindings/ata/sata_highbank.yaml-85-        dma-coherent;
 Documentation/devicetree/bindings/ata/sata_highbank.yaml:86:        calxeda,port-phys = <&combophy5 0>, <&combophy0 0>, <&combophy0 1>,
 Documentation/devicetree/bindings/ata/sata_highbank.yaml-87-                             <&combophy0 2>, <&combophy0 3>;
 --
 Documentation/devicetree/bindings/ata/snps,dwc-ahci.yaml=53=examples:
 --
 Documentation/devicetree/bindings/ata/snps,dwc-ahci.yaml-68-
 Documentation/devicetree/bindings/ata/snps,dwc-ahci.yaml:69:      phys = <&sata_phy>;
 Documentation/devicetree/bindings/ata/snps,dwc-ahci.yaml-70-      phy-names = "sata-phy";
 --
 Documentation/devicetree/bindings/ata/st,ahci.yaml=52=examples:
 --
 Documentation/devicetree/bindings/ata/st,ahci.yaml-63-        interrupt-names = "hostc";
 Documentation/devicetree/bindings/ata/st,ahci.yaml:64:        phys          = <&phy_port0 PHY_TYPE_SATA>;
 Documentation/devicetree/bindings/ata/st,ahci.yaml-65-        phy-names     = "sata-phy";
 --
 Documentation/devicetree/bindings/bus/fsl,imx8qxp-pixel-link-msi-bus.yaml=89=examples:
 --
 Documentation/devicetree/bindings/bus/fsl,imx8qxp-pixel-link-msi-bus.yaml-170-                    reg = <0>;
 Documentation/devicetree/bindings/bus/fsl,imx8qxp-pixel-link-msi-bus.yaml:171:                    phys = <&mipi_lvds_0_phy>;
 Documentation/devicetree/bindings/bus/fsl,imx8qxp-pixel-link-msi-bus.yaml-172-                    phy-names = "lvds_phy";
 --
 Documentation/devicetree/bindings/bus/fsl,imx8qxp-pixel-link-msi-bus.yaml-192-                    reg = <1>;
 Documentation/devicetree/bindings/bus/fsl,imx8qxp-pixel-link-msi-bus.yaml:193:                    phys = <&mipi_lvds_0_phy>;
 Documentation/devicetree/bindings/bus/fsl,imx8qxp-pixel-link-msi-bus.yaml-194-                    phy-names = "lvds_phy";
 --
 Documentation/devicetree/bindings/display/allwinner,sun6i-a31-mipi-dsi.yaml=106=examples:
 --
 Documentation/devicetree/bindings/display/allwinner,sun6i-a31-mipi-dsi.yaml-114-        resets = <&ccu 4>;
 Documentation/devicetree/bindings/display/allwinner,sun6i-a31-mipi-dsi.yaml:115:        phys = <&dphy0>;
 Documentation/devicetree/bindings/display/allwinner,sun6i-a31-mipi-dsi.yaml-116-        phy-names = "dphy";
 --
 Documentation/devicetree/bindings/display/allwinner,sun8i-a83t-dw-hdmi.yaml=147=examples:
 --
 Documentation/devicetree/bindings/display/allwinner,sun8i-a83t-dw-hdmi.yaml-171-        reset-names = "ctrl";
 Documentation/devicetree/bindings/display/allwinner,sun8i-a83t-dw-hdmi.yaml:172:        phys = <&hdmi_phy>;
 Documentation/devicetree/bindings/display/allwinner,sun8i-a83t-dw-hdmi.yaml-173-        phy-names = "phy";
 --
 Documentation/devicetree/bindings/display/allwinner,sun8i-a83t-dw-hdmi.yaml-229-        reset-names = "ctrl", "hdcp";
 Documentation/devicetree/bindings/display/allwinner,sun8i-a83t-dw-hdmi.yaml:230:        phys = <&hdmi_phy>;
 Documentation/devicetree/bindings/display/allwinner,sun8i-a83t-dw-hdmi.yaml-231-        phy-names = "phy";
 --
 Documentation/devicetree/bindings/display/amlogic,meson-g12a-dw-mipi-dsi.yaml=84=examples:
 --
 Documentation/devicetree/bindings/display/amlogic,meson-g12a-dw-mipi-dsi.yaml-92-          clock-names = "pclk", "bit", "px";
 Documentation/devicetree/bindings/display/amlogic,meson-g12a-dw-mipi-dsi.yaml:93:          phys = <&mipi_dphy>;
 Documentation/devicetree/bindings/display/amlogic,meson-g12a-dw-mipi-dsi.yaml-94-          phy-names = "dphy";
 --
 Documentation/devicetree/bindings/display/bridge/cdns,dsi.yaml=105=examples:
 --
 Documentation/devicetree/bindings/display/bridge/cdns,dsi.yaml-116-            interrupts = <1>;
 Documentation/devicetree/bindings/display/bridge/cdns,dsi.yaml:117:            phys = <&dphy0>;
 Documentation/devicetree/bindings/display/bridge/cdns,dsi.yaml-118-            phy-names = "dphy";
 --
 Documentation/devicetree/bindings/display/bridge/cdns,dsi.yaml-153-            interrupts = <1>;
 Documentation/devicetree/bindings/display/bridge/cdns,dsi.yaml:154:            phys = <&dphy1>;
 Documentation/devicetree/bindings/display/bridge/cdns,dsi.yaml-155-            phy-names = "dphy";
 --
 Documentation/devicetree/bindings/display/bridge/cdns,mhdp8546.yaml=128=examples:
 --
 Documentation/devicetree/bindings/display/bridge/cdns,mhdp8546.yaml-139-            clocks = <&mhdp_clock>;
 Documentation/devicetree/bindings/display/bridge/cdns,mhdp8546.yaml:140:            phys = <&dp_phy>;
 Documentation/devicetree/bindings/display/bridge/cdns,mhdp8546.yaml-141-            phy-names = "dpphy";
 --
 Documentation/devicetree/bindings/display/bridge/fsl,imx8qxp-ldb.yaml=130=examples:
 --
 Documentation/devicetree/bindings/display/bridge/fsl,imx8qxp-ldb.yaml-145-            reg = <0>;
 Documentation/devicetree/bindings/display/bridge/fsl,imx8qxp-ldb.yaml:146:            phys = <&mipi_lvds_0_phy>;
 Documentation/devicetree/bindings/display/bridge/fsl,imx8qxp-ldb.yaml-147-            phy-names = "lvds_phy";
 --
 Documentation/devicetree/bindings/display/bridge/fsl,imx8qxp-ldb.yaml-161-            reg = <1>;
 Documentation/devicetree/bindings/display/bridge/fsl,imx8qxp-ldb.yaml:162:            phys = <&mipi_lvds_0_phy>;
 Documentation/devicetree/bindings/display/bridge/fsl,imx8qxp-ldb.yaml-163-            phy-names = "lvds_phy";
 --
 Documentation/devicetree/bindings/display/bridge/nwl-dsi.yaml=156=examples:
 --
 Documentation/devicetree/bindings/display/bridge/nwl-dsi.yaml-181-              reset-names = "byte", "dpi", "esc", "pclk";
 Documentation/devicetree/bindings/display/bridge/nwl-dsi.yaml:182:              phys = <&dphy>;
 Documentation/devicetree/bindings/display/bridge/nwl-dsi.yaml-183-              phy-names = "dphy";
 --
 Documentation/devicetree/bindings/display/bridge/samsung,mipi-dsim.yaml=266=examples:
 --
 Documentation/devicetree/bindings/display/bridge/samsung,mipi-dsim.yaml-275-        interrupts = <GIC_SPI 205 IRQ_TYPE_LEVEL_HIGH>;
 Documentation/devicetree/bindings/display/bridge/samsung,mipi-dsim.yaml:276:        phys = <&mipi_phy 1>;
 Documentation/devicetree/bindings/display/bridge/samsung,mipi-dsim.yaml-277-        phy-names = "dsim";
 --
 Documentation/devicetree/bindings/display/mediatek/mediatek,dsi.yaml=118=examples:
 --
 Documentation/devicetree/bindings/display/mediatek/mediatek,dsi.yaml-140-            resets = <&mmsys MT8183_MMSYS_SW0_RST_B_DISP_DSI0>;
 Documentation/devicetree/bindings/display/mediatek/mediatek,dsi.yaml:141:            phys = <&mipi_tx0>;
 Documentation/devicetree/bindings/display/mediatek/mediatek,dsi.yaml-142-            phy-names = "dphy";
 --
 Documentation/devicetree/bindings/display/mediatek/mediatek,hdmi.yaml=94=examples:
 --
 Documentation/devicetree/bindings/display/mediatek/mediatek,hdmi.yaml-109-        pinctrl-0 = <&hdmi_pin>;
 Documentation/devicetree/bindings/display/mediatek/mediatek,hdmi.yaml:110:        phys = <&hdmi_phy>;
 Documentation/devicetree/bindings/display/mediatek/mediatek,hdmi.yaml-111-        phy-names = "hdmi";
 --
 Documentation/devicetree/bindings/display/mediatek/mediatek,mt8195-hdmi.yaml=99=examples:
 --
 Documentation/devicetree/bindings/display/mediatek/mediatek,mt8195-hdmi.yaml-117-            interrupts = <GIC_SPI 677 IRQ_TYPE_LEVEL_HIGH 0>;
 Documentation/devicetree/bindings/display/mediatek/mediatek,mt8195-hdmi.yaml:118:            phys = <&hdmi_phy>;
 Documentation/devicetree/bindings/display/mediatek/mediatek,mt8195-hdmi.yaml-119-            phy-names = "hdmi";
 --
 Documentation/devicetree/bindings/display/msm/dp-controller.yaml=315=examples:
 --
 Documentation/devicetree/bindings/display/msm/dp-controller.yaml-343-
 Documentation/devicetree/bindings/display/msm/dp-controller.yaml:344:        phys = <&dp_phy>;
 Documentation/devicetree/bindings/display/msm/dp-controller.yaml-345-        phy-names = "dp";
 --
 Documentation/devicetree/bindings/display/msm/dsi-controller-main.yaml=421=examples:
 --
 Documentation/devicetree/bindings/display/msm/dsi-controller-main.yaml-451-
 Documentation/devicetree/bindings/display/msm/dsi-controller-main.yaml:452:        phys = <&dsi0_phy>;
 Documentation/devicetree/bindings/display/msm/dsi-controller-main.yaml-453-        phy-names = "dsi";
 --
 Documentation/devicetree/bindings/display/msm/hdmi.yaml=165=examples:
 --
 Documentation/devicetree/bindings/display/msm/hdmi.yaml-187-
 Documentation/devicetree/bindings/display/msm/hdmi.yaml:188:      phys = <&hdmi_phy>;
 Documentation/devicetree/bindings/display/msm/hdmi.yaml-189-    };
 --
 Documentation/devicetree/bindings/display/msm/hdmi.yaml-218-
 Documentation/devicetree/bindings/display/msm/hdmi.yaml:219:      phys = <&hdmi_phy>;
 Documentation/devicetree/bindings/display/msm/hdmi.yaml-220-      #sound-dai-cells = <1>;
 --
 Documentation/devicetree/bindings/display/msm/qcom,glymur-mdss.yaml=68=examples:
 --
 Documentation/devicetree/bindings/display/msm/qcom,glymur-mdss.yaml-213-
 Documentation/devicetree/bindings/display/msm/qcom,glymur-mdss.yaml:214:                phys = <&usb_1_ss0_qmpphy QMP_USB43DP_DP_PHY>;
 Documentation/devicetree/bindings/display/msm/qcom,glymur-mdss.yaml-215-                phy-names = "dp";
 --
 Documentation/devicetree/bindings/display/msm/qcom,msm8998-mdss.yaml=70=examples:
 --
 Documentation/devicetree/bindings/display/msm/qcom,msm8998-mdss.yaml-163-
 Documentation/devicetree/bindings/display/msm/qcom,msm8998-mdss.yaml:164:            phys = <&dsi0_phy>;
 Documentation/devicetree/bindings/display/msm/qcom,msm8998-mdss.yaml-165-            phy-names = "dsi";
 --
 Documentation/devicetree/bindings/display/msm/qcom,msm8998-mdss.yaml-233-
 Documentation/devicetree/bindings/display/msm/qcom,msm8998-mdss.yaml:234:            phys = <&dsi1_phy>;
 Documentation/devicetree/bindings/display/msm/qcom,msm8998-mdss.yaml-235-            phy-names = "dsi";
 --
 Documentation/devicetree/bindings/display/msm/qcom,qcm2290-mdss.yaml=80=examples:
 --
 Documentation/devicetree/bindings/display/msm/qcom,qcm2290-mdss.yaml-172-
 Documentation/devicetree/bindings/display/msm/qcom,qcm2290-mdss.yaml:173:            phys = <&dsi0_phy>;
 Documentation/devicetree/bindings/display/msm/qcom,qcm2290-mdss.yaml-174-            phy-names = "dsi";
 --
 Documentation/devicetree/bindings/display/msm/qcom,qcs8300-mdss.yaml=69=examples:
 --
 Documentation/devicetree/bindings/display/msm/qcom,qcs8300-mdss.yaml-234-                                     <&mdss_dp0_phy 1>;
 Documentation/devicetree/bindings/display/msm/qcom,qcs8300-mdss.yaml:235:            phys = <&mdss_dp0_phy>;
 Documentation/devicetree/bindings/display/msm/qcom,qcs8300-mdss.yaml-236-            phy-names = "dp";
 --
 Documentation/devicetree/bindings/display/msm/qcom,sa8775p-mdss.yaml=78=examples:
 --
 Documentation/devicetree/bindings/display/msm/qcom,sa8775p-mdss.yaml-236-            assigned-clock-parents = <&mdss0_dsi0_phy 0>, <&mdss0_dsi0_phy 1>;
 Documentation/devicetree/bindings/display/msm/qcom,sa8775p-mdss.yaml:237:            phys = <&mdss0_dsi0_phy>;
 Documentation/devicetree/bindings/display/msm/qcom,sa8775p-mdss.yaml-238-
 --
 Documentation/devicetree/bindings/display/msm/qcom,sa8775p-mdss.yaml-313-            assigned-clock-parents = <&mdss0_dsi1_phy 0>, <&mdss0_dsi1_phy 1>;
 Documentation/devicetree/bindings/display/msm/qcom,sa8775p-mdss.yaml:314:            phys = <&mdss0_dsi1_phy>;
 Documentation/devicetree/bindings/display/msm/qcom,sa8775p-mdss.yaml-315-
 --
 Documentation/devicetree/bindings/display/msm/qcom,sa8775p-mdss.yaml-413-
 Documentation/devicetree/bindings/display/msm/qcom,sa8775p-mdss.yaml:414:            phys = <&mdss0_dp0_phy>;
 Documentation/devicetree/bindings/display/msm/qcom,sa8775p-mdss.yaml-415-            phy-names = "dp";
 --
 Documentation/devicetree/bindings/display/msm/qcom,sar2130p-mdss.yaml=78=examples:
 --
 Documentation/devicetree/bindings/display/msm/qcom,sar2130p-mdss.yaml-225-
 Documentation/devicetree/bindings/display/msm/qcom,sar2130p-mdss.yaml:226:            phys = <&usb_dp_qmpphy QMP_USB43DP_DP_PHY>;
 Documentation/devicetree/bindings/display/msm/qcom,sar2130p-mdss.yaml-227-            phy-names = "dp";
 --
 Documentation/devicetree/bindings/display/msm/qcom,sar2130p-mdss.yaml-306-
 Documentation/devicetree/bindings/display/msm/qcom,sar2130p-mdss.yaml:307:            phys = <&mdss_dsi0_phy>;
 Documentation/devicetree/bindings/display/msm/qcom,sar2130p-mdss.yaml-308-            phy-names = "dsi";
 --
 Documentation/devicetree/bindings/display/msm/qcom,sar2130p-mdss.yaml-398-
 Documentation/devicetree/bindings/display/msm/qcom,sar2130p-mdss.yaml:399:            phys = <&mdss_dsi1_phy>;
 Documentation/devicetree/bindings/display/msm/qcom,sar2130p-mdss.yaml-400-            phy-names = "dsi";
 --
 Documentation/devicetree/bindings/display/msm/qcom,sc7180-mdss.yaml=88=examples:
 --
 Documentation/devicetree/bindings/display/msm/qcom,sc7180-mdss.yaml-188-
 Documentation/devicetree/bindings/display/msm/qcom,sc7180-mdss.yaml:189:            phys = <&dsi_phy>;
 Documentation/devicetree/bindings/display/msm/qcom,sc7180-mdss.yaml-190-            phy-names = "dsi";
 --
 Documentation/devicetree/bindings/display/msm/qcom,sc7180-mdss.yaml-272-            assigned-clock-parents = <&dp_phy 0>, <&dp_phy 1>;
 Documentation/devicetree/bindings/display/msm/qcom,sc7180-mdss.yaml:273:            phys = <&dp_phy>;
 Documentation/devicetree/bindings/display/msm/qcom,sc7180-mdss.yaml-274-            phy-names = "dp";
 --
 Documentation/devicetree/bindings/display/msm/qcom,sc7280-mdss.yaml=98=examples:
 --
 Documentation/devicetree/bindings/display/msm/qcom,sc7280-mdss.yaml-212-
 Documentation/devicetree/bindings/display/msm/qcom,sc7280-mdss.yaml:213:            phys = <&mdss_dsi_phy>;
 Documentation/devicetree/bindings/display/msm/qcom,sc7280-mdss.yaml-214-            phy-names = "dsi";
 --
 Documentation/devicetree/bindings/display/msm/qcom,sc7280-mdss.yaml-303-
 Documentation/devicetree/bindings/display/msm/qcom,sc7280-mdss.yaml:304:            phys = <&mdss_edp_phy>;
 Documentation/devicetree/bindings/display/msm/qcom,sc7280-mdss.yaml-305-            phy-names = "dp";
 --
 Documentation/devicetree/bindings/display/msm/qcom,sc7280-mdss.yaml-393-            assigned-clock-parents = <&dp_phy 0>, <&dp_phy 1>;
 Documentation/devicetree/bindings/display/msm/qcom,sc7280-mdss.yaml:394:            phys = <&dp_phy>;
 Documentation/devicetree/bindings/display/msm/qcom,sc7280-mdss.yaml-395-            phy-names = "dp";
 --
 Documentation/devicetree/bindings/display/msm/qcom,sc8180x-mdss.yaml=85=examples:
 --
 Documentation/devicetree/bindings/display/msm/qcom,sc8180x-mdss.yaml-224-
 Documentation/devicetree/bindings/display/msm/qcom,sc8180x-mdss.yaml:225:            phys = <&dsi0_phy>;
 Documentation/devicetree/bindings/display/msm/qcom,sc8180x-mdss.yaml-226-            phy-names = "dsi";
 --
 Documentation/devicetree/bindings/display/msm/qcom,sc8180x-mdss.yaml-315-
 Documentation/devicetree/bindings/display/msm/qcom,sc8180x-mdss.yaml:316:            phys = <&dsi1_phy>;
 Documentation/devicetree/bindings/display/msm/qcom,sc8180x-mdss.yaml-317-            phy-names = "dsi";
 --
 Documentation/devicetree/bindings/display/msm/qcom,sdm670-mdss.yaml=80=examples:
 --
 Documentation/devicetree/bindings/display/msm/qcom,sdm670-mdss.yaml-178-
 Documentation/devicetree/bindings/display/msm/qcom,sdm670-mdss.yaml:179:            phys = <&mdss_dsi0_phy>;
 Documentation/devicetree/bindings/display/msm/qcom,sdm670-mdss.yaml-180-            phy-names = "dsi";
 --
 Documentation/devicetree/bindings/display/msm/qcom,sdm670-mdss.yaml-248-
 Documentation/devicetree/bindings/display/msm/qcom,sdm670-mdss.yaml:249:            phys = <&dsi1_phy>;
 Documentation/devicetree/bindings/display/msm/qcom,sdm670-mdss.yaml-250-            phy-names = "dsi";
 --
 Documentation/devicetree/bindings/display/msm/qcom,sdm845-mdss.yaml=82=examples:
 --
 Documentation/devicetree/bindings/display/msm/qcom,sdm845-mdss.yaml-174-
 Documentation/devicetree/bindings/display/msm/qcom,sdm845-mdss.yaml:175:            phys = <&dsi0_phy>;
 Documentation/devicetree/bindings/display/msm/qcom,sdm845-mdss.yaml-176-            phy-names = "dsi";
 --
 Documentation/devicetree/bindings/display/msm/qcom,sdm845-mdss.yaml-244-
 Documentation/devicetree/bindings/display/msm/qcom,sdm845-mdss.yaml:245:            phys = <&dsi1_phy>;
 Documentation/devicetree/bindings/display/msm/qcom,sdm845-mdss.yaml-246-            phy-names = "dsi";
 --
 Documentation/devicetree/bindings/display/msm/qcom,sm6115-mdss.yaml=78=examples:
 --
 Documentation/devicetree/bindings/display/msm/qcom,sm6115-mdss.yaml-162-            power-domains = <&rpmpd SM6115_VDDCX>;
 Documentation/devicetree/bindings/display/msm/qcom,sm6115-mdss.yaml:163:            phys = <&dsi0_phy>;
 Documentation/devicetree/bindings/display/msm/qcom,sm6115-mdss.yaml-164-
 --
 Documentation/devicetree/bindings/display/msm/qcom,sm6125-mdss.yaml=76=examples:
 --
 Documentation/devicetree/bindings/display/msm/qcom,sm6125-mdss.yaml-176-
 Documentation/devicetree/bindings/display/msm/qcom,sm6125-mdss.yaml:177:            phys = <&mdss_dsi0_phy>;
 Documentation/devicetree/bindings/display/msm/qcom,sm6125-mdss.yaml-178-            phy-names = "dsi";
 --
 Documentation/devicetree/bindings/display/msm/qcom,sm6150-mdss.yaml=80=examples:
 --
 Documentation/devicetree/bindings/display/msm/qcom,sm6150-mdss.yaml-204-
 Documentation/devicetree/bindings/display/msm/qcom,sm6150-mdss.yaml:205:            phys = <&mdss_dsi0_phy>;
 Documentation/devicetree/bindings/display/msm/qcom,sm6150-mdss.yaml-206-
 --
 Documentation/devicetree/bindings/display/msm/qcom,sm6350-mdss.yaml=85=examples:
 --
 Documentation/devicetree/bindings/display/msm/qcom,sm6350-mdss.yaml-183-
 Documentation/devicetree/bindings/display/msm/qcom,sm6350-mdss.yaml:184:            phys = <&dsi0_phy>;
 Documentation/devicetree/bindings/display/msm/qcom,sm6350-mdss.yaml-185-            phy-names = "dsi";
 --
 Documentation/devicetree/bindings/display/msm/qcom,sm6375-mdss.yaml=76=examples:
 --
 Documentation/devicetree/bindings/display/msm/qcom,sm6375-mdss.yaml-175-
 Documentation/devicetree/bindings/display/msm/qcom,sm6375-mdss.yaml:176:            phys = <&mdss_dsi0_phy>;
 Documentation/devicetree/bindings/display/msm/qcom,sm6375-mdss.yaml-177-            phy-names = "dsi";
 --
 Documentation/devicetree/bindings/display/msm/qcom,sm7150-mdss.yaml=88=examples:
 --
 Documentation/devicetree/bindings/display/msm/qcom,sm7150-mdss.yaml-245-
 Documentation/devicetree/bindings/display/msm/qcom,sm7150-mdss.yaml:246:            phys = <&mdss_dsi0_phy>;
 Documentation/devicetree/bindings/display/msm/qcom,sm7150-mdss.yaml-247-            phy-names = "dsi";
 --
 Documentation/devicetree/bindings/display/msm/qcom,sm7150-mdss.yaml-337-
 Documentation/devicetree/bindings/display/msm/qcom,sm7150-mdss.yaml:338:            phys = <&mdss_dsi1_phy>;
 Documentation/devicetree/bindings/display/msm/qcom,sm7150-mdss.yaml-339-            phy-names = "dsi";
 --
 Documentation/devicetree/bindings/display/msm/qcom,sm7150-mdss.yaml-415-
 Documentation/devicetree/bindings/display/msm/qcom,sm7150-mdss.yaml:416:            phys = <&dp_phy>;
 Documentation/devicetree/bindings/display/msm/qcom,sm7150-mdss.yaml-417-            phy-names = "dp";
 --
 Documentation/devicetree/bindings/display/msm/qcom,sm8150-mdss.yaml=85=examples:
 --
 Documentation/devicetree/bindings/display/msm/qcom,sm8150-mdss.yaml-213-
 Documentation/devicetree/bindings/display/msm/qcom,sm8150-mdss.yaml:214:            phys = <&dsi0_phy>;
 Documentation/devicetree/bindings/display/msm/qcom,sm8150-mdss.yaml-215-            phy-names = "dsi";
 --
 Documentation/devicetree/bindings/display/msm/qcom,sm8150-mdss.yaml-303-
 Documentation/devicetree/bindings/display/msm/qcom,sm8150-mdss.yaml:304:            phys = <&dsi1_phy>;
 Documentation/devicetree/bindings/display/msm/qcom,sm8150-mdss.yaml-305-            phy-names = "dsi";
 --
 Documentation/devicetree/bindings/display/msm/qcom,sm8250-mdss.yaml=88=examples:
 --
 Documentation/devicetree/bindings/display/msm/qcom,sm8250-mdss.yaml-216-
 Documentation/devicetree/bindings/display/msm/qcom,sm8250-mdss.yaml:217:            phys = <&dsi0_phy>;
 Documentation/devicetree/bindings/display/msm/qcom,sm8250-mdss.yaml-218-            phy-names = "dsi";
 --
 Documentation/devicetree/bindings/display/msm/qcom,sm8250-mdss.yaml-306-
 Documentation/devicetree/bindings/display/msm/qcom,sm8250-mdss.yaml:307:            phys = <&dsi1_phy>;
 Documentation/devicetree/bindings/display/msm/qcom,sm8250-mdss.yaml-308-            phy-names = "dsi";
 --
 Documentation/devicetree/bindings/display/msm/qcom,sm8350-mdss.yaml=89=examples:
 --
 Documentation/devicetree/bindings/display/msm/qcom,sm8350-mdss.yaml-222-
 Documentation/devicetree/bindings/display/msm/qcom,sm8350-mdss.yaml:223:            phys = <&mdss_dsi0_phy>;
 Documentation/devicetree/bindings/display/msm/qcom,sm8350-mdss.yaml-224-
 --
 Documentation/devicetree/bindings/display/msm/qcom,sm8450-mdss.yaml=80=examples:
 --
 Documentation/devicetree/bindings/display/msm/qcom,sm8450-mdss.yaml-225-
 Documentation/devicetree/bindings/display/msm/qcom,sm8450-mdss.yaml:226:            phys = <&dsi0_phy>;
 Documentation/devicetree/bindings/display/msm/qcom,sm8450-mdss.yaml-227-            phy-names = "dsi";
 --
 Documentation/devicetree/bindings/display/msm/qcom,sm8450-mdss.yaml-320-
 Documentation/devicetree/bindings/display/msm/qcom,sm8450-mdss.yaml:321:            phys = <&dsi1_phy>;
 Documentation/devicetree/bindings/display/msm/qcom,sm8450-mdss.yaml-322-            phy-names = "dsi";
 --
 Documentation/devicetree/bindings/display/msm/qcom,sm8550-mdss.yaml=84=examples:
 --
 Documentation/devicetree/bindings/display/msm/qcom,sm8550-mdss.yaml-221-
 Documentation/devicetree/bindings/display/msm/qcom,sm8550-mdss.yaml:222:            phys = <&dsi0_phy>;
 Documentation/devicetree/bindings/display/msm/qcom,sm8550-mdss.yaml-223-            phy-names = "dsi";
 --
 Documentation/devicetree/bindings/display/msm/qcom,sm8550-mdss.yaml-310-
 Documentation/devicetree/bindings/display/msm/qcom,sm8550-mdss.yaml:311:            phys = <&dsi1_phy>;
 Documentation/devicetree/bindings/display/msm/qcom,sm8550-mdss.yaml-312-            phy-names = "dsi";
 --
 Documentation/devicetree/bindings/display/msm/qcom,sm8650-mdss.yaml=77=examples:
 --
 Documentation/devicetree/bindings/display/msm/qcom,sm8650-mdss.yaml-209-
 Documentation/devicetree/bindings/display/msm/qcom,sm8650-mdss.yaml:210:            phys = <&dsi0_phy>;
 Documentation/devicetree/bindings/display/msm/qcom,sm8650-mdss.yaml-211-            phy-names = "dsi";
 --
 Documentation/devicetree/bindings/display/msm/qcom,sm8650-mdss.yaml-298-
 Documentation/devicetree/bindings/display/msm/qcom,sm8650-mdss.yaml:299:            phys = <&dsi1_phy>;
 Documentation/devicetree/bindings/display/msm/qcom,sm8650-mdss.yaml-300-            phy-names = "dsi";
 --
 Documentation/devicetree/bindings/display/msm/qcom,sm8750-mdss.yaml=77=examples:
 --
 Documentation/devicetree/bindings/display/msm/qcom,sm8750-mdss.yaml-238-
 Documentation/devicetree/bindings/display/msm/qcom,sm8750-mdss.yaml:239:                phys = <&mdss_dsi0_phy>;
 Documentation/devicetree/bindings/display/msm/qcom,sm8750-mdss.yaml-240-                phy-names = "dsi";
 --
 Documentation/devicetree/bindings/display/msm/qcom,sm8750-mdss.yaml-344-
 Documentation/devicetree/bindings/display/msm/qcom,sm8750-mdss.yaml:345:                phys = <&mdss_dsi1_phy>;
 Documentation/devicetree/bindings/display/msm/qcom,sm8750-mdss.yaml-346-                phy-names = "dsi";
 --
 Documentation/devicetree/bindings/display/msm/qcom,sm8750-mdss.yaml-423-
 Documentation/devicetree/bindings/display/msm/qcom,sm8750-mdss.yaml:424:                phys = <&usb_dp_qmpphy QMP_USB43DP_DP_PHY>;
 Documentation/devicetree/bindings/display/msm/qcom,sm8750-mdss.yaml-425-                phy-names = "dp";
 --
 Documentation/devicetree/bindings/display/msm/qcom,x1e80100-mdss.yaml=64=examples:
 --
 Documentation/devicetree/bindings/display/msm/qcom,x1e80100-mdss.yaml-204-
 Documentation/devicetree/bindings/display/msm/qcom,x1e80100-mdss.yaml:205:            phys = <&usb_1_ss0_qmpphy QMP_USB43DP_DP_PHY>;
 Documentation/devicetree/bindings/display/msm/qcom,x1e80100-mdss.yaml-206-            phy-names = "dp";
 --
 Documentation/devicetree/bindings/display/rockchip/rockchip,analogix-dp.yaml=78=examples:
 --
 Documentation/devicetree/bindings/display/rockchip/rockchip,analogix-dp.yaml-88-      clock-names = "dp", "pclk";
 Documentation/devicetree/bindings/display/rockchip/rockchip,analogix-dp.yaml:89:      phys = <&dp_phy>;
 Documentation/devicetree/bindings/display/rockchip/rockchip,analogix-dp.yaml-90-      phy-names = "dp";
 --
 Documentation/devicetree/bindings/display/rockchip/rockchip,dw-dp.yaml=100=examples:
 --
 Documentation/devicetree/bindings/display/rockchip/rockchip,dw-dp.yaml-123-        resets = <&cru SRST_DP0>;
 Documentation/devicetree/bindings/display/rockchip/rockchip,dw-dp.yaml:124:        phys = <&usbdp_phy0 PHY_TYPE_DP>;
 Documentation/devicetree/bindings/display/rockchip/rockchip,dw-dp.yaml-125-        power-domains = <&power RK3588_PD_VO0>;
 --
 Documentation/devicetree/bindings/display/rockchip/rockchip,rk3399-cdn-dp.yaml=119=examples:
 --
 Documentation/devicetree/bindings/display/rockchip/rockchip,rk3399-cdn-dp.yaml-137-            power-domains = <&power RK3399_PD_HDCP>;
 Documentation/devicetree/bindings/display/rockchip/rockchip,rk3399-cdn-dp.yaml:138:            phys = <&tcphy0_dp>, <&tcphy1_dp>;
 Documentation/devicetree/bindings/display/rockchip/rockchip,rk3399-cdn-dp.yaml-139-            resets = <&cru SRST_DPTX_SPDIF_REC>, <&cru SRST_P_UPHY0_DPTX>,
 --
 Documentation/devicetree/bindings/display/rockchip/rockchip,rk3588-dw-hdmi-qp.yaml=140=examples:
 --
 Documentation/devicetree/bindings/display/rockchip/rockchip,rk3588-dw-hdmi-qp.yaml-169-        interrupt-names = "avp", "cec", "earc", "main", "hpd";
 Documentation/devicetree/bindings/display/rockchip/rockchip,rk3588-dw-hdmi-qp.yaml:170:        phys = <&hdptxphy0>;
 Documentation/devicetree/bindings/display/rockchip/rockchip,rk3588-dw-hdmi-qp.yaml-171-        power-domains = <&power RK3588_PD_VO1>;
 --
 Documentation/devicetree/bindings/display/rockchip/rockchip,rk3588-mipi-dsi2.yaml=83=examples:
 --
 Documentation/devicetree/bindings/display/rockchip/rockchip,rk3588-mipi-dsi2.yaml-104-        power-domains = <&power RK3588_PD_VOP>;
 Documentation/devicetree/bindings/display/rockchip/rockchip,rk3588-mipi-dsi2.yaml:105:        phys = <&mipidcphy0 PHY_TYPE_DPHY>;
]
]

gemini-3-flash-preview

							input: 164522
							output: 21
							thoughts: 1637
						

**The Hunt for a Corrupted `input_dev`**

Okay, so the `grep` search for `phys.*=` was too broad. Back to square one. Let's revisit `input_devices_seq_show`. That `seq_printf` line, specifically the `dev->phys` part, is intriguing. I need to understand how that `phys` field is populated.

Aha! In `drivers/input/input.c`, the `input_dev` structure has a `phys` field, and it's a `const char *`. That's the key. If some code is directly assigning a temporary buffer to `input_dev->phys`, we have a potential problem.

Wait a second...I think I'm on to something! Over in `net/mac80211/parse.c`, the `ieee802_11_parse_elems_full` function uses a `scratch` buffer. The code stores pointers from the `scratch` buffer in `elems`, like `sub.start = elems_parse->scratch_pos`. The catch is that `ieee802_11_parse_elems_full` *returns* `elems`, and `ieee80211_inform_bss` *frees* `elems` (actually the `elems_parse` struct). So any pointer *into* that `elems_parse` struct, including `scratch`, becomes invalid after the `ieee80211_inform_bss` call. That's a classic use-after-free scenario waiting to happen.

So, the question is: does any code in `mac80211` or `cfg80211` end up assigning a pointer from `elems` (the now-invalid memory) to an `input_dev`?

Wait a minute, `ieee80211_inform_bss` is called with `cbss`. Okay, so `bss = (void *)cbss->priv`. Is there a way that `bss` can be an `input_dev`? No, that doesn't seem possible.

Okay, back to `drivers/input/input.c`. That `container_of(v, struct input_dev, node)` line, with `v` coming from `input_dev_list`. Could someone be adding a `struct ieee80211_elems_parse` to `input_dev_list`? That doesn't seem right either... `ieee80211_elems_parse` doesn't have a `node` field at the right offset, the sizes don't match.

Hold on, maybe it's not a direct insertion into `input_dev_list`. What if an `input_dev` object was freed, and then the same memory was *reused* by `mac80211`? But KASAN says the memory was actually allocated as an `ieee80211_elems_parse`. The `PID 7511` is running a crash and `PID 7472` is allocating/freeing. That crash might be important. I see a very similar bug report online, about a freed `input_dev` still hanging around in `input_dev_list`. This KASAN report is related.

The fact that KASAN says the access is to a *mac80211* object is critical. That means `input_dev_list` *contains* a pointer to memory that KASAN *thinks* is a `mac80211` object! That happens if an `input_dev` was allocated, registered, *freed without unregistering*, and then the memory was reused for an `ieee80211_elems_parse`, and then `input_devices_seq_show` hits the now-stale pointer.

But wait a minute... if the memory was reused, KASAN should show the *previous* allocation/free of the `input_dev` object. However, KASAN says: `Allocated by task 7472` ... `ieee802_11_parse_elems_full`, `Freed by task 7472` ... `ieee80211_inform_bss`. The access is *after* the free. So:

1.  `mac80211` allocates memory.
2.  `mac80211` frees memory.
3.  `input_devices_seq_show` accesses it.

That means `input_dev_list` *must* contain a pointer to *this* memory, the memory freed in step 2. The question is

no matches

map[Expression:mesh_id.*input_dev]

map[Output:]

gemini-3-flash-preview

							input: 167219
							output: 19
							thoughts: 6
						

Okay, here's my attempt at summarizing the thought process, tailored for an expert audience, and written in the first person:

**Initial Consideration: SSID Significance**

Hmm, so, what's the deal with `ssid`? It's a fundamental concept, of course, but the context here is key. Are we talking about its role in initial network discovery? Or is this about its security implications, perhaps the vulnerability of broadcasting it openly? Is it a focus on hidden SSIDs? Are we concerned about the impact of multiple overlapping SSIDs in a dense environment and how that affects channel utilization and performance? We need to delve deeper into the *why* of this question about `ssid` to properly assess its relevance. My mind has to explore this to get to the core.

no matches

map[Expression:ssid.*input_dev]

map[Output:]

gemini-3-flash-preview

							input: 167420
							output: 57
							thoughts: 1028
						

**Debugging a Kernel Crash Related to Input Devices**

Okay, so I'm chasing this kernel crash related to input devices. The first thing that popped into my head was to consider how wireless devices are handled, specifically the `wiphy` abstraction. Then I started digging. My initial exploration took me to `net/wireless/core.c`, where I noted the call to `cfg80211_register_wiphy`, but I couldn't immediately pinpoint an input device creation.

I then briefly considered the `soc_button_array.c` driver, which was a dead end. However, I found a promising lead in `net/wireless/scan.c`, where `cfg80211_inform_single_bss_data` calls `regulatory_hint_found_beacon`. Still, I need to check more.

I considered a theory about `input_dev` being part of `struct cfg80211_registered_device`, but that didn't pan out either. My attention shifted to `drivers/input/input.c`, specifically line 1092 where a path is allocated and freed. However, the crash is occurring at line 1099, so this might be relevant.

Then it clicked that `input_devices_seq_show` is called, and this is showing *all* input devices. This gives me a direction. If I can find which driver creates an input device and messes with its `phys` field, I might be on the right track.

This led me to `drivers/hid/hid-input.c`. I noticed that `input_dev->phys` is set to `hid->phys`, and `hid->phys` is set in `hid-core.c` using `snprintf` with a fixed-size buffer. This is interesting.

I also saw that the `input_dev` structure has a `name` field, and I'd be able to catch if the `name` field was also pointing to the freed memory.

I then went back to `net/mac80211/scan.c`, and noticed that `elems` is a pointer to `ieee80211_elems_parse->elems`. Then I got back to `drivers/input/input.c`, where I noticed the `input_dev` structure has a `name` field. This led me to `net/mac80211/scan.c` again.

Then I realized that `ieee802_11_parse_elems_full` is being called, which then led me to `ieee80211_inform_bss` which is called when a BSS is found. This is promising.

Back in `net/mac80211/scan.c`, I saw a data update to `bss->beacon_rate`. I also noticed that data is being copied with `memcpy` into `bss->supp_rates`.

Then I found a very suspicious thing in `net/mac80211/parse.c` which allocates memory:
```c
1031:		elems_parse = kzalloc(struct_size(elems_parse, scratch, scratch_len),
1032:				      GFP_ATOMIC);
```
Here, the `scratch` buffer is used for de-fragmentation.

Then I noticed that `ieee80211_mle_defrag_reconf` is called. It looks like this is where the error might be, so I need to dig into it.

map[ContextFile:net/mac80211/parse.c IncludeLines:true Name:ieee80211_mle_defrag_reconf]

map[SourceCode: 973:	static void
 974:	ieee80211_mle_defrag_reconf(struct ieee80211_elems_parse *elems_parse)
 975:	{
 976:		struct ieee802_11_elems *elems = &elems_parse->elems;
 977:		ssize_t ml_len;
 978:	
 979:		ml_len = cfg80211_defragment_element(elems_parse->ml_reconf_elem,
 980:						     elems->ie_start,
 981:						     elems->total_len,
 982:						     elems_parse->scratch_pos,
 983:						     elems_parse->scratch +
 984:							elems_parse->scratch_len -
 985:							elems_parse->scratch_pos,
 986:						     WLAN_EID_FRAGMENT);
 987:		if (ml_len < 0)
 988:			return;
 989:		elems->ml_reconf = (void *)elems_parse->scratch_pos;
 990:		elems->ml_reconf_len = ml_len;
 991:		elems_parse->scratch_pos += ml_len;
 992:	}
 SourceFile:net/mac80211/parse.c]

gemini-3-flash-preview

							input: 169649
							output: 58
							thoughts: 436
						

**Analyzing a Potential Memory Corruption Issue**

Okay, so I'm looking at this function that's supposed to defragment an element and store a pointer. Seems straightforward enough, placing it into the `scratch` buffer. But then I see that `elems` is freed at the end of `ieee80211_inform_bss`. That’s a red flag! Memory being freed is usually where things go sideways.

Aha! I found where `elems` is freed, right here in `net/mac80211/scan.c`: `kfree(elems)`. This is freeing the entire `ieee80211_elems_parse` object.

But now I have another problem, it seems that `input_devices_seq_show` is accessing this memory after it's been freed. That means some `input_dev` has its `phys` field pointing to this memory, which is bad news.

Wait... I just saw something potentially very suspicious in `drivers/input/input.c`. The `input_dev` structure has a `dev` field, and it's a `struct device`. A `struct device` has a `parent` field, which is interesting.

Now I remember! In `net/mac80211/main.c`, there's a call to `ieee80211_register_hw`. Does this create an input device? It might.

Wait... I see another interesting thing in `drivers/input/input.c`. The `input_dev` structure also has a `vals` field.

And now I find this line in the `drivers/input/input.c`: `struct input_dev *dev = container_of(v, struct input_dev, node);`.

Okay, so here's my theory: what if the `input_dev` object was actually allocated as part of another larger object, and *that* object is the one being freed? Perhaps `struct ieee80211_local`? That could explain everything. Now, let's take a closer look at `struct ieee80211_local`. This could be the key!

map[ContextFile:net/mac80211/ieee80211_i.h IncludeLines:true Name:ieee80211_local]

map[SourceCode:1410:	struct ieee80211_local {
1411:		/* embed the driver visible part.
1412:		 * don't cast (use the static inlines below), but we keep
1413:		 * it first anyway so they become a no-op */
1414:		struct ieee80211_hw hw;
1415:	
1416:		struct fq fq;
1417:		struct codel_vars *cvars;
1418:		struct codel_params cparams;
1419:	
1420:		/* protects active_txqs and txqi->schedule_order */
1421:		spinlock_t active_txq_lock[IEEE80211_NUM_ACS];
1422:		struct list_head active_txqs[IEEE80211_NUM_ACS];
1423:		u16 schedule_round[IEEE80211_NUM_ACS];
1424:	
1425:		/* serializes ieee80211_handle_wake_tx_queue */
1426:		spinlock_t handle_wake_tx_queue_lock;
1427:	
1428:		u16 airtime_flags;
1429:		u32 aql_txq_limit_low[IEEE80211_NUM_ACS];
1430:		u32 aql_txq_limit_high[IEEE80211_NUM_ACS];
1431:		u32 aql_threshold;
1432:		atomic_t aql_total_pending_airtime;
1433:		atomic_t aql_ac_pending_airtime[IEEE80211_NUM_ACS];
1434:	
1435:		const struct ieee80211_ops *ops;
1436:	
1437:		/*
1438:		 * private workqueue to mac80211. mac80211 makes this accessible
1439:		 * via ieee80211_queue_work()
1440:		 */
1441:		struct workqueue_struct *workqueue;
1442:	
1443:		unsigned long queue_stop_reasons[IEEE80211_MAX_QUEUES];
1444:		int q_stop_reasons[IEEE80211_MAX_QUEUES][IEEE80211_QUEUE_STOP_REASONS];
1445:		/* also used to protect ampdu_ac_queue and amdpu_ac_stop_refcnt */
1446:		spinlock_t queue_stop_reason_lock;
1447:	
1448:		int open_count;
1449:		int monitors, virt_monitors, tx_mntrs;
1450:		/* number of interfaces with corresponding FIF_ flags */
1451:		int fif_fcsfail, fif_plcpfail, fif_control, fif_other_bss, fif_pspoll,
1452:		    fif_probe_req;
1453:		bool probe_req_reg;
1454:		bool rx_mcast_action_reg;
1455:		unsigned int filter_flags; /* FIF_* */
1456:	
1457:		struct cfg80211_chan_def dflt_chandef;
1458:		bool emulate_chanctx;
1459:	
1460:		/* protects the aggregated multicast list and filter calls */
1461:		spinlock_t filter_lock;
1462:	
1463:		/* used for uploading changed mc list */
1464:		struct wiphy_work reconfig_filter;
1465:	
1466:		/* aggregated multicast list */
1467:		struct netdev_hw_addr_list mc_list;
1468:	
1469:		bool tim_in_locked_section; /* see ieee80211_beacon_get() */
1470:	
1471:		/*
1472:		 * suspended is true if we finished all the suspend _and_ we have
1473:		 * not yet come up from resume. This is to be used by mac80211
1474:		 * to ensure driver sanity during suspend and mac80211's own
1475:		 * sanity. It can eventually be used for WoW as well.
1476:		 */
1477:		bool suspended;
1478:	
1479:		/* suspending is true during the whole suspend process */
1480:		bool suspending;
1481:	
1482:		/*
1483:		 * Resuming is true while suspended, but when we're reprogramming the
1484:		 * hardware -- at that time it's allowed to use ieee80211_queue_work()
1485:		 * again even though some other parts of the stack are still suspended
1486:		 * and we still drop received frames to avoid waking the stack.
1487:		 */
1488:		bool resuming;
1489:	
1490:		/*
1491:		 * quiescing is true during the suspend process _only_ to
1492:		 * ease timer cancelling etc.
1493:		 */
1494:		bool quiescing;
1495:	
1496:		/* device is started */
1497:		bool started;
1498:	
1499:		/* device is during a HW reconfig */
1500:		bool in_reconfig;
1501:	
1502:		/* reconfiguration failed ... suppress some warnings etc. */
1503:		bool reconfig_failure;
1504:	
1505:		/* wowlan is enabled -- don't reconfig on resume */
1506:		bool wowlan;
1507:	
1508:		struct wiphy_work radar_detected_work;
1509:	
1510:		/* number of RX chains the hardware has */
1511:		u8 rx_chains;
1512:	
1513:		/* bitmap of which sbands were copied */
1514:		u8 sband_allocated;
1515:	
1516:		int tx_headroom; /* required headroom for hardware/radiotap */
1517:	
1518:		/* Tasklet and skb queue to process calls from IRQ mode. All frames
1519:		 * added to skb_queue will be processed, but frames in
1520:		 * skb_queue_unreliable may be dropped if the total length of these
1521:		 * queues increases over the limit. */
1522:	#define IEEE80211_IRQSAFE_QUEUE_LIMIT 128
1523:		struct tasklet_struct tasklet;
1524:		struct sk_buff_head skb_queue;
1525:		struct sk_buff_head skb_queue_unreliable;
1526:	
1527:		spinlock_t rx_path_lock;
1528:	
1529:		/* Station data */
1530:		/*
1531:		 * The list, hash table and counter are protected
1532:		 * by the wiphy mutex, reads are done with RCU.
1533:		 */
1534:		spinlock_t tim_lock;
1535:		unsigned long num_sta;
1536:		struct list_head sta_list;
1537:		struct rhltable sta_hash;
1538:		struct rhltable link_sta_hash;
1539:		struct timer_list sta_cleanup;
1540:		int sta_generation;
1541:	
1542:		struct sk_buff_head pending[IEEE80211_MAX_QUEUES];
1543:		struct tasklet_struct tx_pending_tasklet;
1544:		struct tasklet_struct wake_txqs_tasklet;
1545:	
1546:		atomic_t agg_queue_stop[IEEE80211_MAX_QUEUES];
1547:	
1548:		/* number of interfaces with allmulti RX */
1549:		atomic_t iff_allmultis;
1550:	
1551:		struct rate_control_ref *rate_ctrl;
1552:	
1553:		struct arc4_ctx wep_tx_ctx;
1554:		struct arc4_ctx wep_rx_ctx;
1555:		u32 wep_iv;
1556:	
1557:		/* see iface.c */
1558:		struct list_head interfaces;
1559:		struct list_head mon_list; /* only that are IFF_UP */
1560:		struct mutex iflist_mtx;
1561:	
1562:		/* Scanning and BSS list */
1563:		unsigned long scanning;
1564:		struct cfg80211_ssid scan_ssid;
1565:		struct cfg80211_scan_request *int_scan_req;
1566:		struct cfg80211_scan_request __rcu *scan_req;
1567:		struct ieee80211_scan_request *hw_scan_req;
1568:		struct cfg80211_chan_def scan_chandef;
1569:		enum nl80211_band hw_scan_band;
1570:		int scan_channel_idx;
1571:		int scan_ies_len;
1572:		int hw_scan_ies_bufsize;
1573:		struct cfg80211_scan_info scan_info;
1574:	
1575:		struct wiphy_work sched_scan_stopped_work;
1576:		struct ieee80211_sub_if_data __rcu *sched_scan_sdata;
1577:		struct cfg80211_sched_scan_request __rcu *sched_scan_req;
1578:		u8 scan_addr[ETH_ALEN];
1579:	
1580:		unsigned long leave_oper_channel_time;
1581:		enum mac80211_scan_state next_scan_state;
1582:		struct wiphy_delayed_work scan_work;
1583:		struct ieee80211_sub_if_data __rcu *scan_sdata;
1584:	
1585:		/* Temporary remain-on-channel for off-channel operations */
1586:		struct ieee80211_channel *tmp_channel;
1587:	
1588:		/* channel contexts */
1589:		struct list_head chanctx_list;
1590:	
1591:	#ifdef CONFIG_MAC80211_LEDS
1592:		struct led_trigger tx_led, rx_led, assoc_led, radio_led;
1593:		struct led_trigger tpt_led;
1594:		atomic_t tx_led_active, rx_led_active, assoc_led_active;
1595:		atomic_t radio_led_active, tpt_led_active;
1596:		struct tpt_led_trigger *tpt_led_trigger;
1597:	#endif
1598:	
1599:	#ifdef CONFIG_MAC80211_DEBUG_COUNTERS
1600:		/* SNMP counters */
1601:		/* dot11CountersTable */
1602:		u32 dot11TransmittedFragmentCount;
1603:		u32 dot11MulticastTransmittedFrameCount;
1604:		u32 dot11FailedCount;
1605:		u32 dot11RetryCount;
1606:		u32 dot11MultipleRetryCount;
1607:		u32 dot11FrameDuplicateCount;
1608:		u32 dot11ReceivedFragmentCount;
1609:		u32 dot11MulticastReceivedFrameCount;
1610:		u32 dot11TransmittedFrameCount;
1611:	
1612:		/* TX/RX handler statistics */
1613:		unsigned int tx_handlers_queued;
1614:		unsigned int tx_handlers_drop_wep;
1615:		unsigned int tx_handlers_drop_not_assoc;
1616:		unsigned int tx_handlers_drop_unauth_port;
1617:		unsigned int rx_handlers_drop;
1618:		unsigned int rx_handlers_queued;
1619:		unsigned int rx_handlers_drop_nullfunc;
1620:		unsigned int rx_handlers_drop_defrag;
1621:		unsigned int tx_expand_skb_head;
1622:		unsigned int tx_expand_skb_head_cloned;
1623:		unsigned int rx_expand_skb_head_defrag;
1624:		unsigned int rx_handlers_fragments;
1625:		unsigned int tx_status_drop;
1626:	#define I802_DEBUG_INC(c) (c)++
1627:	#else /* CONFIG_MAC80211_DEBUG_COUNTERS */
1628:	#define I802_DEBUG_INC(c) do { } while (0)
1629:	#endif /* CONFIG_MAC80211_DEBUG_COUNTERS */
1630:	
1631:	
1632:		int total_ps_buffered; /* total number of all buffered unicast and
1633:					* multicast packets for power saving stations
1634:					*/
1635:	
1636:		bool pspolling;
1637:		/*
1638:		 * PS can only be enabled when we have exactly one managed
1639:		 * interface (and monitors) in PS, this then points there.
1640:		 */
1641:		struct ieee80211_sub_if_data *ps_sdata;
1642:		struct wiphy_work dynamic_ps_enable_work;
1643:		struct wiphy_work dynamic_ps_disable_work;
1644:		struct timer_list dynamic_ps_timer;
1645:		struct notifier_block ifa_notifier;
1646:		struct notifier_block ifa6_notifier;
1647:	
1648:		/*
1649:		 * The dynamic ps timeout configured from user space via WEXT -
1650:		 * this will override whatever chosen by mac80211 internally.
1651:		 */
1652:		int dynamic_ps_forced_timeout;
1653:	
1654:		int user_power_level; /* in dBm, for all interfaces */
1655:	
1656:		struct work_struct restart_work;
1657:	
1658:	#ifdef CONFIG_MAC80211_DEBUGFS
1659:		struct local_debugfsdentries {
1660:			struct dentry *rcdir;
1661:			struct dentry *keys;
1662:		} debugfs;
1663:		bool force_tx_status;
1664:	#endif
1665:	
1666:		/*
1667:		 * Remain-on-channel support
1668:		 */
1669:		struct wiphy_delayed_work roc_work;
1670:		struct list_head roc_list;
1671:		struct wiphy_work hw_roc_start, hw_roc_done;
1672:		unsigned long hw_roc_start_time;
1673:		u64 roc_cookie_counter;
1674:	
1675:		struct idr ack_status_frames;
1676:		spinlock_t ack_status_lock;
1677:	
1678:		/* virtual monitor interface */
1679:		struct ieee80211_sub_if_data __rcu *monitor_sdata;
1680:		struct ieee80211_chan_req monitor_chanreq;
1681:	
1682:		/* extended capabilities provided by mac80211 */
1683:		u8 ext_capa[8];
1684:	
1685:		bool wbrf_supported;
1686:	};
 SourceFile:net/mac80211/ieee80211_i.h]

gemini-3-flash-preview

							input: 175035
							output: 19
							thoughts: 62910
						

map[Actionable:true Confident:true]

map[Actionable:true Confident:true]

gemini-3-flash-preview

							input: 237981
							output: 450
							thoughts: 417
						

**Analyzing a Kernel UAF Bug**

Okay, this bug report is pretty clear, and thankfully, actionable. I can see the pieces lining up nicely.

First, the stack trace points directly to the problem: a use-after-free in `input_devices_seq_show`. That’s right where the kernel is trying to read the `phys` field of an `input_dev` structure, and it's crashing. This is happening while accessing `/proc/bus/input/devices`, so it's a relatively common path that can be easily reproduced.

Now, the allocation and free stacks are the critical piece. The memory in question – a 1KB object – was allocated and *freed* within `ieee80211_inform_bss` during a BSS scan. That's a wireless subsystem function, specifically in `net/mac80211/scan.c`. It makes sense. It's using this `ieee80211_elems_parse` object as a temporary buffer to parse Information Elements (IEs). It allocates, parses, and then *frees* it. Perfectly normal, except…

…the problem here is that someone, likely a wireless driver, has somehow assigned a pointer *inside* that temporary object to the `input_dev->phys` field. This is classic. My guess is it’s either the `scratch` buffer or a pointer to one of the parsed elements. So, when `ieee80211_inform_bss` returns and frees the `ieee80211_elems_parse` structure, the `input_dev->phys` pointer becomes a dangling pointer. This is a common pattern for kernel bugs of this type.

Bingo! The UAF is triggered when `/proc/bus/input/devices` is accessed, because it is then attempting to access that freed memory.

So, in essence, it's a wireless driver (or possibly some code inside `mac80211` or `cfg80211`) that's carelessly assigning a pointer to a temporary BSS data buffer to a persistent `input_dev` structure. The root cause is likely a classic programming error: a dangling pointer, pointing to a chunk of memory that is only alive for the short duration of a BSS scan. This is a textbook example.