
Searched hist:"4 ea5763f" (Results 1 – 1 of 1) sorted by relevance

/openbmc/linux/drivers/hid/
uhid.c 4ea5763f Fri Jan 14 07:33:30 CST 2022 Jann Horn <jannh@google.com> HID: uhid: Fix worker destroying device without any protection

uhid has to run hid_add_device() from workqueue context while allowing
parallel use of the userspace API (which is protected with ->devlock).
But hid_add_device() can fail. Currently, that is handled by immediately
destroying the associated HID device, without using ->devlock - but if
there are concurrent requests from userspace, that's wrong and leads to
NULL dereferences and/or memory corruption (via use-after-free).

Fix it by leaving the HID device as-is in the worker. We can clean it up
later, either in the UHID_DESTROY command handler or in the ->release()
handler.

Cc: stable@vger.kernel.org
Fixes: 67f8ecc550b5 ("HID: uhid: fix timeout when probe races with IO")
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>