Hi Mukesh,

On Mon, Apr 15, 2019 at 03:35:51PM +0530, Mukesh Ojha wrote:
>
> Hi Dmitry,
>
> Can you please have a look at this patch? It seems to be reproducing
> quite frequently.
>
> Thanks,
> Mukesh
>
> On 4/10/2019 1:29 PM, Mukesh Ojha wrote:
> > uinput_destroy_device() gets called from two places. In one place,
> > uinput_ioctl_handler(), it is protected under the lock udev->mutex,
> > but there is no protection on the udev device from being freed
> > inside uinput_release().

uinput_release() should be called when the last file handle to the uinput
instance is being dropped, so there should be no other users and thus we
can't be racing with anyone.

> >
> > This can result in an Object-Already-Free case where the uinput parent
> > device already got freed while a child is being inserted inside it.
> > That results in a double free case for the parent while kernfs_put()
> > is being done for the child in a failure path of adding a node.

Can you please describe the scenario in more detail? How do you free the
parent device while the child input device is being registered?

Thanks.

- Dmitry