On Fri, 14 Jan 2022, Jann Horn wrote:

> uhid has to run hid_add_device() from workqueue context while allowing
> parallel use of the userspace API (which is protected with ->devlock).
> But hid_add_device() can fail. Currently, that is handled by immediately
> destroying the associated HID device, without using ->devlock - but if
> there are concurrent requests from userspace, that's wrong and leads to
> NULL dereferences and/or memory corruption (via use-after-free).
>
> Fix it by leaving the HID device as-is in the worker. We can clean it up
> later, either in the UHID_DESTROY command handler or in the ->release()
> handler.
>
> Cc: stable@xxxxxxxxxxxxxxx
> Fixes: 67f8ecc550b5 ("HID: uhid: fix timeout when probe races with IO")
> Signed-off-by: Jann Horn <jannh@xxxxxxxxxx>

I've queued both patches for 5.17, thanks a lot for fixing this.

-- 
Jiri Kosina
SUSE Labs