On Sun, 12 Feb 2023 18:59:58 +0000, Pietro Borrello wrote:
> I noticed a recurring pattern is present in multiple hid devices in the
> Linux tree, where the LED controller of a device schedules a work_struct
> to interact with the hardware.
> The work_struct is embedded in the device structure and thus is freed
> at device removal.
>
> The issue is that a LED worker may be scheduled by a timer concurrently
> with device removal, causing the work_struct to be accessed after having
> been freed.
> I was able to trigger the issue in hid-bigbenff.c and hid-asus.c
> where the work_structs may be scheduled by the LED controller
> while the device is disconnecting, triggering use-after-frees.
> I can attach the reproducer, but it's a very simple USB configuration,
> using the /dev/raw-gadget interface with some more USB interactions
> to manage LEDs configuration and pass checks in asus_kbd_init()
> and asus_kbd_get_functions() in case of hid-asus.c.
> I triggered the issue by connecting a device and immediately
> disconnecting it, so that the remove function runs before the LED one
> which remains pending.
>
> [...]

Applied to https://git.kernel.org/pub/scm/linux/kernel/git/hid/hid.git (for-6.3/asus), thanks!

[4/5] HID: asus: use spinlock to protect concurrent accesses
      https://git.kernel.org/hid/hid/c/315c537068a1
[5/5] HID: asus: use spinlock to safely schedule workers
      https://git.kernel.org/hid/hid/c/4ab3a086d10e

Cheers,
--
Benjamin Tissoires <benjamin.tissoires@xxxxxxxxxx>
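The pattern the report describes (a timer-driven LED callback queueing a work_struct that lives inside the driver data, racing with remove) and the shape of the fix named in patch 5/5 (a spinlock-protected "removed" flag checked before scheduling, set in remove before cancel_work_sync and the free) can be seen in a small userspace model. The following is an added example, not code from hid-asus.c or from either patch: `struct kbd_leds`, `probe()`, `brightness_set_safe()`/`brightness_set_unsafe()`, the toy `schedule_work()`/`cancel_work_sync()` workqueue and the atomic-int spinlock are all hypothetical stand-ins for the kernel primitives, and the step ordering in `dangling_after_disconnect()` is a constructed interleaving, not a trace from the reproducer.

```c
/* Userspace model (added example; hypothetical names) of a work_struct
 * embedded in driver data being scheduled by an LED callback while the
 * device is removed, and of the spinlock + removed-flag fix pattern. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

struct work_struct { void (*func)(struct work_struct *); };

/* Toy workqueue standing in for the kernel's: a list of pending pointers. */
#define WQ_MAX 8
static struct work_struct *pending[WQ_MAX];
static int npending;

static void schedule_work(struct work_struct *w)
{
    for (int i = 0; i < npending; i++)
        if (pending[i] == w) return;      /* already pending, as in the kernel */
    if (npending < WQ_MAX) pending[npending++] = w;
}

static void cancel_work_sync(struct work_struct *w)
{
    int j = 0;
    for (int i = 0; i < npending; i++)
        if (pending[i] != w) pending[j++] = pending[i];
    npending = j;
}

/* Run queued work; callers must ensure every item still points at live memory. */
static int run_pending(void)
{
    int ran = 0;
    while (npending > 0) { struct work_struct *w = pending[--npending]; w->func(w); ran++; }
    return ran;
}

/* Test-and-set spinlock on an atomic int, standing in for spinlock_t. */
static void spin_lock(atomic_int *l)
{
    while (atomic_exchange_explicit(l, 1, memory_order_acquire)) ;
}
static void spin_unlock(atomic_int *l) { atomic_store_explicit(l, 0, memory_order_release); }

struct kbd_leds {
    struct work_struct work;   /* embedded, so it is freed with the driver data */
    atomic_int lock;
    bool removed;              /* set by remove() before the memory goes away */
    int writes;                /* how often the "hardware" was written */
};

#define container_of(ptr, type, member) ((type *)((char *)(ptr) - offsetof(type, member)))

static void led_work(struct work_struct *w)
{
    struct kbd_leds *led = container_of(w, struct kbd_leds, work);
    led->writes++;             /* the real driver would send a USB report here */
}

/* LED class brightness_set callback, possibly fired by a timer or trigger. */
static void brightness_set_unsafe(struct kbd_leds *led) { schedule_work(&led->work); }

static void brightness_set_safe(struct kbd_leds *led)
{
    spin_lock(&led->lock);
    if (!led->removed)         /* nothing may be queued once remove() has begun */
        schedule_work(&led->work);
    spin_unlock(&led->lock);
}

static struct kbd_leds *probe(void)
{
    struct kbd_leds *led = calloc(1, sizeof *led);
    if (!led) abort();
    led->work.func = led_work;
    atomic_init(&led->lock, 0);
    return led;
}

/* Ordinary use: one callback, one deferred hardware write. Returns writes done. */
static int normal_path_writes(void)
{
    struct kbd_leds *led = probe();
    brightness_set_safe(led);
    run_pending();
    int writes = led->writes;
    free(led);
    return writes;
}

/* Constructed interleaving of a disconnect while the LED callback keeps firing:
 * 1 callback, 2 remove() starts, 3 callback again inside remove()'s window,
 * 4 memory freed, 5 workqueue would run later. Returns how many queued items
 * point into the freed allocation (compared by address, never dereferenced);
 * nonzero means the deferred work would be a use-after-free. */
static int dangling_after_disconnect(bool fixed)
{
    struct kbd_leds *led = probe();
    uintptr_t lo = (uintptr_t)led, hi = lo + sizeof *led;
    int dangling = 0;

    (fixed ? brightness_set_safe : brightness_set_unsafe)(led);   /* 1 */
    if (fixed) {                                                  /* 2 */
        spin_lock(&led->lock);
        led->removed = true;
        spin_unlock(&led->lock);
        cancel_work_sync(&led->work);
    }
    (fixed ? brightness_set_safe : brightness_set_unsafe)(led);   /* 3 */
    free(led);                                                    /* 4 */
    for (int i = 0; i < npending; i++) {                          /* 5 */
        uintptr_t p = (uintptr_t)pending[i];
        if (p >= lo && p < hi) dangling++;
    }
    npending = 0;              /* discard rather than run stale work */
    return dangling;
}
```

The unfixed path leaves the embedded work_struct queued past the free, which is exactly the object the workqueue later dereferences; with the flag taken under the lock, a callback that races into remove()'s window is refused, and cancel_work_sync() drains anything queued before the flag was set, so nothing refers to the allocation once it is released.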