Maxime Ripard analyzed the following situation involving a use-after-free
caused by incorrect devres management.

1. input_dev name allocated as a resource referring to the same input_dev
   instance
2. The input_dev is eventually unregistered
3. Unregistering the device first involves releasing devres managed
   resources tied to the input_dev
4. A uevent is then fired for the input_dev, referencing various members of
   the input_dev including the name
5. This leads to a use-after-free in the context of the triggered uevent

Dmitry Torokhov pointed out that the correct pattern for devm usage with the
input_dev would be to allocate the resource referencing the underlying device
that was probed by the driver rather than referencing the input subdevice
instance. In the case of hid drivers, the name resource will only be freed
when devres management reclaims resources for the hid_device. This will be
after the input_dev was unregistered and the uevent referencing the name was
invoked.

This patch series applies the analysis done to correct problematic HID
drivers.

Link: https://lore.kernel.org/linux-input/ZOZIZCND+L0P1wJc@penguin/T/#m443f3dce92520f74b6cf6ffa8653f9c92643d4ae

Rahul Rameshbabu (3):
  HID: uclogic: Correct devm device reference for hidinput input_dev name
  HID: multitouch: Correct devm device reference for hidinput input_dev name
  HID: nvidia-shield: Reference hid_device devm allocation of input_dev name

 drivers/hid/hid-multitouch.c    | 13 +++----------
 drivers/hid/hid-nvidia-shield.c |  2 +-
 drivers/hid/hid-uclogic-core.c  | 13 +++----------
 3 files changed, 7 insertions(+), 21 deletions(-)

-- 
2.40.1
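
The ordering in steps 1 to 5 above, replayed as a userspace model. This is an added illustration, not code from the patch series or the kernel; every identifier in it (model_devm_name, model_release_all, name_live_at_uevent) is hypothetical, and the "free" is modelled with a flag so the program itself has no undefined behaviour.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Userspace model, not kernel code; all names here are hypothetical. */
#define MAX_RES 4
struct res { char buf[32]; bool live; };
struct device { struct res *res[MAX_RES]; size_t nres; };

/* Stand-in for a devm allocation: the string's lifetime is tied to 'owner'. */
static struct res *model_devm_name(struct device *owner, struct res *slot, const char *s)
{
    if (owner->nres >= MAX_RES)
        return NULL;
    snprintf(slot->buf, sizeof(slot->buf), "%s", s);
    slot->live = true;
    owner->res[owner->nres++] = slot;
    return slot;
}

/* Stand-in for devres release: everything the device owns is freed. */
static void model_release_all(struct device *dev)
{
    for (size_t i = 0; i < dev->nres; i++)
        dev->res[i]->live = false;   /* models the free without real UB */
    dev->nres = 0;
}

/* Replays steps 1-5; returns whether the name is valid when the uevent reads it. */
static bool name_live_at_uevent(bool tie_to_input_dev)
{
    struct device hid_dev = {0}, input_dev = {0};
    struct res slot = {0};
    struct res *name = model_devm_name(tie_to_input_dev ? &input_dev : &hid_dev,
                                       &slot, "constructed-name");
    if (!name)
        return false;
    model_release_all(&input_dev);    /* step 3: input_dev devres released */
    bool live = name->live;           /* step 4: uevent references the name */
    model_release_all(&hid_dev);      /* later: hid_device devres reclaimed */
    return live;
}

int main(void)
{
    printf("owner=input_dev: %d, owner=hid_device: %d\n",
           name_live_at_uevent(true), name_live_at_uevent(false));
    return 0;
}
```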