Re: [PATCH HID 0/3] Fix devm references used in HID drivers when allocating input_dev name

On Thu, 24 Aug 2023 06:13:52 +0000, Rahul Rameshbabu wrote:
> Maxime Ripard analyzed the following situation involving a use-after-free caused
> by incorrect devres management.
> 
>   1. input_dev name allocated as a resource referring to the same input_dev
>      instance
>   2. The input_dev is eventually unregistered
>   3. Unregistering the device first involves releasing devres managed resources
>      tied to the input_dev
>   4. A uevent is then fired for the input_dev, referencing various members of
>      the input_dev including the name
>   5. This leads to a use-after-free in the context of the triggered uevent
> 
> [...]

Applied to https://git.kernel.org/pub/scm/linux/kernel/git/hid/hid.git (for-6.6/devm-fixes), thanks!

[1/3] HID: uclogic: Correct devm device reference for hidinput input_dev name
      https://git.kernel.org/hid/hid/c/dd613a4e45f8
[2/3] HID: multitouch: Correct devm device reference for hidinput input_dev name
      https://git.kernel.org/hid/hid/c/479439463529
[3/3] HID: nvidia-shield: Reference hid_device devm allocation of input_dev name
      https://git.kernel.org/hid/hid/c/197d3143520f

Cheers,
-- 
Benjamin Tissoires <bentiss@xxxxxxxxxx>
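
A user-space model of the ordering in steps 1-5 of the quoted cover letter, added here as an illustration; it is not code from the patch series or from the kernel. The `toy_*` helpers, the struct names and the sample device name are constructed, and the non-stale case assumes, going by the patch titles, that the name is allocated against the hid_device instead of the input_dev.

```c
/* User-space model of the devres lifetime ordering; not kernel code. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct res { char *data; int live; struct res *next; };
struct dev { struct res *devres; };   /* device with a managed-resource list */

/* Hypothetical stand-in for a devm string allocation tied to `owner`. */
static struct res *toy_devm_strdup(struct dev *owner, const char *s)
{
    struct res *r = malloc(sizeof(*r));
    r->data = malloc(strlen(s) + 1);
    strcpy(r->data, s);
    r->live = 1;
    r->next = owner->devres;
    owner->devres = r;
    return r;
}

/* Release marks resources dead instead of free()ing, so the stale read is observable. */
static void toy_devres_release_all(struct dev *d)
{
    for (struct res *r = d->devres; r; r = r->next)
        r->live = 0;
}

/* Steps 2-4: unregister releases the input_dev's devres, then the uevent reads the name. */
static int unregister_and_uevent(struct dev *input, struct res *name)
{
    toy_devres_release_all(input);
    if (!name->live)
        return 1;                     /* step 5: name already released */
    printf("uevent NAME=%s\n", name->data);
    return 0;
}

/* Returns 1 when the uevent would touch a released name, 0 otherwise. */
int simulate(int name_on_input_dev)
{
    struct dev hid = { NULL }, input = { NULL };
    struct res *name = toy_devm_strdup(name_on_input_dev ? &input : &hid,
                                       "Constructed Pad Touch");
    int stale = unregister_and_uevent(&input, name);
    free(name->data);
    free(name);
    return stale;
}

int main(void) { printf("%d %d\n", simulate(1), simulate(0)); return 0; }
```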