Re: [PATCH 1/2] HID: uhid: Fix worker destroying device without any protection

On Fri, 14 Jan 2022, Jann Horn wrote:

> uhid has to run hid_add_device() from workqueue context while allowing
> parallel use of the userspace API (which is protected with ->devlock).
> But hid_add_device() can fail. Currently, that is handled by immediately
> destroying the associated HID device, without using ->devlock - but if
> there are concurrent requests from userspace, that's wrong and leads to
> NULL dereferences and/or memory corruption (via use-after-free).
> 
> Fix it by leaving the HID device as-is in the worker. We can clean it up
> later, either in the UHID_DESTROY command handler or in the ->release()
> handler.
> 
> Cc: stable@xxxxxxxxxxxxxxx
> Fixes: 67f8ecc550b5 ("HID: uhid: fix timeout when probe races with IO")
> Signed-off-by: Jann Horn <jannh@xxxxxxxxxx>

I've queued both patches for 5.17, thanks a lot for fixing this.

-- 
Jiri Kosina
SUSE Labs
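
The cleanup rule described in the quoted commit message, modelled in user space as an added example; it is not the kernel patch or uhid's own code. Apart from `devlock`, every struct and function name here is hypothetical, and a pthread mutex plus an atomic flag stand in for the kernel primitives.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdlib.h>

/* User-space model of the pattern; all names except devlock are hypothetical. */
struct model_dev {
    pthread_mutex_t devlock; /* serialises the userspace-facing API */
    atomic_bool running;     /* cleared by the worker if registration fails */
    int *hid;                /* stands in for the HID device object */
    int frees;               /* number of times hid was destroyed */
};

static void model_init(struct model_dev *d) {
    pthread_mutex_init(&d->devlock, NULL);
    atomic_init(&d->running, true);
    d->hid = calloc(1, sizeof(*d->hid));
    d->frees = 0;
}

/* Worker context, registration failed: it does not hold devlock, so it must
 * not free d->hid (an API call may be using it). It only flags the failure. */
static void model_worker_add_failed(struct model_dev *d) {
    atomic_store(&d->running, false);
}

/* API request that touches the device; safe because hid outlives the worker. */
static int model_input(struct model_dev *d, int value) {
    int ret = -1;
    pthread_mutex_lock(&d->devlock);
    if (d->hid && atomic_load(&d->running)) {
        *d->hid = value;
        ret = 0;
    }
    pthread_mutex_unlock(&d->devlock);
    return ret;
}

/* Shared by the destroy command and the release path: frees once, under devlock. */
static int model_destroy(struct model_dev *d) {
    int ret = -1;
    pthread_mutex_lock(&d->devlock);
    if (d->hid) {
        free(d->hid);
        d->hid = NULL;
        d->frees++;
        ret = 0;
    }
    pthread_mutex_unlock(&d->devlock);
    return ret;
}
```

After the worker reports failure, requests are rejected but the object stays allocated until a locked teardown path frees it exactly once.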



