Re: [PATCH 1/2] HID: uhid: Fix worker destroying device without any protection

From: Jiri Kosina
Date: Wed Jan 19 2022 - 09:59:54 EST


On Fri, 14 Jan 2022, Jann Horn wrote:

> uhid has to run hid_add_device() from workqueue context while allowing
> parallel use of the userspace API (which is protected with ->devlock).
> But hid_add_device() can fail. Currently, that is handled by immediately
> destroying the associated HID device, without using ->devlock - but if
> there are concurrent requests from userspace, that's wrong and leads to
> NULL dereferences and/or memory corruption (via use-after-free).
>
> Fix it by leaving the HID device as-is in the worker. We can clean it up
> later, either in the UHID_DESTROY command handler or in the ->release()
> handler.
>
> Cc: stable@xxxxxxxxxxxxxxx
> Fixes: 67f8ecc550b5 ("HID: uhid: fix timeout when probe races with IO")
> Signed-off-by: Jann Horn <jannh@xxxxxxxxxx>

I've queued both patches for 5.17, thanks a lot for fixing this.

--
Jiri Kosina
SUSE Labs
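As an added example that is not part of this thread and is not the patch itself: a single-threaded userspace C model of the interleaving described in the commit message, with the pre-fix worker (tearing the HID device down without ->devlock) beside the post-fix behaviour (leave uhid->hid as-is and clean up in the UHID_DESTROY handler). hid_add_device(), hid_destroy_device(), the two handlers and the struct fields are simplified stand-ins that borrow the kernel names; the worker running concurrently on another CPU is replayed through an explicit hook so the outcome is deterministic. The actual hunks of the patch are not on this page and are not reproduced here.

```c
/* Added example, not kernel code or the uhid patch: a single-threaded model of
 * the race in the commit message. Kernel names are simplified stand-ins. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Stand-in for struct hid_device: destruction is recorded, not free()d, so a
 * later access is detected instead of corrupting memory. */
struct hid_device { bool destroyed; int reports; };

struct uhid_device {
	int devlock;            /* notional mutex: >0 means held */
	bool running;
	struct hid_device *hid;
	bool probe_fails;       /* model knob: make hid_add_device() fail */
	bool fixed;             /* model knob: worker before/after the fix */
};

static void devlock_lock(struct uhid_device *u)   { u->devlock++; }
static void devlock_unlock(struct uhid_device *u) { u->devlock--; }
static int hid_add_device(struct uhid_device *u)  { return u->probe_fails ? -ENODEV : 0; }
static void hid_destroy_device(struct hid_device *h) { h->destroyed = true; }

/* Returns -EFAULT where the kernel would dereference NULL or freed memory. */
static int hid_input_report(struct hid_device *hid)
{
	if (hid == NULL || hid->destroyed)
		return -EFAULT;
	hid->reports++;
	return 0;
}

/* Workqueue function. Before the fix a probe failure tore the device down
 * right here without ->devlock. After the fix the worker leaves uhid->hid
 * as-is and UHID_DESTROY or ->release() cleans it up under the lock. */
static void uhid_device_add_worker(struct uhid_device *uhid)
{
	if (hid_add_device(uhid) && !uhid->fixed) {
		hid_destroy_device(uhid->hid);
		uhid->hid = NULL;
		uhid->running = false;
	}
}

/* UHID_INPUT2 handler, run with ->devlock held. `interleave` is a test-only
 * hook standing for the worker being scheduled on another CPU right here. */
static int uhid_dev_input2(struct uhid_device *uhid,
			   void (*interleave)(struct uhid_device *))
{
	int ret = -EINVAL;
	devlock_lock(uhid);
	if (uhid->running) {
		struct hid_device *hid = uhid->hid; /* dangles if freed below */
		if (interleave)
			interleave(uhid);
		ret = hid_input_report(hid);
	}
	devlock_unlock(uhid);
	return ret;
}

/* UHID_DESTROY handler: the fixed variant's only teardown, under ->devlock. */
static int uhid_dev_destroy(struct uhid_device *uhid)
{
	int ret = -EINVAL;
	devlock_lock(uhid);
	if (uhid->running) {
		uhid->running = false;
		hid_destroy_device(uhid->hid);
		uhid->hid = NULL;
		ret = 0;
	}
	devlock_unlock(uhid);
	return ret;
}

struct outcome { int input_ret, destroy_ret, reports; bool hid_destroyed; };

/* Replay: userspace writes UHID_INPUT2, the worker fails hid_add_device() in
 * the middle of that write, then userspace writes UHID_DESTROY. `reports`
 * counts the input events the HID device actually received. */
static struct outcome replay(bool fixed)
{
	struct hid_device hid = { 0 };
	struct uhid_device uhid = { .running = true, .hid = &hid,
				    .probe_fails = true, .fixed = fixed };
	struct outcome o;
	o.input_ret = uhid_dev_input2(&uhid, uhid_device_add_worker);
	o.destroy_ret = uhid_dev_destroy(&uhid);
	o.reports = hid.reports;
	o.hid_destroyed = hid.destroyed;
	return o;
}

int main(void)
{
	struct outcome b = replay(false), f = replay(true);
	printf("before fix: input=%d destroy=%d\n", b.input_ret, b.destroy_ret);
	printf("after fix:  input=%d destroy=%d\n", f.input_ret, f.destroy_ret);
	return 0;
}
```

Run as-is it prints both outcomes. Before the fix the racing UHID_INPUT2 reaches a device the worker has already destroyed (-EFAULT in the model, a use-after-free in the kernel, or a NULL dereference if the pointer is loaded after the worker's `uhid->hid = NULL`), and the following UHID_DESTROY finds ->running already cleared from outside the lock. After the fix the input is delivered to the still-valid device, which is harmless, and UHID_DESTROY performs the one teardown with ->devlock held.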