diff options
| author | Jann Horn <[email protected]> | 2022-01-14 14:33:30 +0100 |
|---|---|---|
| committer | Jiri Kosina <[email protected]> | 2022-01-19 15:59:05 +0100 |
| commit | 4ea5763fb79ed89b3bdad455ebf3f33416a81624 (patch) | |
| tree | 0b0dcbdef3fa8d32b09e9a99c03729cb58eb7013 /net/lapb/lapb_in.c | |
| parent | e24aeff6db738be7ce24999a41e91299b5fe14be (diff) | |
HID: uhid: Fix worker destroying device without any protection
uhid has to run hid_add_device() from workqueue context while allowing
parallel use of the userspace API (which is protected with ->devlock).
But hid_add_device() can fail. Currently, that is handled by immediately
destroying the associated HID device, without using ->devlock - but if
there are concurrent requests from userspace, that's wrong and leads to
NULL dereferences and/or memory corruption (via use-after-free).
Fix it by leaving the HID device as-is in the worker. We can clean it up
later, either in the UHID_DESTROY command handler or in the ->release()
handler.
Cc: [email protected]
Fixes: 67f8ecc550b5 ("HID: uhid: fix timeout when probe races with IO")
Signed-off-by: Jann Horn <[email protected]>
Signed-off-by: Jiri Kosina <[email protected]>
Diffstat (limited to 'net/lapb/lapb_in.c')
0 files changed, 0 insertions, 0 deletions