Date: Wed, 19 Jan 2022 15:59:47 +0100 (CET)
From: Jiri Kosina
To: Jann Horn
cc: David Rheinsberg, Benjamin Tissoires, linux-input@vger.kernel.org, Roderick Colenbrander, linux-kernel@vger.kernel.org, stable@vger.kernel.org
Subject: Re: [PATCH 1/2] HID: uhid: Fix worker destroying device without any protection
In-Reply-To: <20220114133331.873057-1-jannh@google.com>
Message-ID:
References: <20220114133331.873057-1-jannh@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, 14 Jan 2022, Jann Horn wrote:

> uhid has to run hid_add_device() from workqueue context while allowing
> parallel use of the userspace API (which is protected with ->devlock).
> But hid_add_device() can fail. Currently, that is handled by immediately
> destroying the associated HID device, without using ->devlock - but if
> there are concurrent requests from userspace, that's wrong and leads to
> NULL dereferences and/or memory corruption (via use-after-free).
>
> Fix it by leaving the HID device as-is in the worker. We can clean it up
> later, either in the UHID_DESTROY command handler or in the ->release()
> handler.
>
> Cc: stable@vger.kernel.org
> Fixes: 67f8ecc550b5 ("HID: uhid: fix timeout when probe races with IO")
> Signed-off-by: Jann Horn

I've queued both patches for 5.17, thanks a lot for fixing this.

--
Jiri Kosina
SUSE Labs
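The commit message above describes a lifetime race: the worker's failure path tears the HID device down without ->devlock while a userspace request that already passed its locked state check may still be about to use ->hid. The following is an added, constructed model of that interleaving, not code from the patch or from the kernel's uhid driver: field and function names (devlock, running, hid, uhid_dev_destroy, request_begin/request_finish) are assumptions that only loosely mirror the driver, the "lock" is an owner tag rather than a mutex, and the single fixed interleaving stands in for the scheduler. It runs the same sequence against the 'before' behaviour (destroy in the worker) and the 'after' behaviour (leave the device as-is and let the lock-protected UHID_DESTROY/->release() path clean up) so the difference is observable as return values.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Constructed model of the race in the commit message above. Field names
 * loosely follow the uhid driver (devlock, running, hid); nothing here is
 * kernel code, and the "lock" is an owner tag rather than a real mutex. */
enum owner { NOBODY, HANDLER, DESTROYER };

struct hid_device { int events; };

struct uhid_device {
    enum owner devlock;        /* who holds ->devlock right now */
    bool running;              /* device usable from userspace */
    struct hid_device *hid;    /* NULL after teardown */
    int bad_derefs;            /* uses of an already-destroyed device */
    int unlocked_teardowns;    /* teardowns while someone held devlock */
};

struct outcome { int request_ret; int bad_derefs; int unlocked_teardowns; };

static void uhid_init(struct uhid_device *u)
{
    u->devlock = NOBODY;
    u->running = true;
    u->hid = calloc(1, sizeof(*u->hid));
    u->bad_derefs = u->unlocked_teardowns = 0;
}

/* 'before': hid_add_device() failed, so the worker destroys the device on
 * the spot without taking ->devlock. */
static void worker_failure_old(struct uhid_device *u)
{
    if (u->devlock != NOBODY)
        u->unlocked_teardowns++;   /* a userspace request is mid-flight */
    free(u->hid);
    u->hid = NULL;
    u->running = false;
}

/* 'after': the worker leaves the device as-is; UHID_DESTROY or ->release()
 * tears it down under the lock later. */
static void worker_failure_new(struct uhid_device *u) { (void)u; }

/* Teardown as done by UHID_DESTROY / ->release(): only with ->devlock held. */
static int uhid_dev_destroy(struct uhid_device *u)
{
    if (u->devlock != NOBODY)
        return -1;                 /* the real mutex would block here */
    u->devlock = DESTROYER;
    free(u->hid);
    u->hid = NULL;
    u->running = false;
    u->devlock = NOBODY;
    return 0;
}

/* A userspace request (e.g. UHID_INPUT2), split at the point where the
 * worker can be scheduled: locked state check first, use of ->hid second. */
static int request_begin(struct uhid_device *u)
{
    if (u->devlock != NOBODY)
        return -1;
    u->devlock = HANDLER;
    if (!u->running) {
        u->devlock = NOBODY;
        return -2;                 /* -EINVAL in the driver */
    }
    return 0;
}

static int request_finish(struct uhid_device *u)
{
    int ret = 0;
    if (u->hid)
        u->hid->events++;          /* the real code would call into HID core */
    else {
        u->bad_derefs++;           /* NULL deref / use-after-free */
        ret = -3;
    }
    u->devlock = NOBODY;
    return ret;
}

/* One fixed interleaving: request checks state under the lock, the worker's
 * failure path runs, the request continues, then UHID_DESTROY arrives. */
static struct outcome run_interleaving(void (*worker)(struct uhid_device *))
{
    struct uhid_device u;
    struct outcome o;
    uhid_init(&u);
    request_begin(&u);             /* lock held, running == true */
    worker(&u);
    o.request_ret = request_finish(&u);
    uhid_dev_destroy(&u);          /* safe: no request in flight any more */
    o.bad_derefs = u.bad_derefs;
    o.unlocked_teardowns = u.unlocked_teardowns;
    return o;
}
```

Calling run_interleaving(worker_failure_old) reports one teardown performed while a request held the lock and one dereference of the destroyed device; run_interleaving(worker_failure_new) reports neither, and the device is still freed exactly once, by the destroy path, after the request has released the lock. The point the model makes is the one the commit message relies on: the failure path does not need to clean up at all, because every owner that may legitimately free the device already serializes on ->devlock.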