Received: by 2002:ab2:6816:0:b0:1f9:5764:f03e with SMTP id t22csp3016858lqo; Tue, 21 May 2024 04:37:12 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCVCpLHXfzcH2Yz1jJgQFmRRAfYJzLDaIx1cWjwr75Vk6/THS39XjolvFbyPvJEhCYM3v6q6t39mR5aV0vqGzamlNAhEIobJm9QSBYFR9Q== X-Google-Smtp-Source: AGHT+IGqyZA8ztS1/o7qHdKBmbqBiXsHil6HNCk0EULkwF7utE1GT3wRjQIteuptShpTNgnHWGd+ X-Received: by 2002:a05:6102:2ac7:b0:47c:28c1:c434 with SMTP id ada2fe7eead31-48077e4345fmr33300982137.26.1716291431885; Tue, 21 May 2024 04:37:11 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1716291431; cv=pass; d=google.com; s=arc-20160816; b=w4j2J/P1qQlEfQBSNU4WlhK/k+WgpyX7BQMxBulG0VTzjilR9o7bxBChUTJ0zs/n2b gPIhz7xWp4ACOoQl711RcYSsaenO5SSrKjOPDADO6DacF9BRqb/tBt5gVoyUC67ckCE/ qWHkEy3ZQzdNbaySbi/IYJr9TDS+G4jlqGg8H+zSovcB7yE0egFl/qkBd5Hw+siejpp1 SW6Nxdjg4rNDCuDXioHacKxqW1SCY3w1w3qNem8q3e169j69wEBTn3HVEz2lUnpHA0tV 1VhZytOTcsDVKogRsc0j6hPKcod2MWaEQGGtDkKNX9OTpeCmF1GuN/dHoiJvxg5GwG1o uT9Q== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:message-id:date:subject:cc:to :from; bh=gebPUC3zD5IY+Pwf6+tC/dPS0+EjK9Ke4MUE6JidEEU=; fh=jrZOtALl2seaTWDSBiy1rLsCtR1+U16Kqtf6n36dkew=; b=tvPHTAYh+2nIqotMBGJ6XaKUkYau4oyZ5pgrD2xtvGPhdZxzVK6rFMt5GB4vZYaBo0 3fXeqLBsIuV30iElo4iTEYRetJXgS/BJQkaMG+5ajUR1nc9+eBSMOtZ48Sz5jMlkqxh1 cDfUzkhd5acmY3Uf3hvY2c7t9wvJ/kz+65WPA10PHmezcw6kugkje1FNLZXAEsvCErow B4iYW+GjGRlCSs4l0P6UoR7maDIQ6flK3sdmPWEyiRcc00FKciw7ZS4ilI4GeoyI9pL1 qjWcYOx1sC2jOi+bGJY/QVuWIDm+DFEcoeZV18YPbtNTWgrHmFgZ5DCZ2bmu0uhbN7fk 61QQ==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; arc=pass (i=1 spf=pass spfdomain=sina.com); spf=pass (google.com: domain of linux-kernel+bounces-184885-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-184885-linux.lists.archive=gmail.com@vger.kernel.org" Return-Path: Received: from ny.mirrors.kernel.org (ny.mirrors.kernel.org. [2604:1380:45d1:ec00::1]) by mx.google.com with ESMTPS id d75a77b69052e-43e2ccc15a2si166193331cf.624.2024.05.21.04.37.11 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 21 May 2024 04:37:11 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-184885-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) client-ip=2604:1380:45d1:ec00::1; Authentication-Results: mx.google.com; arc=pass (i=1 spf=pass spfdomain=sina.com); spf=pass (google.com: domain of linux-kernel+bounces-184885-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-184885-linux.lists.archive=gmail.com@vger.kernel.org" Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ny.mirrors.kernel.org (Postfix) with ESMTPS id B11E61C2203A for ; Tue, 21 May 2024 11:37:10 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id A79DF768EE; Tue, 21 May 2024 11:36:44 +0000 (UTC) Received: from mail115-171.sinamail.sina.com.cn (mail115-171.sinamail.sina.com.cn [218.30.115.171]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 0F08C6CDA9 for ; Tue, 21 May 2024 11:36:38 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=218.30.115.171 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1716291404; cv=none; b=pd7vgaSSejJQlzZN3n0ZBSP6B/NveUVxHTMP5b6cuZz/c+MPPp7RHIcv2SMEx72fTsi546Zd13Djfkbd3Trdd8cQFlpVu7+hulrRpT2ooiWInCjKpPfVnucfXTH4FqJuIf/pWbNKm2bsv8qKoOFmB9u1ruSnOR+2KxGzupJZjZg= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1716291404; c=relaxed/simple; bh=ZQWoLegHRDJ0koVC50FV1ML2VQhF1kSaOq31Kd87KlM=; h=From:To:Cc:Subject:Date:Message-Id:MIME-Version; b=SuxQmGlAOoHiSUe0DM36PmOvs9N/U1tmsqphKCPCg96AfC8JceOdfFddPD/KhsOscOi2wB5t37JIRfU465cfNnzRibywZ119REHpxNYdQxf4C7KDTPITT+Vs1ssey8kQf1TOxeMiQImwIbzTtgcq0Fhcdc5dDeCLmFMhQAMjzMw= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=sina.com; spf=pass smtp.mailfrom=sina.com; arc=none smtp.client-ip=218.30.115.171 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=sina.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=sina.com X-SMAIL-HELO: localhost.localdomain Received: from unknown (HELO localhost.localdomain)([116.25.117.69]) by sina.com (172.16.235.25) with ESMTP id 664C873B00002956; Tue, 21 May 2024 19:36:29 +0800 (CST) X-Sender: hdanton@sina.com X-Auth-ID: hdanton@sina.com Authentication-Results: sina.com; spf=none smtp.mailfrom=hdanton@sina.com; dkim=none header.i=none; dmarc=none action=none header.from=hdanton@sina.com X-SMAIL-MID: 82644934209900 X-SMAIL-UIID: 995FF44FBFCE461097C881061510F556-20240521-193629-1 From: Hillf Danton To: linux-input@vger.kernel.org Cc: Dmitry Torokhov , Krzysztof Kozlowski , Tetsuo Handa , Linus Torvalds , linux-kernel@vger.kernel.org Subject: Input: uinput - race after request submit tiemout Date: Tue, 21 May 2024 19:36:19 +0800 Message-Id: <20240521113619.2092-1-hdanton@sina.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit uinput_request_submit() uinput_ioctl_handler() --- --- wait_for_completion_timeout() case UI_END_FF_ERASE: req = uinput_request_find() uinput_request_release_slot() req->retval = ff_erase.retval; complete(&req->done); Given the race between request submit and ioctl handler, memory corruption could happen after releasing request slot.