From: Benjamin Tissoires <benjamin.tissoires@redhat.com>
To: Rishi Gupta <gupt21@gmail.com>, Jiri Kosina <jikos@kernel.org>,
Pietro Borrello <borrello@diag.uniroma1.it>
Cc: linux-input@vger.kernel.org, linux-kernel@vger.kernel.org,
Benjamin Tissoires <benjamin.tissoires@redhat.com>
Subject: [PATCH v2] HID: mcp-2221: prevent UAF in delayed work
Date: Thu, 16 Feb 2023 11:22:58 +0100 [thread overview]
Message-ID: <20230215-wip-mcp2221-v2-1-109f71fd036e@redhat.com> (raw)
If the device is plugged/unplugged without giving time for mcp_init_work()
to complete, we might kick in the devm free code path and thus have
unavailable struct mcp_2221 while in delayed work.
Canceling the delayed_work item is enough to solve the issue, because
cancel_delayed_work_sync will prevent the work item to requeue itself.
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
---
Similar to Pietro's series, we can see the pattern in hid-mcp2221,
except that this time the ledclass is not involved.
Link: https://lore.kernel.org/linux-input/20230125-hid-unregister-leds-v4-5-7860c5763c38@diag.uniroma1.it/
---
Changes in v2:
- drop the spinlock/boolean
- Link to v1: https://lore.kernel.org/r/20230215-wip-mcp2221-v1-1-d7d1da261a5c@redhat.com
---
drivers/hid/hid-mcp2221.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/hid/hid-mcp2221.c b/drivers/hid/hid-mcp2221.c
index e61dd039354b..f74a977cf8f8 100644
--- a/drivers/hid/hid-mcp2221.c
+++ b/drivers/hid/hid-mcp2221.c
@@ -922,6 +922,9 @@ static void mcp2221_hid_unregister(void *ptr)
/* This is needed to be sure hid_hw_stop() isn't called twice by the subsystem */
static void mcp2221_remove(struct hid_device *hdev)
{
+ struct mcp2221 *mcp = hid_get_drvdata(hdev);
+
+ cancel_delayed_work_sync(&mcp->init_work);
}
#if IS_REACHABLE(CONFIG_IIO)
---
base-commit: d883fd110dc17308a1506c5bf17e00ce9fe7b2a2
change-id: 20230215-wip-mcp2221-979d4115efb5
Best regards,
--
Benjamin Tissoires <benjamin.tissoires@redhat.com>
next reply other threads:[~2023-02-16 10:23 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-02-16 10:22 Benjamin Tissoires [this message]
2023-02-20 9:09 ` [PATCH v2] HID: mcp-2221: prevent UAF in delayed work Jiri Kosina
2023-02-20 9:31 ` Benjamin Tissoires
2023-02-20 9:43 ` Benjamin Tissoires
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230215-wip-mcp2221-v2-1-109f71fd036e@redhat.com \
--to=benjamin.tissoires@redhat.com \
--cc=borrello@diag.uniroma1.it \
--cc=gupt21@gmail.com \
--cc=jikos@kernel.org \
--cc=linux-input@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.