[HID,0/3] Fix devm references used in HID drivers when allocating input_dev name

Message ID	20230824061308.222021-1-sergeantsagara@protonmail.com
Headers	show Return-Path: <linux-input-owner@vger.kernel.org> Date: Thu, 24 Aug 2023 06:13:52 +0000 To: linux-input@vger.kernel.org From: Rahul Rameshbabu <sergeantsagara@protonmail.com> Cc: Benjamin Tissoires <benjamin.tissoires@redhat.com>, Jiri Kosina <jikos@kernel.org>, Dmitry Torokhov <dmitry.torokhov@gmail.com>, Maxime Ripard <mripard@kernel.org>, Rahul Rameshbabu <sergeantsagara@protonmail.com> Subject: [PATCH HID 0/3] Fix devm references used in HID drivers when allocating input_dev name Message-ID: <20230824061308.222021-1-sergeantsagara@protonmail.com> Feedback-ID: 26003777:user:proton MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Precedence: bulk
Series	Fix devm references used in HID drivers when allocating input_dev name \| expand [HID,0/3] Fix devm references used in HID drivers when allocating input_dev name [HID,1/3] HID: uclogic: Correct devm device reference for hidinput input_dev name [HID,2/3] HID: multitouch: Correct devm device reference for hidinput input_dev name [HID,3/3] HID: nvidia-shield: Reference hid_device devm allocation of input_dev name

Message ID

20230824061308.222021-1-sergeantsagara@protonmail.com

Headers

Date: Thu, 24 Aug 2023 06:13:52 +0000
To: linux-input@vger.kernel.org
From: Rahul Rameshbabu <sergeantsagara@protonmail.com>
Cc: Benjamin Tissoires <benjamin.tissoires@redhat.com>,
        Jiri Kosina <jikos@kernel.org>,
        Dmitry Torokhov <dmitry.torokhov@gmail.com>,
        Maxime Ripard <mripard@kernel.org>,
        Rahul Rameshbabu <sergeantsagara@protonmail.com>
Subject: [PATCH HID 0/3] Fix devm references used in HID drivers when
 allocating input_dev name
Message-ID: <20230824061308.222021-1-sergeantsagara@protonmail.com>
Feedback-ID: 26003777:user:proton
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Precedence: bulk

Series

Fix devm references used in HID drivers when allocating input_dev name | expand

Message

Rahul Rameshbabu Aug. 24, 2023, 6:13 a.m. UTC

Maxime Ripard analyzed the following situation involving a use-after-free caused
by incorrect devres management.

1. input_dev name allocated as a resource referring to the same input_dev
instance
2. The input_dev is eventually unregistered
3. Unregistering the device first involves releasing devres managed resources
tied to the input_dev
4. A uevent is then fired for the input_dev, referencing various members of
the input_dev including the name
5. This leads to a use-after-free in the context of the triggered uevent

Dmitry Torokhov pointed out that the correct pattern for devm usage with the
input_dev would be to allocate the resource referencing the underlying device
that was probed by the driver than referencing the input subdevice instance. In
the case of hid drivers, the name resource will only be freed when devres
management reclaims resources for the hid_device. This will be after the
input_dev was unregistered and the uevent referencing the name was invoked.

This patch series applies the analysis done to correct problematic HID drivers.

Link: https://lore.kernel.org/linux-input/ZOZIZCND+L0P1wJc@penguin/T/#m443f3dce92520f74b6cf6ffa8653f9c92643d4ae

Rahul Rameshbabu (3):
HID: uclogic: Correct devm device reference for hidinput input_dev
name
HID: multitouch: Correct devm device reference for hidinput input_dev
name
HID: nvidia-shield: Reference hid_device devm allocation of input_dev
name

drivers/hid/hid-multitouch.c | 13 +++----------
drivers/hid/hid-nvidia-shield.c | 2 +-
drivers/hid/hid-uclogic-core.c | 13 +++----------
3 files changed, 7 insertions(+), 21 deletions(-)