Message ID | 20230125-hid-unregister-leds-v1-5-9a5192dcef16@diag.uniroma1.it (mailing list archive) |
---|---|
State | Superseded |
Delegated to: | Jiri Kosina |
Series | HID: manually unregister leds on device removal to prevent UAFs |
On Thursday, 26 January 2023 01:24:57 CET Pietro Borrello wrote:
> Unregister the LED controller before device removal, as
> sony_led_set_brightness() may schedule sc->state_worker
> after the structure has been freed, causing a use-after-free.
>
> Fixes: 0a286ef27852 ("HID: sony: Add LED support for Sixaxis/Dualshock3 USB")
> Signed-off-by: Pietro Borrello <borrello@diag.uniroma1.it>
> ---
> drivers/hid/hid-sony.c | 8 ++++++++
> 1 file changed, 8 insertions(+)

Reviewed-by: Sven Eckelmann <sven@narfation.org>

Thanks,
Sven

diff --git a/drivers/hid/hid-sony.c b/drivers/hid/hid-sony.c index 13125997ab5e..146677c8319c 100644 --- a/drivers/hid/hid-sony.c +++ b/drivers/hid/hid-sony.c @@ -3083,6 +3083,7 @@ static int sony_probe(struct hid_device *hdev, const struct hid_device_id *id) static void sony_remove(struct hid_device *hdev) { struct sony_sc *sc = hid_get_drvdata(hdev); + int n; if (sc->quirks & (GHL_GUITAR_PS3WIIU | GHL_GUITAR_PS4)) { del_timer_sync(&sc->ghl_poke_timer); @@ -3100,6 +3101,13 @@ static void sony_remove(struct hid_device *hdev) if (sc->hw_version_created) device_remove_file(&sc->hdev->dev, &dev_attr_hardware_version); + if (sc->quirks & SONY_LED_SUPPORT) { + for (n = 0; n < sc->led_count; n++) { + if (sc->leds[n]) + devm_led_classdev_unregister(&hdev->dev, sc->leds[n]); + } + } + sony_cancel_work_sync(sc); sony_remove_dev_list(sc);
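
Review bot: In the second hunk of sony_remove(), the new LED loop only closes the race because it runs before sony_cancel_work_sync(sc), and nothing in the code records that ordering requirement. A short comment above `if (sc->quirks & SONY_LED_SUPPORT) {` stating that the LEDs are unregistered first so that sony_led_set_brightness() can no longer schedule sc->state_worker, and that the cancel must stay after the loop, would keep a later reordering from reintroducing the use-after-free. Since the loop calls devm_led_classdev_unregister(), the LEDs are device-managed, so the commit message should also say why the automatic devm teardown comes too late and a manual unregister in remove() is needed.
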
Unregister the LED controller before device removal, as
sony_led_set_brightness() may schedule sc->state_worker
after the structure has been freed, causing a use-after-free.

Fixes: 0a286ef27852 ("HID: sony: Add LED support for Sixaxis/Dualshock3 USB")
Signed-off-by: Pietro Borrello <borrello@diag.uniroma1.it>
---
 drivers/hid/hid-sony.c | 8 ++++++++
 1 file changed, 8 insertions(+)