Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Skip to content
Commit c429b235 authored by John Keeping's avatar John Keeping Committed by Lee Jones
Browse files

UPSTREAM: usb: gadget: f_hid: fix f_hidg lifetime vs cdev 



[ Upstream commit 89ff3dfac604614287ad5aad9370c3f984ea3f4b ]

The embedded struct cdev does not have its lifetime correctly tied to
the enclosing struct f_hidg, so there is a use-after-free if /dev/hidgN
is held open while the gadget is deleted.

This can readily be replicated with libusbgx's example programs (for
conciseness - operating directly via configfs is equivalent):

	gadget-hid
	exec 3<> /dev/hidg0
	gadget-vid-pid-remove
	exec 3<&-

Pull the existing device up in to struct f_hidg and make use of the
cdev_device_{add,del}() helpers.  This changes the lifetime of the
device object to match struct f_hidg, but note that it is still added
and deleted at the same time.

Bug: 176850153
Fixes: 71adf118 ("USB: gadget: add HID gadget driver")
Tested-by: default avatarLee Jones <lee@kernel.org>
Reviewed-by: default avatarAndrzej Pietrasiewicz <andrzej.p@collabora.com>
Reviewed-by: default avatarLee Jones <lee@kernel.org>
Signed-off-by: default avatarJohn Keeping <john@metanate.com>
Link: https://lore.kernel.org/r/20221122123523.3068034-2-john@metanate.com


Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
Signed-off-by: default avatarLee Jones <joneslee@google.com>
Change-Id: I5d37ca47c5f087d5b1b303b4e8a1614ea3f50159
Signed-off-by: default avatarLee Jones <joneslee@google.com>
parent 28b985f1
Hide whitespace changes
Inline Side-by-side
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment