Skip to content

Commit f283805

Browse files
Binary-Eatergregkh
Binary-Eater
authored and
gregkh
committed
HID: uclogic: Correct devm device reference for hidinput input_dev name
[ Upstream commit dd613a4 ] Reference the HID device rather than the input device for the devm allocation of the input_dev name. Referencing the input_dev would lead to a use-after-free when the input_dev was unregistered and subsequently fires a uevent that depends on the name. At the point of firing the uevent, the name would be freed by devres management. Use devm_kasprintf to simplify the logic for allocating memory and formatting the input_dev name string. Reported-by: syzbot+3a0ebe8a52b89c63739d@syzkaller.appspotmail.com Closes: https://lore.kernel.org/linux-input/ZOZIZCND+L0P1wJc@penguin/T/ Reported-by: Maxime Ripard <mripard@kernel.org> Closes: https://lore.kernel.org/linux-input/ZOZIZCND+L0P1wJc@penguin/T/#m443f3dce92520f74b6cf6ffa8653f9c92643d4ae Fixes: cce2dbd ("HID: uclogic: name the input nodes based on their tool") Suggested-by: Maxime Ripard <mripard@kernel.org> Suggested-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> Signed-off-by: Rahul Rameshbabu <sergeantsagara@protonmail.com> Reviewed-by: Maxime Ripard <mripard@kernel.org> Link: https://lore.kernel.org/r/20230824061308.222021-2-sergeantsagara@protonmail.com Signed-off-by: Benjamin Tissoires <bentiss@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org>
1 parent 6e59609 commit f283805

File tree

1 file changed

+3
-10
lines changed

1 file changed

+3
-10
lines changed

drivers/hid/hid-uclogic-core.c

Lines changed: 3 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -85,10 +85,8 @@ static int uclogic_input_configured(struct hid_device *hdev,
8585
{
8686
struct uclogic_drvdata *drvdata = hid_get_drvdata(hdev);
8787
struct uclogic_params *params = &drvdata->params;
88-
char *name;
8988
const char *suffix = NULL;
9089
struct hid_field *field;
91-
size_t len;
9290
size_t i;
9391
const struct uclogic_params_frame *frame;
9492

@@ -146,14 +144,9 @@ static int uclogic_input_configured(struct hid_device *hdev,
146144
}
147145
}
148146

149-
if (suffix) {
150-
len = strlen(hdev->name) + 2 + strlen(suffix);
151-
name = devm_kzalloc(&hi->input->dev, len, GFP_KERNEL);
152-
if (name) {
153-
snprintf(name, len, "%s %s", hdev->name, suffix);
154-
hi->input->name = name;
155-
}
156-
}
147+
if (suffix)
148+
hi->input->name = devm_kasprintf(&hdev->dev, GFP_KERNEL,
149+
"%s %s", hdev->name, suffix);
157150

158151
return 0;
159152
}

0 commit comments

Comments
 (0)