git.maquefel.me Git - linux.git/commit

author	John Keeping <john@metanate.com>
	Tue, 22 Nov 2022 12:35:21 +0000 (12:35 +0000)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Sat, 31 Dec 2022 12:14:30 +0000 (13:14 +0100)
commit	d3136b79705c2e3bba9c76adc5628af0215d798e
tree	dbff41b308e75d424e7dff43685876f56dd7f749	tree \| snapshot
parent	a41c2bba7f2853d9ede8b74f2d9a080db1e8e1ed	commit \| diff

usb: gadget: f_hid: fix f_hidg lifetime vs cdev

[ Upstream commit 89ff3dfac604614287ad5aad9370c3f984ea3f4b ]

The embedded struct cdev does not have its lifetime correctly tied to
the enclosing struct f_hidg, so there is a use-after-free if /dev/hidgN
is held open while the gadget is deleted.

This can readily be replicated with libusbgx's example programs (for
conciseness - operating directly via configfs is equivalent):

gadget-hid
exec 3<> /dev/hidg0
gadget-vid-pid-remove
exec 3<&-

Pull the existing device up in to struct f_hidg and make use of the
cdev_device_{add,del}() helpers. This changes the lifetime of the
device object to match struct f_hidg, but note that it is still added
and deleted at the same time.

Fixes: 71adf1189469 ("USB: gadget: add HID gadget driver")
Tested-by: Lee Jones <lee@kernel.org>
Reviewed-by: Andrzej Pietrasiewicz <andrzej.p@collabora.com>
Reviewed-by: Lee Jones <lee@kernel.org>
Signed-off-by: John Keeping <john@metanate.com>
Link: https://lore.kernel.org/r/20221122123523.3068034-2-john@metanate.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>