From patchwork Tue Jan 31 13:08:45 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Pietro Borrello X-Patchwork-Id: 649068 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 966DEC636D3 for ; Tue, 31 Jan 2023 13:09:08 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231947AbjAaNJH (ORCPT ); Tue, 31 Jan 2023 08:09:07 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:44708 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232022AbjAaNJG (ORCPT ); Tue, 31 Jan 2023 08:09:06 -0500 Received: from mail-ej1-x62f.google.com (mail-ej1-x62f.google.com [IPv6:2a00:1450:4864:20::62f]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 0FFDE22A09 for ; Tue, 31 Jan 2023 05:09:03 -0800 (PST) Received: by mail-ej1-x62f.google.com with SMTP id p26so30208356ejx.13 for ; Tue, 31 Jan 2023 05:09:02 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=diag.uniroma1.it; s=google; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:from:to:cc:subject:date:message-id :reply-to; bh=uOYadJvP8u49K2x2oSYl+EYqiXssZ4idBGq/e4Tz9NY=; b=KDEKy6z9clzZ/yt+Ugm+vcRRWzEj90+XlSFk9eYXi6IC5nH1Ekl2y3Hm9QX1/VOyg6 KoU6Bt2QbVi12p9NEJGHVLQti9laMQw3q0XhRpn8RudSITu6ZnOGgKHs7nTwUuFy4XOk N1Lq/Rl18bZd0+9UEdChBzxmYVa5FEhjARYR8= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=uOYadJvP8u49K2x2oSYl+EYqiXssZ4idBGq/e4Tz9NY=; b=RVRP2hOJVA+H+ZRprD/lc7uc3yhw2wHyKIPybttAzH6Jj6m/uEKBzgXhSXS6mmeOwu nUudhC2NgN/b6psEnpRGdDzbe3CcqruPQv3S5TCQRone3SN/dLcxaB8WWZOlOOAJwbyb nypeIbtHWW2FMKlsMmLekttmNoGzve1cqNRFJ5RKIbkUIccJZNRAgtV3A3Bxex9oXT0V hNR7ZRPHtcxF+oOcNwVjLUEjUKEB+p4iTfuGm6rKhKuieG8Ld0tk28Xh1kJmWpRLVScI T/+08NdJnHV4JSzaM0uRJxKWrELRtwQ0Ppz3bd8GXR6LjYFN9qk/xX2q/6vpc3goXaOW g2Rw== X-Gm-Message-State: AO0yUKXNpQXAp0RRGaTIbzNrWIgFKxYhHk7wsOioB0Qze0A82UNocOHh hOWdWVDD8n312ujLjov2EQeF4A== X-Google-Smtp-Source: AK7set+TLo90zN/rggXs78IMqKvdRPq3UMM97//YKxvo/gz4hPVpUrCvA/s+uzGixpW4LfOqI22Pzg== X-Received: by 2002:a17:907:da1:b0:888:7ce4:1dc1 with SMTP id go33-20020a1709070da100b008887ce41dc1mr10015780ejc.26.1675170541590; Tue, 31 Jan 2023 05:09:01 -0800 (PST) Received: from [192.168.17.2] (wolkje-127.labs.vu.nl. [130.37.198.127]) by smtp.gmail.com with ESMTPSA id f19-20020a170906391300b0088452ca0666sm4898956eje.196.2023.01.31.05.09.00 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 31 Jan 2023 05:09:01 -0800 (PST) From: Pietro Borrello Date: Tue, 31 Jan 2023 13:08:45 +0000 Subject: [PATCH v2 1/5] HID: bigben_remove: manually unregister leds MIME-Version: 1.0 Message-Id: <20230125-hid-unregister-leds-v2-1-689cc62fc878@diag.uniroma1.it> References: <20230125-hid-unregister-leds-v2-0-689cc62fc878@diag.uniroma1.it> In-Reply-To: <20230125-hid-unregister-leds-v2-0-689cc62fc878@diag.uniroma1.it> To: Jiri Kosina , Benjamin Tissoires , Hanno Zulla , Pavel Machek , Lee Jones , Roderick Colenbrander , Sven Eckelmann Cc: linux-leds@vger.kernel.org, Cristiano Giuffrida , "Bos, H.J." , Jakob Koschel , linux-input@vger.kernel.org, linux-kernel@vger.kernel.org, Jiri Kosina , Roderick Colenbrander , Pietro Borrello X-Mailer: b4 0.11.1 X-Developer-Signature: v=1; a=ed25519-sha256; t=1675170540; l=1037; i=borrello@diag.uniroma1.it; s=20221223; h=from:subject:message-id; bh=wlU1zbXd7qFTSbVqYvqS9BOVrqglVS3eHD1ePCtISHc=; b=1S4dFJ6YtEJ88InQZSjBIJqgxbqXt+T9JIgkqoLWq0NtwsubGN/Fl9VW6G07oKHBAzx9ClO/JaNt v2JlPGwtCuiFqrHoLk9QBHzG1Seo6N4LHcIZ7c4vooOoJ+dx5t6/ X-Developer-Key: i=borrello@diag.uniroma1.it; a=ed25519; pk=4xRQbiJKehl7dFvrG33o2HpveMrwQiUPKtIlObzKmdY= Precedence: bulk List-ID: X-Mailing-List: linux-leds@vger.kernel.org Unregister the LED controllers before device removal, as bigben_set_led() may schedule bigben->worker after the structure has been freed, causing a use-after-free. Fixes: 4eb1b01de5b9 ("HID: hid-bigbenff: fix race condition for scheduled work during removal") Signed-off-by: Pietro Borrello --- drivers/hid/hid-bigbenff.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/hid/hid-bigbenff.c b/drivers/hid/hid-bigbenff.c index e8b16665860d..d3201b755595 100644 --- a/drivers/hid/hid-bigbenff.c +++ b/drivers/hid/hid-bigbenff.c @@ -306,9 +306,14 @@ static enum led_brightness bigben_get_led(struct led_classdev *led) static void bigben_remove(struct hid_device *hid) { + int n; struct bigben_device *bigben = hid_get_drvdata(hid); bigben->removed = true; + for (n = 0; n < NUM_LEDS; n++) { + if (bigben->leds[n]) + devm_led_classdev_unregister(&hid->dev, bigben->leds[n]); + } cancel_work_sync(&bigben->worker); hid_hw_stop(hid); } From patchwork Tue Jan 31 13:08:46 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Pietro Borrello X-Patchwork-Id: 650470 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7D954C64EC3 for ; Tue, 31 Jan 2023 13:09:10 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232033AbjAaNJJ (ORCPT ); Tue, 31 Jan 2023 08:09:09 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:44728 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232004AbjAaNJH (ORCPT ); Tue, 31 Jan 2023 08:09:07 -0500 Received: from mail-ej1-x632.google.com (mail-ej1-x632.google.com [IPv6:2a00:1450:4864:20::632]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id CEEC2233D2 for ; Tue, 31 Jan 2023 05:09:03 -0800 (PST) Received: by mail-ej1-x632.google.com with SMTP id hx15so21885919ejc.11 for ; Tue, 31 Jan 2023 05:09:03 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=diag.uniroma1.it; s=google; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:from:to:cc:subject:date:message-id :reply-to; bh=OtVGZ8lsHwJ47yfcKnn1bRe6oeChLHMzfzZSc6Gf3Bk=; b=pA5e7TMvW7cwu+TT7l2Hls+dk56ZZZU4LdW2+MDQ1rJPyNuoyoaIIbboW9W2vfpw1x 5kNnqcCF5WcbT8fBUpvhAIq51qswfLSi6U1lqV9+SYOI3lJkdxs2B0me5bZCn6L47cx3 TPTHTQIUwNYyT2tDWfyXmMowMwebJsuaFs+h8= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=OtVGZ8lsHwJ47yfcKnn1bRe6oeChLHMzfzZSc6Gf3Bk=; b=NrChhED3eOLo6KQxMDxY1M+oEvyKPBaoAO/19dE3wF4m7Bx3s+c9kWBk77uW0D1po7 Z1AVZVSq+J9mSe6niPrjvqJmnTc/pJPk+t6a8CIEIjsUm0lDqipvIxQbNBSRf7br9ha6 NBeH095GyEGt+SsoyCdd/pgZACPiBbxvOZBzgZEpTZH797mQmywwhqv6piyHtLb5TM0v HVF0G/5kv6GOOVVWf4MdoPWmnkDA+kLRhNQz9/8tdMTywW0Wh1wXrHGAqnGJvdAu8g43 WNTeMfCptpi6InDL/NVsYnyA1bLI2oXAdQMHSUemY+1ZBlCqVX2SejvYvAJCK+avIHaH LMyg== X-Gm-Message-State: AO0yUKXZdSaawsXAs8RtRyOoriLqCP1PVOjDtXVS5cEiWA1/573J5hsF dq251FleU10iagenuS8MQDp01w== X-Google-Smtp-Source: AK7set/Cksul47Eq5LwKVVTkjIXAKGTG73njw/C2kmdOuQ3OLYqxIfQjR7bGvW2NKfHw496llf5C4w== X-Received: by 2002:a17:907:20b0:b0:87b:d376:b850 with SMTP id pw16-20020a17090720b000b0087bd376b850mr15363396ejb.10.1675170542167; Tue, 31 Jan 2023 05:09:02 -0800 (PST) Received: from [192.168.17.2] (wolkje-127.labs.vu.nl. [130.37.198.127]) by smtp.gmail.com with ESMTPSA id f19-20020a170906391300b0088452ca0666sm4898956eje.196.2023.01.31.05.09.01 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 31 Jan 2023 05:09:01 -0800 (PST) From: Pietro Borrello Date: Tue, 31 Jan 2023 13:08:46 +0000 Subject: [PATCH v2 2/5] HID: asus_remove: manually unregister led MIME-Version: 1.0 Message-Id: <20230125-hid-unregister-leds-v2-2-689cc62fc878@diag.uniroma1.it> References: <20230125-hid-unregister-leds-v2-0-689cc62fc878@diag.uniroma1.it> In-Reply-To: <20230125-hid-unregister-leds-v2-0-689cc62fc878@diag.uniroma1.it> To: Jiri Kosina , Benjamin Tissoires , Hanno Zulla , Pavel Machek , Lee Jones , Roderick Colenbrander , Sven Eckelmann Cc: linux-leds@vger.kernel.org, Cristiano Giuffrida , "Bos, H.J." , Jakob Koschel , linux-input@vger.kernel.org, linux-kernel@vger.kernel.org, Jiri Kosina , Roderick Colenbrander , Pietro Borrello X-Mailer: b4 0.11.1 X-Developer-Signature: v=1; a=ed25519-sha256; t=1675170540; l=841; i=borrello@diag.uniroma1.it; s=20221223; h=from:subject:message-id; bh=6oFA70DnzD6hxYzPyFU4oYw2osDEjulwpyTezPO1v4g=; b=LzdPeS7nVFRpo8VU64kao203h0vMfO08dDdS4pMuCfp8K26oNi2WN4aYBXEv1EMMlBBQasjjEP2T c2hJTcoeAT73y7sOHiri1/kUbKWKBhOqOKL2ZerGBDgo+vBVjtga X-Developer-Key: i=borrello@diag.uniroma1.it; a=ed25519; pk=4xRQbiJKehl7dFvrG33o2HpveMrwQiUPKtIlObzKmdY= Precedence: bulk List-ID: X-Mailing-List: linux-leds@vger.kernel.org Unregister the LED controller before device removal, as asus_kbd_backlight_set() may schedule led->work after the structure has been freed, causing a use-after-free. Fixes: af22a610bc38 ("HID: asus: support backlight on USB keyboards") Signed-off-by: Pietro Borrello --- drivers/hid/hid-asus.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/hid/hid-asus.c b/drivers/hid/hid-asus.c index f99752b998f3..0f274c8d1bef 100644 --- a/drivers/hid/hid-asus.c +++ b/drivers/hid/hid-asus.c @@ -1122,6 +1122,7 @@ static void asus_remove(struct hid_device *hdev) if (drvdata->kbd_backlight) { drvdata->kbd_backlight->removed = true; + devm_led_classdev_unregister(&hdev->dev, &drvdata->kbd_backlight->cdev); cancel_work_sync(&drvdata->kbd_backlight->work); } From patchwork Tue Jan 31 13:08:47 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Pietro Borrello X-Patchwork-Id: 650469 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 65F31C636CC for ; Tue, 31 Jan 2023 13:09:11 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232052AbjAaNJK (ORCPT ); Tue, 31 Jan 2023 08:09:10 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:44738 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232041AbjAaNJH (ORCPT ); Tue, 31 Jan 2023 08:09:07 -0500 Received: from mail-ej1-x62f.google.com (mail-ej1-x62f.google.com [IPv6:2a00:1450:4864:20::62f]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 41D51AD39 for ; Tue, 31 Jan 2023 05:09:04 -0800 (PST) Received: by mail-ej1-x62f.google.com with SMTP id ud5so41449428ejc.4 for ; Tue, 31 Jan 2023 05:09:04 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=diag.uniroma1.it; s=google; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:from:to:cc:subject:date:message-id :reply-to; bh=eVbivV8EGu+km89gAq7ikjZD9Nt9wLtDAtt21fJbyIE=; b=pJVMbn/vZRNaPQe0/Pfzxri/P1+RByqeFUJ9/umN+VsPxL3e3/bBzc6h668t114S/u sW0RQ1vPA/6lSs5n+Rn3J70dvTRtFZbVX8QiMjDTuDt7ZIOIuevWut63gXisf4/2autT pzVkokK1srC+UOM9kbemm2181pRPbr+c1pDBU= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=eVbivV8EGu+km89gAq7ikjZD9Nt9wLtDAtt21fJbyIE=; b=WK0DS7znICgFLNelplX1wj2bm08AEJzz0WDRvjiCbhBdCggpk/4pbuT90DsqfQDfGk m/VNzxP2d2rfLHwum47K3AJanMU0H9Z6wSFfGpRyIfS4c06U2VEte4SIS+/wJm0P5oXr uQMMF7Br5xZqdt8fB3SPM9rhLXQCbpVerMu7Quilrwt3CVTsMeNWndBa86uosLkOT7SC WJmYpVbnHIBDhGU+D+bh3UTurllcXyG82j042mzJCSxy8u45fCDrhOo+uSSyFK1KUKmM HN88fFWrekozQliqIv45K77r6oklURmyEd57JXCTEx2nkSItxiZ8Uc6K3Aczj7MWsSvB CWNA== X-Gm-Message-State: AO0yUKWL1GcDrFNyQ4gqmm/zBqxXj88oZBo9gLK0W5BYprFnlZp9Ob0A shvbAmP60ciGxBKGOubIPLNfRw== X-Google-Smtp-Source: AK7set8/dsb0DwLaEBtLxuVxd2bPqNpGLBTx6byaW3iLpH0RJzEEdVF24gASNLKt0q4ByhBIplGh5g== X-Received: by 2002:a17:906:208b:b0:885:d02f:d4ad with SMTP id 11-20020a170906208b00b00885d02fd4admr12778878ejq.43.1675170542716; Tue, 31 Jan 2023 05:09:02 -0800 (PST) Received: from [192.168.17.2] (wolkje-127.labs.vu.nl. [130.37.198.127]) by smtp.gmail.com with ESMTPSA id f19-20020a170906391300b0088452ca0666sm4898956eje.196.2023.01.31.05.09.02 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 31 Jan 2023 05:09:02 -0800 (PST) From: Pietro Borrello Date: Tue, 31 Jan 2023 13:08:47 +0000 Subject: [PATCH v2 3/5] HID: dualsense_remove: manually unregister leds MIME-Version: 1.0 Message-Id: <20230125-hid-unregister-leds-v2-3-689cc62fc878@diag.uniroma1.it> References: <20230125-hid-unregister-leds-v2-0-689cc62fc878@diag.uniroma1.it> In-Reply-To: <20230125-hid-unregister-leds-v2-0-689cc62fc878@diag.uniroma1.it> To: Jiri Kosina , Benjamin Tissoires , Hanno Zulla , Pavel Machek , Lee Jones , Roderick Colenbrander , Sven Eckelmann Cc: linux-leds@vger.kernel.org, Cristiano Giuffrida , "Bos, H.J." , Jakob Koschel , linux-input@vger.kernel.org, linux-kernel@vger.kernel.org, Jiri Kosina , Roderick Colenbrander , Pietro Borrello X-Mailer: b4 0.11.1 X-Developer-Signature: v=1; a=ed25519-sha256; t=1675170540; l=1556; i=borrello@diag.uniroma1.it; s=20221223; h=from:subject:message-id; bh=I/aK9DcIPRri1R7+BoQmPFot08oQLGwMbJpqlNV1B8M=; b=5sp2HxZcrnV1R0s9GQ65lRPDmAjbbTrzRLu2QOtJ2rZ+CPXfd6lM34SYzoZQTTz5wcKpPq3+C4Rz xTnnHicND5nqprX0be6N1UIrfJQbhy+wplZo58FC2enoRBiPpDC4 X-Developer-Key: i=borrello@diag.uniroma1.it; a=ed25519; pk=4xRQbiJKehl7dFvrG33o2HpveMrwQiUPKtIlObzKmdY= Precedence: bulk List-ID: X-Mailing-List: linux-leds@vger.kernel.org Unregister the LED controllers before device removal, to prevent unnecessary runs of dualsense_player_led_set_brightness(). Fixes: 8c0ab553b072 ("HID: playstation: expose DualSense player LEDs through LED class.") Signed-off-by: Pietro Borrello --- Contrary to the other patches in this series, failing to unregister the led controller does not results into a use-after-free thanks to the output_worker_initialized variable and the spinlock checks. Changes in v2: - Unregister multicolor led controller - Clarify UAF - Link to v1: https://lore.kernel.org/all/20230125-hid-unregister-leds-v1-3-9a5192dcef16@diag.uniroma1.it/ --- drivers/hid/hid-playstation.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/hid/hid-playstation.c b/drivers/hid/hid-playstation.c index 27c40894acab..f23186ca2d76 100644 --- a/drivers/hid/hid-playstation.c +++ b/drivers/hid/hid-playstation.c @@ -1503,11 +1503,17 @@ static void dualsense_remove(struct ps_device *ps_dev) { struct dualsense *ds = container_of(ps_dev, struct dualsense, base); unsigned long flags; + int i; spin_lock_irqsave(&ds->base.lock, flags); ds->output_worker_initialized = false; spin_unlock_irqrestore(&ds->base.lock, flags); + for (i = 0; i < ARRAY_SIZE(ds->player_leds); i++) + devm_led_classdev_unregister(&ps_dev->hdev->dev, &ds->player_leds[i]); + + devm_led_classdev_multicolor_unregister(&ps_dev->hdev->dev, &ds->lightbar); + cancel_work_sync(&ds->output_worker); } From patchwork Tue Jan 31 13:08:48 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Pietro Borrello X-Patchwork-Id: 649066 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1CAFDC38142 for ; Tue, 31 Jan 2023 13:09:29 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232124AbjAaNJ2 (ORCPT ); Tue, 31 Jan 2023 08:09:28 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:44744 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232051AbjAaNJZ (ORCPT ); Tue, 31 Jan 2023 08:09:25 -0500 Received: from mail-ed1-x52f.google.com (mail-ed1-x52f.google.com [IPv6:2a00:1450:4864:20::52f]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id BB6E84F343 for ; Tue, 31 Jan 2023 05:09:04 -0800 (PST) Received: by mail-ed1-x52f.google.com with SMTP id v10so14328374edi.8 for ; Tue, 31 Jan 2023 05:09:04 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=diag.uniroma1.it; s=google; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:from:to:cc:subject:date:message-id :reply-to; bh=Q79upilYUaTabLjtO3bZo14lYpmZpgLc63/mP4eG9WA=; b=Jiv6RUxvmV3Ufd8uoYWmd1situOGY4NhVV6W3e8iX/gSnI5hNoydnRNmL6pvCh8dSp 8eGfWvxqWz8zd3of7EcGBXL41UT07GSlYrxg5SjhiHyP+oXMvTPrRuVAlouhz4+y9We6 18ytUHl0u33LcDQGVwMctqXQbHTO04YiVQkmc= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=Q79upilYUaTabLjtO3bZo14lYpmZpgLc63/mP4eG9WA=; b=2Gfnd24dMr8EwY/9G+5VHbEGavyAn2TJgnl73Vyhg+QnsmkS8s81fP6TXiIitmPNCU 1LKcuQeLK3b7JgdMu92N5GoMOIiUHh8e0kZ0L87eVT+y/JsCEkr88lQfPyDRTYFo7KJ9 MyS4DPPjMBTfFILv5/JIC4FZkgAt87dVss1b6yNbo1j8FWVz2ZgCbgAztDmKZqHXfGu5 Cc3mre2YyA8VMjezHJ+PXsrOyQUDbP6NTRobO5uvD3vniTqosMqrJEo0KLkhqO18Dz0v 7WvgEgllOx/dn0FjAOP2ayX9wEtPF5TD51UhCo7FSzJqx2M01AQxMubxlf0J5+0P+ZmU /S9w== X-Gm-Message-State: AFqh2kr+CRFzA/mc3BT/SdSf5nv8F4p5YIHkovrt8PhSAmiVXSdvY+rz ssMOni1yQ9tA9x/5sdfchPItiA== X-Google-Smtp-Source: AMrXdXtiGqkeWKlRDAoIO4sROri5jyb0nQOOYcVpEPXewNUDAsDU6bDYl4l7r4L+LJVAOmVrweQMoA== X-Received: by 2002:aa7:c052:0:b0:475:dddc:374a with SMTP id k18-20020aa7c052000000b00475dddc374amr56004206edo.18.1675170543237; Tue, 31 Jan 2023 05:09:03 -0800 (PST) Received: from [192.168.17.2] (wolkje-127.labs.vu.nl. [130.37.198.127]) by smtp.gmail.com with ESMTPSA id f19-20020a170906391300b0088452ca0666sm4898956eje.196.2023.01.31.05.09.02 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 31 Jan 2023 05:09:02 -0800 (PST) From: Pietro Borrello Date: Tue, 31 Jan 2023 13:08:48 +0000 Subject: [PATCH v2 4/5] HID: dualshock4_remove: manually unregister leds MIME-Version: 1.0 Message-Id: <20230125-hid-unregister-leds-v2-4-689cc62fc878@diag.uniroma1.it> References: <20230125-hid-unregister-leds-v2-0-689cc62fc878@diag.uniroma1.it> In-Reply-To: <20230125-hid-unregister-leds-v2-0-689cc62fc878@diag.uniroma1.it> To: Jiri Kosina , Benjamin Tissoires , Hanno Zulla , Pavel Machek , Lee Jones , Roderick Colenbrander , Sven Eckelmann Cc: linux-leds@vger.kernel.org, Cristiano Giuffrida , "Bos, H.J." , Jakob Koschel , linux-input@vger.kernel.org, linux-kernel@vger.kernel.org, Jiri Kosina , Roderick Colenbrander , Pietro Borrello X-Mailer: b4 0.11.1 X-Developer-Signature: v=1; a=ed25519-sha256; t=1675170540; l=1491; i=borrello@diag.uniroma1.it; s=20221223; h=from:subject:message-id; bh=VPrVVBqqogjSwkjTCQxGFur+jXJWf031MbQaC/naVuk=; b=a5Fi08feBch0WK2QkEw6jb2k0YeWIxIy0TOvIlH4YFQDjzx5YCPMMBiXJ+X1wwE3U5mdz9JHAVyg S53Yt4moDbGRX18ytJbn1h1YkW4eu7pgIyCWWt7/3d1Y4VCSvbfP X-Developer-Key: i=borrello@diag.uniroma1.it; a=ed25519; pk=4xRQbiJKehl7dFvrG33o2HpveMrwQiUPKtIlObzKmdY= Precedence: bulk List-ID: X-Mailing-List: linux-leds@vger.kernel.org Unregister the LED controllers before device removal, to prevent unnecessary runs of dualshock4_led_set_brightness(). Fixes: 4521109a8f40 ("HID: playstation: support DualShock4 lightbar.") Signed-off-by: Pietro Borrello --- Contrary to the other patches in this series, failing to unregister the led controller does not results into a use-after-free thanks to the output_worker_initialized variable and the spinlock checks. Changes in v2: - Clarify UAF - Link to v1: https://lore.kernel.org/all/20230125-hid-unregister-leds-v1-4-9a5192dcef16@diag.uniroma1.it/ --- drivers/hid/hid-playstation.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/hid/hid-playstation.c b/drivers/hid/hid-playstation.c index f23186ca2d76..b41657842e26 100644 --- a/drivers/hid/hid-playstation.c +++ b/drivers/hid/hid-playstation.c @@ -2434,11 +2434,15 @@ static void dualshock4_remove(struct ps_device *ps_dev) { struct dualshock4 *ds4 = container_of(ps_dev, struct dualshock4, base); unsigned long flags; + int i; spin_lock_irqsave(&ds4->base.lock, flags); ds4->output_worker_initialized = false; spin_unlock_irqrestore(&ds4->base.lock, flags); + for (i = 0; i < ARRAY_SIZE(ds4->lightbar_leds); i++) + devm_led_classdev_unregister(&ps_dev->hdev->dev, &ds4->lightbar_leds[i]); + cancel_work_sync(&ds4->output_worker); if (ps_dev->hdev->product == USB_DEVICE_ID_SONY_PS4_CONTROLLER_DONGLE) From patchwork Tue Jan 31 13:08:49 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Pietro Borrello X-Patchwork-Id: 650468 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id BDC25C636D3 for ; Tue, 31 Jan 2023 13:09:29 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232134AbjAaNJ3 (ORCPT ); Tue, 31 Jan 2023 08:09:29 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:45494 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232094AbjAaNJZ (ORCPT ); Tue, 31 Jan 2023 08:09:25 -0500 Received: from mail-ej1-x62a.google.com (mail-ej1-x62a.google.com [IPv6:2a00:1450:4864:20::62a]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 676A94F358 for ; Tue, 31 Jan 2023 05:09:05 -0800 (PST) Received: by mail-ej1-x62a.google.com with SMTP id p26so30208680ejx.13 for ; Tue, 31 Jan 2023 05:09:05 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=diag.uniroma1.it; s=google; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:from:to:cc:subject:date:message-id :reply-to; bh=nSLU5NXnF595gyXxeWDSi1UUOJiT0ePoBW3kFPldqJg=; b=TgjBsUPIIAq4tN9feRGWSXFsbMEDj58nrNmhPLcm8UYtMOHOp4/0TGiQxOfrEr5e1R IjpmRHyrmvjbBOn01c4NOZnltIE5kHzrr4/H5ipgdZvT1HfDziI25QxWLil3DqTlYXbc SUELTdzKzqxqmohf9wyt67/3HN3HQX2YnoJUs= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=nSLU5NXnF595gyXxeWDSi1UUOJiT0ePoBW3kFPldqJg=; b=DQsjuKWuK508x/acpPmPNdvr/55Yo8eC0TGeiDoBNDjUPILclm6Ul/Sk4sSKDAsin0 BcSraYqddhGutMURle6PdsWu26HOQBvMWI/r0nt6Y1zhtWOUDdU5k2iwZ6MLNNKAn2VQ 7c4VULrN3i8U8BS44jXoIZhODj5DcEiOM2gzkYDA30BFob7CbzyHUtNVxJ2nPSblTXkB 7BQ9yFV2TFUrn6aR4iYhT4NdPdo2APg3c6swRPLYw1jKCIbrmVyUo+9hniOvnN1CYa6J Xj+s9ZseOJpKfdX+5WV5Ubif7dKC/PURC4LtoXCnV6bwWV93hB1RXlHCiG7HekVt3MpE q2Lw== X-Gm-Message-State: AFqh2kr/ehkZYVwv5QlJqjFUBwEPwjiJo0RxnhUlSX/Kl4Mi4wJsRhf6 XY3qAgDmq6HpxkN0YqZ4cRlRhg== X-Google-Smtp-Source: AMrXdXuJ9cWrU1GrTo9lhXJQpnCgMCNtO38vDPa2itSyQ5DYq1ObFWX83kJ8A2Kg/awK6/VUMpmpYg== X-Received: by 2002:a17:906:6846:b0:84d:2fdf:a41b with SMTP id a6-20020a170906684600b0084d2fdfa41bmr54522936ejs.50.1675170543813; Tue, 31 Jan 2023 05:09:03 -0800 (PST) Received: from [192.168.17.2] (wolkje-127.labs.vu.nl. [130.37.198.127]) by smtp.gmail.com with ESMTPSA id f19-20020a170906391300b0088452ca0666sm4898956eje.196.2023.01.31.05.09.03 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 31 Jan 2023 05:09:03 -0800 (PST) From: Pietro Borrello Date: Tue, 31 Jan 2023 13:08:49 +0000 Subject: [PATCH v2 5/5] HID: sony_remove: manually unregister leds MIME-Version: 1.0 Message-Id: <20230125-hid-unregister-leds-v2-5-689cc62fc878@diag.uniroma1.it> References: <20230125-hid-unregister-leds-v2-0-689cc62fc878@diag.uniroma1.it> In-Reply-To: <20230125-hid-unregister-leds-v2-0-689cc62fc878@diag.uniroma1.it> To: Jiri Kosina , Benjamin Tissoires , Hanno Zulla , Pavel Machek , Lee Jones , Roderick Colenbrander , Sven Eckelmann Cc: linux-leds@vger.kernel.org, Cristiano Giuffrida , "Bos, H.J." , Jakob Koschel , linux-input@vger.kernel.org, linux-kernel@vger.kernel.org, Jiri Kosina , Roderick Colenbrander , Pietro Borrello X-Mailer: b4 0.11.1 X-Developer-Signature: v=1; a=ed25519-sha256; t=1675170540; l=1360; i=borrello@diag.uniroma1.it; s=20221223; h=from:subject:message-id; bh=229FyOXnrqPun6wciRAitLA27itC/9x6aEmACwn1+hs=; b=8Ck9ho6y0MkvQj3h5QlnwTwQENcRw2KZSkxXIkbaRHd+HTbXacBdbpF7ABf3bbxtN28DrLjQFpZW TSYqKYoFCrzdxPZgCRpFzFuRuSjrIes+qSrrPtSh6ehgPH3grT0O X-Developer-Key: i=borrello@diag.uniroma1.it; a=ed25519; pk=4xRQbiJKehl7dFvrG33o2HpveMrwQiUPKtIlObzKmdY= Precedence: bulk List-ID: X-Mailing-List: linux-leds@vger.kernel.org Unregister the LED controller before device removal, as sony_led_set_brightness() may schedule sc->state_worker after the structure has been freed, causing a use-after-free. Fixes: 0a286ef27852 ("HID: sony: Add LED support for Sixaxis/Dualshock3 USB") Signed-off-by: Pietro Borrello Reviewed-by: Sven Eckelmann --- drivers/hid/hid-sony.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/drivers/hid/hid-sony.c b/drivers/hid/hid-sony.c index 13125997ab5e..146677c8319c 100644 --- a/drivers/hid/hid-sony.c +++ b/drivers/hid/hid-sony.c @@ -3083,6 +3083,7 @@ static int sony_probe(struct hid_device *hdev, const struct hid_device_id *id) static void sony_remove(struct hid_device *hdev) { struct sony_sc *sc = hid_get_drvdata(hdev); + int n; if (sc->quirks & (GHL_GUITAR_PS3WIIU | GHL_GUITAR_PS4)) { del_timer_sync(&sc->ghl_poke_timer); @@ -3100,6 +3101,13 @@ static void sony_remove(struct hid_device *hdev) if (sc->hw_version_created) device_remove_file(&sc->hdev->dev, &dev_attr_hardware_version); + if (sc->quirks & SONY_LED_SUPPORT) { + for (n = 0; n < sc->led_count; n++) { + if (sc->leds[n]) + devm_led_classdev_unregister(&hdev->dev, sc->leds[n]); + } + } + sony_cancel_work_sync(sc); sony_remove_dev_list(sc);