Commit dd613a4e authored by Rahul Rameshbabu's avatar Rahul Rameshbabu Committed by Benjamin Tissoires

HID: uclogic: Correct devm device reference for hidinput input_dev name

Reference the HID device rather than the input device for the devm
allocation of the input_dev name. Referencing the input_dev would lead to a
use-after-free when the input_dev was unregistered and subsequently fires a
uevent that depends on the name. At the point of firing the uevent, the
name would be freed by devres management.

Use devm_kasprintf to simplify the logic for allocating memory and
formatting the input_dev name string.

Reported-by: syzbot+3a0ebe8a52b89c63739d@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/linux-input/ZOZIZCND+L0P1wJc@penguin/T/Reported-by: default avatarMaxime Ripard <mripard@kernel.org>
Closes: https://lore.kernel.org/linux-input/ZOZIZCND+L0P1wJc@penguin/T/#m443f3dce92520f74b6cf6ffa8653f9c92643d4ae
Fixes: cce2dbdf ("HID: uclogic: name the input nodes based on their tool")
Suggested-by: default avatarMaxime Ripard <mripard@kernel.org>
Suggested-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: default avatarRahul Rameshbabu <sergeantsagara@protonmail.com>
Reviewed-by: default avatarMaxime Ripard <mripard@kernel.org>
Link: https://lore.kernel.org/r/20230824061308.222021-2-sergeantsagara@protonmail.comSigned-off-by: default avatarBenjamin Tissoires <bentiss@kernel.org>
parent 1d754604
...@@ -85,10 +85,8 @@ static int uclogic_input_configured(struct hid_device *hdev, ...@@ -85,10 +85,8 @@ static int uclogic_input_configured(struct hid_device *hdev,
{ {
struct uclogic_drvdata *drvdata = hid_get_drvdata(hdev); struct uclogic_drvdata *drvdata = hid_get_drvdata(hdev);
struct uclogic_params *params = &drvdata->params; struct uclogic_params *params = &drvdata->params;
char *name;
const char *suffix = NULL; const char *suffix = NULL;
struct hid_field *field; struct hid_field *field;
size_t len;
size_t i; size_t i;
const struct uclogic_params_frame *frame; const struct uclogic_params_frame *frame;
...@@ -146,14 +144,9 @@ static int uclogic_input_configured(struct hid_device *hdev, ...@@ -146,14 +144,9 @@ static int uclogic_input_configured(struct hid_device *hdev,
} }
} }
if (suffix) { if (suffix)
len = strlen(hdev->name) + 2 + strlen(suffix); hi->input->name = devm_kasprintf(&hdev->dev, GFP_KERNEL,
name = devm_kzalloc(&hi->input->dev, len, GFP_KERNEL); "%s %s", hdev->name, suffix);
if (name) {
snprintf(name, len, "%s %s", hdev->name, suffix);
hi->input->name = name;
}
}
return 0; return 0;
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment