diff options
| author | Zhang Lixu <[email protected]> | 2025-02-18 06:37:30 +0000 |
|---|---|---|
| committer | Jiri Kosina <[email protected]> | 2025-02-19 09:09:27 +0000 |
| commit | 07583a0010696a17fb0942e0b499a62785c5fc9f (patch) | |
| tree | df18d8ec1fefc3746ee587c0c62a8105e30dfd06 /net/switchdev/switchdev.c | |
| parent | HID: intel-ish-hid: Fix use-after-free issue in hid_ishtp_cl_remove() (diff) | |
| download | kernel-07583a0010696a17fb0942e0b499a62785c5fc9f.tar.gz kernel-07583a0010696a17fb0942e0b499a62785c5fc9f.zip | |
HID: intel-ish-hid: Fix use-after-free issue in ishtp_hid_remove()
The system can experience a random crash a few minutes after the driver is
removed. This issue occurs due to improper handling of memory freeing in
the ishtp_hid_remove() function.
The function currently frees the `driver_data` directly within the loop
that destroys the HID devices, which can lead to accessing freed memory.
Specifically, `hid_destroy_device()` uses `driver_data` when it calls
`hid_ishtp_set_feature()` to power off the sensor, so freeing
`driver_data` beforehand can result in accessing invalid memory.
This patch resolves the issue by storing the `driver_data` in a temporary
variable before calling `hid_destroy_device()`, and then freeing the
`driver_data` after the device is destroyed.
Fixes: 0b28cb4bcb17 ("HID: intel-ish-hid: ISH HID client driver")
Signed-off-by: Zhang Lixu <[email protected]>
Acked-by: Srinivas Pandruvada <[email protected]>
Signed-off-by: Jiri Kosina <[email protected]>
Diffstat (limited to 'net/switchdev/switchdev.c')
0 files changed, 0 insertions, 0 deletions