diff mbox series

HID: steam: fixes race in handling device list.

Message ID 20200616164418.14426-1-rodrigorivascosta@gmail.com (mailing list archive)
State Mainlined
Commit 2d3f53a80e4eed078669853a178ed96d88f74143
Delegated to: Jiri Kosina
Headers show
Series HID: steam: fixes race in handling device list. | expand

Commit Message

Rodrigo Rivas Costa June 16, 2020, 4:44 p.m. UTC 
Using uhid and KASAN this driver crashed because it was getting
several connection events where it only expected one. Then the
device was added several times to the static device list and it got
corrupted.

This patch checks if the device is already in the list before adding
it.

Signed-off-by: Rodrigo Rivas Costa <rodrigorivascosta@gmail.com>
Tested-by: Siarhei Vishniakou <svv@google.com>
---
 drivers/hid/hid-steam.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

Comments

Jiri Kosina June 19, 2020, 7:22 a.m. UTC | #1 
On Tue, 16 Jun 2020, Rodrigo Rivas Costa wrote:

> Using uhid and KASAN this driver crashed because it was getting
> several connection events where it only expected one. Then the
> device was added several times to the static device list and it got
> corrupted.
> 
> This patch checks if the device is already in the list before adding
> it.

Applied, thanks.
diff mbox series

Patch

diff --git a/drivers/hid/hid-steam.c b/drivers/hid/hid-steam.c
index 6286204d4c56..a3b151b29bd7 100644
--- a/drivers/hid/hid-steam.c
+++ b/drivers/hid/hid-steam.c
@@ -526,7 +526,8 @@  static int steam_register(struct steam_device *steam)
 			steam_battery_register(steam);
 
 		mutex_lock(&steam_devices_lock);
-		list_add(&steam->list, &steam_devices);
+		if (list_empty(&steam->list))
+			list_add(&steam->list, &steam_devices);
 		mutex_unlock(&steam_devices_lock);
 	}
 
@@ -552,7 +553,7 @@  static void steam_unregister(struct steam_device *steam)
 		hid_info(steam->hdev, "Steam Controller '%s' disconnected",
 				steam->serial_no);
 		mutex_lock(&steam_devices_lock);
-		list_del(&steam->list);
+		list_del_init(&steam->list);
 		mutex_unlock(&steam_devices_lock);
 		steam->serial_no[0] = 0;
 	}
@@ -738,6 +739,7 @@  static int steam_probe(struct hid_device *hdev,
 	mutex_init(&steam->mutex);
 	steam->quirks = id->driver_data;
 	INIT_WORK(&steam->work_connect, steam_work_connect_cb);
+	INIT_LIST_HEAD(&steam->list);
 
 	steam->client_hdev = steam_create_client_hid(hdev);
 	if (IS_ERR(steam->client_hdev)) {