HID: steam: fixes race in handling device list.
diff mbox series

Message ID 20200616164418.14426-1-rodrigorivascosta@gmail.com
State Mainlined
Commit 2d3f53a80e4eed078669853a178ed96d88f74143
Delegated to: Jiri Kosina
Headers show
Series
  • HID: steam: fixes race in handling device list.
Related show

Commit Message

Rodrigo Rivas Costa June 16, 2020, 4:44 p.m. UTC
Using uhid and KASAN this driver crashed because it was getting
several connection events where it only expected one. Then the
device was added several times to the static device list and it got
corrupted.

This patch checks if the device is already in the list before adding
it.

Signed-off-by: Rodrigo Rivas Costa <rodrigorivascosta@gmail.com>
Tested-by: Siarhei Vishniakou <svv@google.com>
---
 drivers/hid/hid-steam.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

Comments

Jiri Kosina June 19, 2020, 7:22 a.m. UTC | #1
On Tue, 16 Jun 2020, Rodrigo Rivas Costa wrote:

> Using uhid and KASAN this driver crashed because it was getting
> several connection events where it only expected one. Then the
> device was added several times to the static device list and it got
> corrupted.
> 
> This patch checks if the device is already in the list before adding
> it.

Applied, thanks.

Patch
diff mbox series

diff --git a/drivers/hid/hid-steam.c b/drivers/hid/hid-steam.c
index 6286204d4c56..a3b151b29bd7 100644
--- a/drivers/hid/hid-steam.c
+++ b/drivers/hid/hid-steam.c
@@ -526,7 +526,8 @@  static int steam_register(struct steam_device *steam)
 			steam_battery_register(steam);
 
 		mutex_lock(&steam_devices_lock);
-		list_add(&steam->list, &steam_devices);
+		if (list_empty(&steam->list))
+			list_add(&steam->list, &steam_devices);
 		mutex_unlock(&steam_devices_lock);
 	}
 
@@ -552,7 +553,7 @@  static void steam_unregister(struct steam_device *steam)
 		hid_info(steam->hdev, "Steam Controller '%s' disconnected",
 				steam->serial_no);
 		mutex_lock(&steam_devices_lock);
-		list_del(&steam->list);
+		list_del_init(&steam->list);
 		mutex_unlock(&steam_devices_lock);
 		steam->serial_no[0] = 0;
 	}
@@ -738,6 +739,7 @@  static int steam_probe(struct hid_device *hdev,
 	mutex_init(&steam->mutex);
 	steam->quirks = id->driver_data;
 	INIT_WORK(&steam->work_connect, steam_work_connect_cb);
+	INIT_LIST_HEAD(&steam->list);
 
 	steam->client_hdev = steam_create_client_hid(hdev);
 	if (IS_ERR(steam->client_hdev)) {