| Message ID | 20220422161709.30198-2-jose.exposito89@gmail.com (mailing list archive) |
|---|---|
| State | New, archived |
| Delegated to: | Jiri Kosina |
| Headers | show |
| Series | [1/3] Input: goodix - Fix double free on managed resource | expand |
Hi, On 4/22/22 18:17, José Expósito wrote: > As described in the documentation for devm_input_allocate_device(): > > Managed input devices do not need to be explicitly unregistered or > freed as it will be done automatically when owner device unbinds from > its driver (or binding fails). > > However this driver was explicitly freeing the input device, allocated > using devm_input_allocate_device() through hidpp_allocate_input(). > > Remove the call to input_free_device() to avoid a possible double free > error. Actually calling input_free_device() on a devm allocated input device is fine. The input subsystem has chosen to not have a separate devm_input_free_device(), instead input_free_device() knows if a device is allocated through devm and then also frees the devres tied to it: void input_free_device(struct input_dev *dev) { if (dev) { if (dev->devres_managed) WARN_ON(devres_destroy(dev->dev.parent, devm_input_device_release, devm_input_device_match, dev)); input_put_device(dev); } } > > Fixes: c39e3d5fc9dd3 ("HID: logitech-hidpp: late bind the input device on wireless connection") > Signed-off-by: José Expósito <jose.exposito89@gmail.com> > --- > drivers/hid/hid-logitech-hidpp.c | 6 +----- > 1 file changed, 1 insertion(+), 5 deletions(-) > > diff --git a/drivers/hid/hid-logitech-hidpp.c b/drivers/hid/hid-logitech-hidpp.c > index 81de88ab2ecc..9c00a781ab57 100644 > --- a/drivers/hid/hid-logitech-hidpp.c > +++ b/drivers/hid/hid-logitech-hidpp.c > @@ -3957,11 +3957,7 @@ static void hidpp_connect_event(struct hidpp_device *hidpp) > } > > hidpp_populate_input(hidpp, input); > - > - ret = input_register_device(input); > - if (ret) > - input_free_device(input); > - The original code does look wrong there though, since the input device is free-ed it should not be stored in hidpp->delayed_input, so this should be comes: ret = input_register_device(input); if (ret) { input_free_device(input); return; } Regards, Hans > hidpp->delayed_input = input; > } >
On Sat, Apr 23, 2022 at 01:41:30PM +0200, Hans de Goede wrote: > Hi, > > On 4/22/22 18:17, José Expósito wrote: > > As described in the documentation for devm_input_allocate_device(): > > > > Managed input devices do not need to be explicitly unregistered or > > freed as it will be done automatically when owner device unbinds from > > its driver (or binding fails). > > > > However this driver was explicitly freeing the input device, allocated > > using devm_input_allocate_device() through hidpp_allocate_input(). > > > > Remove the call to input_free_device() to avoid a possible double free > > error. > > Actually calling input_free_device() on a devm allocated input device > is fine. The input subsystem has chosen to not have a > separate devm_input_free_device(), instead input_free_device() knows > if a device is allocated through devm and then also frees the devres > tied to it: > > void input_free_device(struct input_dev *dev) > { > if (dev) { > if (dev->devres_managed) > WARN_ON(devres_destroy(dev->dev.parent, > devm_input_device_release, > devm_input_device_match, > dev)); > input_put_device(dev); > } > } Hi Hans, Thanks for the code review. Obviously, I completely misunderstood these functions, my bad. Thanks for the explanation. Please ignore the patchset. Jose > > > > Fixes: c39e3d5fc9dd3 ("HID: logitech-hidpp: late bind the input device on wireless connection") > > Signed-off-by: José Expósito <jose.exposito89@gmail.com> > > --- > > drivers/hid/hid-logitech-hidpp.c | 6 +----- > > 1 file changed, 1 insertion(+), 5 deletions(-) > > > > diff --git a/drivers/hid/hid-logitech-hidpp.c b/drivers/hid/hid-logitech-hidpp.c > > index 81de88ab2ecc..9c00a781ab57 100644 > > --- a/drivers/hid/hid-logitech-hidpp.c > > +++ b/drivers/hid/hid-logitech-hidpp.c > > @@ -3957,11 +3957,7 @@ static void hidpp_connect_event(struct hidpp_device *hidpp) > > } > > > > hidpp_populate_input(hidpp, input); > > - > > - ret = input_register_device(input); > > - if (ret) > > - input_free_device(input); > > - > > The original code does look wrong there though, since the input device > is free-ed it should not be stored in hidpp->delayed_input, so this should be comes: > > ret = input_register_device(input); > if (ret) { > input_free_device(input); > return; > } > > > Regards, > > Hans > > > > hidpp->delayed_input = input; > > } > > > >
diff --git a/drivers/hid/hid-logitech-hidpp.c b/drivers/hid/hid-logitech-hidpp.c index 81de88ab2ecc..9c00a781ab57 100644 --- a/drivers/hid/hid-logitech-hidpp.c +++ b/drivers/hid/hid-logitech-hidpp.c @@ -3957,11 +3957,7 @@ static void hidpp_connect_event(struct hidpp_device *hidpp) } hidpp_populate_input(hidpp, input); - - ret = input_register_device(input); - if (ret) - input_free_device(input); - + input_register_device(input); hidpp->delayed_input = input; }
As described in the documentation for devm_input_allocate_device(): Managed input devices do not need to be explicitly unregistered or freed as it will be done automatically when owner device unbinds from its driver (or binding fails). However this driver was explicitly freeing the input device, allocated using devm_input_allocate_device() through hidpp_allocate_input(). Remove the call to input_free_device() to avoid a possible double free error. Fixes: c39e3d5fc9dd3 ("HID: logitech-hidpp: late bind the input device on wireless connection") Signed-off-by: José Expósito <jose.exposito89@gmail.com> --- drivers/hid/hid-logitech-hidpp.c | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-)