Message-Id: <20240521113619.2092-1-hdanton@sina.com>
Date: Tue, 21 May 2024 19:36:19 +0800
From: Hillf Danton <hdanton@...a.com>
To: linux-input@...r.kernel.org
Cc: Dmitry Torokhov <dmitry.torokhov@...il.com>,
Krzysztof Kozlowski <krzysztof.kozlowski+dt@...aro.org>,
Tetsuo Handa <penguin-kernel@...ove.SAKURA.ne.jp>,
Linus Torvalds <torvalds@...ux-foundation.org>,
linux-kernel@...r.kernel.org
Subject: Input: uinput - race after request submit timeout

uinput_request_submit()          uinput_ioctl_handler()
---                              ---
wait_for_completion_timeout()    case UI_END_FF_ERASE:
                                 req = uinput_request_find()
uinput_request_release_slot()
                                 req->retval = ff_erase.retval;
                                 complete(&req->done);

Given the race between request submit and ioctl handler, memory corruption
could happen after releasing request slot.
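
The interleaving in the diagram above, replayed deterministically in a userspace model. This is an added example, not code from the original message or from the kernel: the function names only mirror the diagram, the canary stands in for whatever reuses the request's memory, and the hardened variant is an assumed mitigation, not the fix proposed in this thread.

```c
#include <stddef.h>
/* Constructed userspace model of the diagram; not kernel code. */
#define NSLOTS 4
#define CANARY 0x5a5a5a5a

struct request { int id, retval, done; };
static struct request *slots[NSLOTS];  /* models the request table */
static struct request frame;           /* models the submitter's request storage */

static struct request *request_find(int id) {
    return (id >= 0 && id < NSLOTS) ? slots[id] : NULL;
}

static void submit(int id) {
    frame = (struct request){ .id = id };
    slots[id] = &frame;
}

/* Submitter's timeout path: drop the slot, after which its storage is reused. */
static void submit_timeout(int id) {
    slots[id] = NULL;
    frame.retval = CANARY;  /* unrelated data now lives here */
}

/* Order from the diagram: lookup, then timeout + release, then the write. */
static int racy_corrupts(void) {
    submit(1);
    struct request *req = request_find(1);  /* handler: find */
    submit_timeout(1);                      /* submitter: release slot */
    req->retval = -5; req->done = 1;        /* handler: write via stale pointer */
    return frame.retval != CANARY;          /* 1 = reused memory clobbered */
}

/* Assumed mitigation: lookup and completion are one critical section that
 * excludes the release, so a released request is simply not found. */
static int complete_atomic(int id, int retval) {
    struct request *req = request_find(id);
    if (!req) return -1;
    req->retval = retval;
    req->done = 1;
    return 0;
}

static int hardened_corrupts(void) {
    submit(1);
    submit_timeout(1);                      /* release ran first */
    return complete_atomic(1, -5) != -1 || frame.retval != CANARY;
}

int main(void) { return !(racy_corrupts() == 1 && hardened_corrupts() == 0); }
```

In a threaded build the body of `complete_atomic()` and the slot release would have to run under the same lock for the model's atomicity assumption to hold.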