diff options
author | Vicki Pfau <vi@endrift.com> | 2023-11-30 16:42:01 -0800 |
---|---|---|
committer | Vicki Pfau <vi@endrift.com> | 2023-11-30 17:33:22 -0800 |
commit | f476acbd4e6c9ce0ee397e993dd21a5d6fbb10d5 (patch) | |
tree | d659fcdc7521bd409b2844c1ba4a8c54a9174c72 /drivers | |
parent | 37726e4f7e877e3ee25d1eaf50b161ce1ff06801 (diff) | |
download | linux-f476acbd4e6c9ce0ee397e993dd21a5d6fbb10d5.tar.gz |
uinput: Hold mutex while destroying udev
There exists a race condition where closing a uinput device while another thread is preparing a request can lead to the request being submitted and waiting until it times out as the queue had already been flushed in preparation of destroying the udev object. While the request will eventually time out, it would ideally not be submitted in the first place and error out beforehand. By holding the mutex, we can guarantee that the device is actually properly destroyed before the request gets prepared, and thus is correctly seen as unavailable for requests. Closes: https://bugzilla.kernel.org/show_bug.cgi?id=218183 Signed-off-by: Vicki Pfau <vi@endrift.com> (cherry picked from commit 7cc7c60b27cc550ad7af0b83a57f542637372681)
Diffstat (limited to 'drivers')
-rw-r--r-- | drivers/input/misc/uinput.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/drivers/input/misc/uinput.c b/drivers/input/misc/uinput.c index 526e8765afcb..86adc35b5b87 100644 --- a/drivers/input/misc/uinput.c +++ b/drivers/input/misc/uinput.c @@ -710,8 +710,12 @@ static __poll_t uinput_poll(struct file *file, poll_table *wait) static int uinput_release(struct inode *inode, struct file *file) { struct uinput_device *udev = file->private_data; + int retval = mutex_lock_interruptible(&udev->mutex); + if (retval) + return retval; uinput_destroy_device(udev); + mutex_unlock(&udev->mutex); kfree(udev); return 0; |