CVSROOT: /cvs
Module name: src
Changes by: an...@cvs.openbsd.org 2021/11/16 23:20:30
Modified files:
sys/dev/usb : uhidev.c
Log message:
Fix a double free in uhidev_close() caused by a race between
uhidev_open() and uhidev_close(). In uhidev_close() the UHIDEV_OPEN flag
is cleared early on but the same thread can end up sleeping while
closing the input or output pipe. This allows another thread to enter
uhidev_open() but only to fail opening either the input or output pipe
since they are already open for exclusive use. The uhidev_open() error
path frees the input buffer but leaves a dangling pointer around;
causing uhidev_close() to free the same buffer.
This can at least happen on xhci(4) which can end up sleeping in
xhci_pipe_close().
Reported by and ok gnezdo@
