Commit 86eacb4f authored by Pietro Borrello's avatar Pietro Borrello Committed by Jialin Zhang

HID: asus: use spinlock to protect concurrent accesses

mainline inclusion
from mainline-v6.2
commit 315c5370
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I6I7U9
CVE: CVE-2023-1079

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=315c537068a13f0b5681d33dd045a912f4bece6f



--------------------------------

asus driver has a worker that may access data concurrently.
Protect the accesses using a spinlock.

Fixes: af22a610 ("HID: asus: support backlight on USB keyboards")
Signed-off-by: default avatarPietro Borrello <borrello@diag.uniroma1.it>
Link: https://lore.kernel.org/r/20230125-hid-unregister-leds-v4-4-7860c5763c38@diag.uniroma1.it


Signed-off-by: default avatarBenjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: default avatarYuyao Lin <linyuyao1@huawei.com>
Reviewed-by: default avatarWei Li <liwei391@huawei.com>
Reviewed-by: default avatarWang Weiyang <wangweiyang2@huawei.com>
Signed-off-by: default avatarJialin Zhang <zhangjialin11@huawei.com>
parent a2b3fc56
+21 −1
@@ -95,6 +95,7 @@ struct asus_kbd_leds {
	struct hid_device *hdev;
	struct work_struct work;
	unsigned int brightness;
	spinlock_t lock;
	bool removed;
};

@@ -402,7 +403,12 @@ static void asus_kbd_backlight_set(struct led_classdev *led_cdev,
{
	struct asus_kbd_leds *led = container_of(led_cdev, struct asus_kbd_leds,
						 cdev);
	unsigned long flags;

	spin_lock_irqsave(&led->lock, flags);
	led->brightness = brightness;
	spin_unlock_irqrestore(&led->lock, flags);

	schedule_work(&led->work);
}
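Review bot: `asus_kbd_backlight_set()` still calls `schedule_work(&led->work)` unconditionally after dropping the lock, so the `removed` flag that `asus_remove()` now sets under `led->lock` is never consulted on the scheduling path, and a brightness write that arrives after `cancel_work_sync()` can queue the worker again. The same flag is read without the lock in the `asus_kbd_backlight_work()` hunk (`if (led->removed) return;`), so the new spinlock does not order that read against the write in `asus_remove()`. Testing the flag and scheduling inside one critical section would close both gaps, e.g. `if (!led->removed) schedule_work(&led->work);` placed before `spin_unlock_irqrestore(&led->lock, flags);`, with the unlocked check in the worker then dropped or taken under the lock. Whether `brightness_set` can still be invoked after `asus_remove()` returns depends on the devm teardown order of the LED classdev, which is not visible on this page, and `asus_remove()` itself continues past the last line shown.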

@@ -410,8 +416,14 @@ static enum led_brightness asus_kbd_backlight_get(struct led_classdev *led_cdev)
{
	struct asus_kbd_leds *led = container_of(led_cdev, struct asus_kbd_leds,
						 cdev);
	enum led_brightness brightness;
	unsigned long flags;

	return led->brightness;
	spin_lock_irqsave(&led->lock, flags);
	brightness = led->brightness;
	spin_unlock_irqrestore(&led->lock, flags);

	return brightness;
}

static void asus_kbd_backlight_work(struct work_struct *work)
@@ -419,11 +431,14 @@ static void asus_kbd_backlight_work(struct work_struct *work)
	struct asus_kbd_leds *led = container_of(work, struct asus_kbd_leds, work);
	u8 buf[] = { FEATURE_KBD_REPORT_ID, 0xba, 0xc5, 0xc4, 0x00 };
	int ret;
	unsigned long flags;

	if (led->removed)
		return;

	spin_lock_irqsave(&led->lock, flags);
	buf[4] = led->brightness;
	spin_unlock_irqrestore(&led->lock, flags);

	ret = asus_kbd_set_report(led->hdev, buf, sizeof(buf));
	if (ret < 0)
@@ -485,6 +500,7 @@ static int asus_kbd_register_leds(struct hid_device *hdev)
	drvdata->kbd_backlight->cdev.brightness_set = asus_kbd_backlight_set;
	drvdata->kbd_backlight->cdev.brightness_get = asus_kbd_backlight_get;
	INIT_WORK(&drvdata->kbd_backlight->work, asus_kbd_backlight_work);
	spin_lock_init(&drvdata->kbd_backlight->lock);

	ret = devm_led_classdev_register(&hdev->dev, &drvdata->kbd_backlight->cdev);
	if (ret < 0) {
@@ -1013,9 +1029,13 @@ static int asus_probe(struct hid_device *hdev, const struct hid_device_id *id)
static void asus_remove(struct hid_device *hdev)
{
	struct asus_drvdata *drvdata = hid_get_drvdata(hdev);
	unsigned long flags;

	if (drvdata->kbd_backlight) {
		spin_lock_irqsave(&drvdata->kbd_backlight->lock, flags);
		drvdata->kbd_backlight->removed = true;
		spin_unlock_irqrestore(&drvdata->kbd_backlight->lock, flags);

		cancel_work_sync(&drvdata->kbd_backlight->work);
	}