From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id A264D3D5647; Wed, 8 Apr 2026 18:29:03 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1775672943; cv=none; b=t4TEjQb55foSWBB6Wj48YshPAIV8gJLi7fqCqIkiN4G+hKeMxOPvQSqeDAjnMvPo6ja4PyCEdKXKw2QnJjNkLm+/ZM+TdDnjIdGfbhqB8LRYSJLHOR94dbgIKCqgjGwvF4iuQjhHmgeEnuBREY3kVVOrLbGtRINeQGptUYnYMko= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1775672943; c=relaxed/simple; bh=0grrv2a3/7tZocbFsxvOGkin7LUtFYcC66c+TSsFqgU=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=TKV6UlaqsFwh3lDSiAy22zGTIH1uB34AvUxpUd2DicQlyeXduwOtwIVvVmR6meYRu4wzIcMH19ls2OnjqfCLEsr7WZYqKtpZkAb6Svg5qvRwaP/Xzk64zWNL/D9wjhhgnPfO9aAdHPpNS/BwnGiimhlf9Cu4e5GrjWsl2ztDHPo= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=YCUah9v2; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="YCUah9v2" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 3851CC19421; Wed, 8 Apr 2026 18:29:03 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1775672943; bh=0grrv2a3/7tZocbFsxvOGkin7LUtFYcC66c+TSsFqgU=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=YCUah9v2qOtTYFXH2R1OouDuBQXCQ2DoeC680nov86QNmPHfeNPuC5quMmQ+hQu/W R5L1AiyMBU/lUTwFUXd9OzRzAz7BKtwYo1zCQdUIKzH5TnJ8BxtgGqQQYK+VQVapAB s8OVf0BTNTuGfQ6XOKjfac55zB7Av8MEl2GoCG8k= From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, Lee Jones , =?UTF-8?q?G=C3=BCnther=20Noack?= , Benjamin Tissoires , Sasha Levin Subject: [PATCH 6.18 009/277] HID: logitech-hidpp: Prevent use-after-free on force feedback initialisation failure Date: Wed, 8 Apr 2026 19:59:54 +0200 Message-ID: <20260408175934.193642479@linuxfoundation.org> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260408175933.836769063@linuxfoundation.org> References: <20260408175933.836769063@linuxfoundation.org> User-Agent: quilt/0.69 X-stable: review X-Patchwork-Hint: ignore Precedence: bulk X-Mailing-List: stable@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 6.18-stable review patch. If anyone has any objections, please let me know. ------------------ From: Lee Jones [ Upstream commit f7a4c78bfeb320299c1b641500fe7761eadbd101 ] Presently, if the force feedback initialisation fails when probing the Logitech G920 Driving Force Racing Wheel for Xbox One, an error number will be returned and propagated before the userspace infrastructure (sysfs and /dev/input) has been torn down. If userspace ignores the errors and continues to use its references to these dangling entities, a UAF will promptly follow. We have 2 options; continue to return the error, but ensure that all of the infrastructure is torn down accordingly or continue to treat this condition as a warning by emitting the message but returning success. It is thought that the original author's intention was to emit the warning but keep the device functional, less the force feedback feature, so let's go with that. Signed-off-by: Lee Jones Reviewed-by: Günther Noack Signed-off-by: Benjamin Tissoires Signed-off-by: Sasha Levin --- drivers/hid/hid-logitech-hidpp.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/hid/hid-logitech-hidpp.c b/drivers/hid/hid-logitech-hidpp.c index 3522e69da78d7..faef80cb2adbd 100644 --- a/drivers/hid/hid-logitech-hidpp.c +++ b/drivers/hid/hid-logitech-hidpp.c @@ -4486,10 +4486,12 @@ static int hidpp_probe(struct hid_device *hdev, const struct hid_device_id *id) if (!ret) ret = hidpp_ff_init(hidpp, &data); - if (ret) + if (ret) { hid_warn(hidpp->hid_dev, "Unable to initialize force feedback support, errno %d\n", ret); + ret = 0; + } } /* -- 2.53.0