explicitly close FIDO2 devices

FIDO2 device access is serialised by libfido2 using flock().
Therefore, make sure to close a FIDO2 device once we are done
with it, or we risk opening it again at a later point and
deadlocking. Fixes #20664.

1 files changed, 4 insertions, 1 deletions

diff --git a/src/shared/libfido2-util.h b/src/shared/libfido2-util.h
index 5640cca5e3..4ebf8ab775 100644
--- a/src/shared/libfido2-util.h
+++ b/src/shared/libfido2-util.h
@@ -60,6 +60,7 @@ extern bool (*sym_fido_dev_is_fido2)(const fido_dev_t *);
 extern int (*sym_fido_dev_make_cred)(fido_dev_t *, fido_cred_t *, const char *);
 extern fido_dev_t* (*sym_fido_dev_new)(void);
 extern int (*sym_fido_dev_open)(fido_dev_t *, const char *);
+extern int (*sym_fido_dev_close)(fido_dev_t *);
 extern const char* (*sym_fido_strerr)(int);
 
 int dlopen_libfido2(void);
@@ -75,8 +76,10 @@ static inline void fido_assert_free_wrapper(fido_assert_t **p) {
 }
 
 static inline void fido_dev_free_wrapper(fido_dev_t **p) {
-        if (*p)
+        if (*p) {
+                sym_fido_dev_close(*p);
                 sym_fido_dev_free(p);
+        }
 }
 
 static inline void fido_cred_free_wrapper(fido_cred_t **p) {