On Tue, 19 Oct 2010, Jiri Slaby wrote:

> There is a window between hidraw_table check and its dereference.
> In that window, the device may be unplugged and removed from the
> system and we will then dereference NULL.
>
> Lock that place properly so that either we get NULL and jump out or we
> can work with real pointer.
>
> Signed-off-by: Jiri Slaby <jslaby@xxxxxxx>
> --- > drivers/hid/hidraw.c | 14 ++++++++++---- > 1 files changed, 10 insertions(+), 4 deletions(-) > > diff --git a/drivers/hid/hidraw.c b/drivers/hid/hidraw.c > index 925992f..8a4b32d 100644 > --- a/drivers/hid/hidraw.c > +++ b/drivers/hid/hidraw.c > @@ -218,9 +218,13 @@ static int hidraw_release(struct inode * inode, struct file * file) > unsigned int minor = iminor(inode); > struct hidraw *dev; > struct hidraw_list *list = file->private_data; > + int ret; > > - if (!hidraw_table[minor]) > - return -ENODEV; > + mutex_lock(&minors_lock); > + if (!hidraw_table[minor]) { > + ret = -ENODEV; > + goto unlock; > + } > > list_del(&list->node); > dev = hidraw_table[minor]; > @@ -233,10 +237,12 @@ static int hidraw_release(struct inode * inode, struct file * file) > kfree(list->hidraw); > } > } > - > kfree(list); > + ret = 0; > +unlock: > + mutex_unlock(&minors_lock); > > - return 0; > + return ret; > }

Good catch, applied. Thanks.

--
Jiri Kosina
SUSE Labs, Novell Inc.
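Review bot: In the first hunk of hidraw_release() (@@ -218,9 +218,13 @@), the table slot is still read twice, once in `if (!hidraw_table[minor])` and again in `dev = hidraw_table[minor];`. With minors_lock held both reads now return the same value, but loading it once (`dev = hidraw_table[minor];` directly after `mutex_lock(&minors_lock);`, then testing `!dev`) makes it obvious that the pointer checked is the pointer used. The lock also closes the window described in the commit message only if the removal path clears hidraw_table[minor] under minors_lock as well; that code is not part of this diff, so the changelog should name it.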
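Review bot: In the second hunk (@@ -233,10 +237,12 @@) the `unlock:` label sits after `kfree(list);`, so the -ENODEV path added in the first hunk (`goto unlock;`) skips both `list_del(&list->node);` and `kfree(list);`, and the `list` taken from file->private_data is never freed when the table entry is already NULL. The old early `return -ENODEV;` had the same effect, but since the exit path is being restructured here, consider moving `kfree(list);` below the label so it runs on both paths. Whether the `list_del()` is needed there too depends on how the removal path treats the list, which these hunks do not show.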