On Thu, 26 May 2011, Dan Carpenter wrote: > There are a couple use after free bugs here. > > Signed-off-by: Dan Carpenter <error27@xxxxxxxxx> > --- > Compile tested only. Please review carefully. > > diff --git a/drivers/hid/usbhid/hiddev.c b/drivers/hid/usbhid/hiddev.c > index ff3c644..b2f9a3a 100644 > --- a/drivers/hid/usbhid/hiddev.c > +++ b/drivers/hid/usbhid/hiddev.c > @@ -248,12 +248,15 @@ static int hiddev_release(struct inode * inode, struct file * file) > usbhid_close(list->hiddev->hid); > usbhid_put_power(list->hiddev->hid); > } else { > + mutex_unlock(&list->hiddev->existancelock); > kfree(list->hiddev); > + kfree(list); > + return 0; > } > } > > - kfree(list); > mutex_unlock(&list->hiddev->existancelock); > + kfree(list); Good catch. > return 0; > } > @@ -926,7 +929,9 @@ void hiddev_disconnect(struct hid_device *hid) > usbhid_close(hiddev->hid); > wake_up_interruptible(&hiddev->wait); > } else { > + mutex_unlock(&hiddev->existancelock); > kfree(hiddev); > + return; > } > mutex_unlock(&hiddev->existancelock); For this I already have a fix queued in my tree. So I will be applying only the first hunk. Thanks, -- Jiri Kosina SUSE Labs
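Review bot: in the else branch of the hiddev_release() hunk, the added mutex_unlock(&list->hiddev->existancelock) is followed directly by kfree(list->hiddev), so the mutex being released lives inside the object that is freed on the next line. A short comment or a changelog sentence saying why no other task can still be waiting on existancelock at that point would make the ordering reviewable. The changelog could also name the two dereferences being fixed (the old kfree(list) ahead of mutex_unlock(&list->hiddev->existancelock), and the unlock reached after kfree(list->hiddev)) rather than only "a couple use after free bugs". As a style point, the else branch now repeats kfree(list); return 0; from the end of the function, and a single exit label would keep the cleanup in one place.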
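Review bot: in the else branch of the hiddev_disconnect() hunk, the added return after kfree(hiddev) skips whatever follows the trailing mutex_unlock(&hiddev->existancelock), and the hunk's context ends at that line, so it is worth confirming that nothing after it has to run on this path. The same ordering question applies here as in hiddev_release(): mutex_unlock(&hiddev->existancelock) immediately precedes kfree(hiddev), which frees the structure holding the mutex, so the reason no other holder or waiter can exist at that point deserves a comment.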