LKML Archive on lore.kernel.org
help / color / mirror / Atom feed
From: Willy Tarreau <w@1wt.eu>
To: linux-kernel@vger.kernel.org, stable@kernel.org,
	stable-review@kernel.org
Cc: Jiri Slaby <jslaby@suse.cz>, Jiri Kosina <jkosina@suse.cz>,
	Antonio Ospite <ospite@studenti.unina.it>,
	Greg Kroah-Hartman <gregkh@suse.de>, Willy Tarreau <w@1wt.eu>
Subject: [PATCH 06/23] HID: hidraw: fix window in hidraw_release
Date: Mon, 07 Feb 2011 00:22:58 +0100	[thread overview]
Message-ID: <20110206232252.786428630@pcw.home.local> (raw)
In-Reply-To: <4beed4da27f06efb2c13d6ed48850634@local>

2.6.27.58-stable review patch.  If anyone has any objections, please let us know.

------------------

From: Jiri Slaby <jslaby@suse.cz>

commit cb174681a9ececa6702f114b85bdf82144b6a5af upstream.

[ Backport to .32.y by Antonio Ospite <ospite@studenti.unina.it> ]

There is a window between hidraw_table check and its dereference.
In that window, the device may be unplugged and removed form the
system and we will then dereference NULL.

Lock that place properly so that either we get NULL and jump out or we
can work with real pointer.

Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Antonio Ospite <ospite@studenti.unina.it>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: Willy Tarreau <w@1wt.eu>

---
 drivers/hid/hidraw.c |   11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

Index: longterm-2.6.27/drivers/hid/hidraw.c
===================================================================
--- longterm-2.6.27.orig/drivers/hid/hidraw.c	2011-01-29 11:19:14.681064282 +0100
+++ longterm-2.6.27/drivers/hid/hidraw.c	2011-01-29 11:27:11.371063762 +0100
@@ -196,11 +196,14 @@
 	unsigned int minor = iminor(inode);
 	struct hidraw *dev;
 	struct hidraw_list *list = file->private_data;
+	int ret;
 
+	mutex_lock(&minors_lock);
 	if (!hidraw_table[minor]) {
 		printk(KERN_EMERG "hidraw device with minor %d doesn't exist\n",
 				minor);
-		return -ENODEV;
+		ret = -ENODEV;
+		goto unlock;
 	}
 
 	list_del(&list->node);
@@ -211,10 +214,12 @@
 		else
 			kfree(list->hidraw);
 	}
-
 	kfree(list);
+	ret = 0;
+unlock:
+	mutex_unlock(&minors_lock);
 
-	return 0;
+	return ret;
 }
 
 static long hidraw_ioctl(struct file *file, unsigned int cmd,



  parent reply	other threads:[~2011-02-06 23:45 UTC|newest]

Thread overview: 31+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <20110206232252.509080428@pcw.home.local>
2011-02-06 23:22 ` [PATCH 00/23] 2.6.27.58-longterm review Willy Tarreau
2011-02-06 23:22   ` [PATCH 01/23] ALSA: hda: Use model=lg quirk for LG P1 Express to enable playback and capture Willy Tarreau
2011-02-06 23:22   ` [PATCH 02/23] ALSA: hda: Use LPIB for Dell Latitude 131L Willy Tarreau
2011-02-06 23:22   ` [PATCH 03/23] ALSA: hda: Use LPIB quirk for Dell Inspiron m101z/1120 Willy Tarreau
2011-02-06 23:22   ` [PATCH 04/23] USB: usb-storage: unusual_devs entry for the Samsung YP-CP3 Willy Tarreau
2011-02-06 23:22   ` [PATCH 05/23] USB: misc: uss720.c: add another vendor/product ID Willy Tarreau
2011-02-06 23:22   ` Willy Tarreau [this message]
2011-02-06 23:22   ` [PATCH 07/23] hwmon: (adm1026) Allow 1 as a valid divider value Willy Tarreau
2011-02-06 23:23   ` [PATCH 08/23] hwmon: (adm1026) Fix setting fan_div Willy Tarreau
2011-02-06 23:23   ` [PATCH 09/23] IB/uverbs: Handle large number of entries in poll CQ Willy Tarreau
2011-02-06 23:23   ` [PATCH 10/23] mv_xor: fix race in tasklet function Willy Tarreau
2011-02-06 23:23   ` [PATCH 11/23] md: fix bug with re-adding of partially recovered device Willy Tarreau
2011-02-06 23:23   ` [PATCH 12/23] NFS: Fix fcntl F_GETLK not reporting some conflicts Willy Tarreau
2011-02-06 23:23   ` [PATCH 13/23] nfsd: Fix possible BUG_ON firing in set_change_info Willy Tarreau
2011-02-06 23:23   ` [PATCH 14/23] PM / Hibernate: Fix PM_POST_* notification with user-space suspend Willy Tarreau
2011-02-06 23:23   ` [PATCH 15/23] posix-cpu-timers: workaround to suppress the problems with mt exec Willy Tarreau
2011-02-06 23:23   ` [PATCH 16/23] sctp: Fix a race between ICMP protocol unreachable and connect() Willy Tarreau
2011-02-06 23:23   ` [PATCH 17/23] sound: Prevent buffer overflow in OSS load_mixer_volumes Willy Tarreau
2011-02-06 23:23   ` [PATCH 18/23] sunrpc: prevent use-after-free on clearing XPT_BUSY Willy Tarreau
2011-02-06 23:23   ` [PATCH 19/23] x86, gcc-4.6: Use gcc -m options when building vdso Willy Tarreau
2011-02-06 23:23   ` [PATCH 20/23] tracing: Fix panic when lseek() called on "trace" opened for writing Willy Tarreau
2011-02-14 23:14     ` [Stable-review] " Ben Hutchings
2011-02-15  1:33       ` Steven Rostedt
2011-02-15  1:38         ` Ben Hutchings
2011-02-15  2:01           ` Steven Rostedt
2011-02-15  5:39       ` Willy Tarreau
2011-02-06 23:23   ` [PATCH 21/23] hvc_console: Fix race between hvc_close and hvc_remove Willy Tarreau
2011-02-07 21:16     ` Anton Blanchard
2011-02-07 22:11       ` Willy Tarreau
2011-02-06 23:23   ` [PATCH 22/23] hvc_console: Fix race between hvc_close and hvc_remove, again Willy Tarreau
2011-02-06 23:23   ` [PATCH 23/23] install_special_mapping skips security_file_mmap check Willy Tarreau

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20110206232252.786428630@pcw.home.local \
    --to=w@1wt.eu \
    --cc=gregkh@suse.de \
    --cc=jkosina@suse.cz \
    --cc=jslaby@suse.cz \
    --cc=linux-kernel@vger.kernel.org \
    --cc=ospite@studenti.unina.it \
    --cc=stable-review@kernel.org \
    --cc=stable@kernel.org \
    --subject='Re: [PATCH 06/23] HID: hidraw: fix window in hidraw_release' \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).