diff mbox

[1/2] usbhid: use after free

Message ID 20110526084916.GD14591@shale.localdomain (mailing list archive)
State New, archived
Delegated to: Jiri Kosina
Headers show

Commit Message

Dan Carpenter May 26, 2011, 8:49 a.m. UTC 
There are a couple use after free bugs here.

Signed-off-by: Dan Carpenter <error27@gmail.com>
---
Compile tested only.  Please review carefully.

--
To unsubscribe from this list: send the line "unsubscribe linux-input" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Comments

Jiri Kosina May 26, 2011, 12:03 p.m. UTC | #1 
On Thu, 26 May 2011, Dan Carpenter wrote:

> There are a couple use after free bugs here.
> 
> Signed-off-by: Dan Carpenter <error27@gmail.com>
> ---
> Compile tested only.  Please review carefully.
> 
> diff --git a/drivers/hid/usbhid/hiddev.c b/drivers/hid/usbhid/hiddev.c
> index ff3c644..b2f9a3a 100644
> --- a/drivers/hid/usbhid/hiddev.c
> +++ b/drivers/hid/usbhid/hiddev.c
> @@ -248,12 +248,15 @@ static int hiddev_release(struct inode * inode, struct file * file)
>  			usbhid_close(list->hiddev->hid);
>  			usbhid_put_power(list->hiddev->hid);
>  		} else {
> +			mutex_unlock(&list->hiddev->existancelock);
>  			kfree(list->hiddev);
> +			kfree(list);
> +			return 0;
>  		}
>  	}
>  
> -	kfree(list);
>  	mutex_unlock(&list->hiddev->existancelock);
> +	kfree(list);

Good catch.

>  	return 0;
>  }
> @@ -926,7 +929,9 @@ void hiddev_disconnect(struct hid_device *hid)
>  		usbhid_close(hiddev->hid);
>  		wake_up_interruptible(&hiddev->wait);
>  	} else {
> +		mutex_unlock(&hiddev->existancelock);
>  		kfree(hiddev);
> +		return;
>  	}
>  	mutex_unlock(&hiddev->existancelock);

For this I already have a fix queued in my tree.

So I will be applying only the first hunk.

Thanks,
diff mbox

Patch

diff --git a/drivers/hid/usbhid/hiddev.c b/drivers/hid/usbhid/hiddev.c
index ff3c644..b2f9a3a 100644
--- a/drivers/hid/usbhid/hiddev.c
+++ b/drivers/hid/usbhid/hiddev.c
@@ -248,12 +248,15 @@  static int hiddev_release(struct inode * inode, struct file * file)
 			usbhid_close(list->hiddev->hid);
 			usbhid_put_power(list->hiddev->hid);
 		} else {
+			mutex_unlock(&list->hiddev->existancelock);
 			kfree(list->hiddev);
+			kfree(list);
+			return 0;
 		}
 	}
 
-	kfree(list);
 	mutex_unlock(&list->hiddev->existancelock);
+	kfree(list);
 
 	return 0;
 }
@@ -926,7 +929,9 @@  void hiddev_disconnect(struct hid_device *hid)
 		usbhid_close(hiddev->hid);
 		wake_up_interruptible(&hiddev->wait);
 	} else {
+		mutex_unlock(&hiddev->existancelock);
 		kfree(hiddev);
+		return;
 	}
 	mutex_unlock(&hiddev->existancelock);
 }