From: Jiri Slaby <jslaby@suse.cz>
Cc: jkosina@suse.cz, alan@signal11.us, linux-input@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH 1/1] HID: hidraw, fix window in hidraw_release
Date: Tue, 19 Oct 2010 11:28:12 +0200
Message-ID: <4CBD64AC.7030207@suse.cz>
In-Reply-To: <1287480285-5335-1-git-send-email-jslaby@suse.cz>

On 10/19/2010 11:24 AM, Jiri Slaby wrote:
> There is a window between hidraw_table check and its dereference.
> In that window, the device may be unplugged and removed from the
> system and we will then dereference NULL.
>
> Lock that place properly so that either we get NULL and jump out or we
> can work with real pointer.
>
> Signed-off-by: Jiri Slaby <jslaby@suse.cz>
> ---
> drivers/hid/hidraw.c | 14 ++++++++++----
> 1 files changed, 10 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/hid/hidraw.c b/drivers/hid/hidraw.c
> index 925992f..6d81be3 100644
> --- a/drivers/hid/hidraw.c
> +++ b/drivers/hid/hidraw.c
> @@ -218,9 +218,13 @@ static int hidraw_release(struct inode * inode, struct file * file)
> unsigned int minor = iminor(inode);
> struct hidraw *dev;
> struct hidraw_list *list = file->private_data;
> + int ret;
>
> - if (!hidraw_table[minor])
> - return -ENODEV;
> + mutex_lock(&minors_lock);
> + if (!hidraw_table[minor]) {
> + ret = -ENODEV;
> + goto unlock;
> + }
>
> list_del(&list->node);
> dev = hidraw_table[minor];
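
Review bot: hidraw_table[minor] is read twice in this hunk, once in the if (!hidraw_table[minor]) test and again in dev = hidraw_table[minor]. With minors_lock now held across both, reading the slot once into dev and testing if (!dev) would make it explicit that the pointer that was checked is the pointer that gets used. Since the lock is taken at the top, every exit below this point has to leave through the unlock label, so it is worth confirming that no plain return remains between here and the mutex_unlock in the next hunk. Note also that the -ENODEV path jumps past list_del(&list->node).
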
> @@ -233,10 +237,12 @@ static int hidraw_release(struct inode * inode, struct file * file)
> kfree(list->hidraw);
> }
> }
> -
> + ret = 0;
> +unlock:
> + mutex_unlock(&minors_lock);
> kfree(list);
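
Review bot: kfree(list) sits after the unlock: label, so the -ENODEV path that jumps there from the first hunk now frees list without list_del(&list->node) having run, whereas the old early return did not free it at all. If the list head can still be walked at that point, the freed node stays linked; either unlink before the jump or explain why the node is unreachable once hidraw_table[minor] is NULL. The commit message describes only the locking, so this change in what the error path frees should be mentioned there as well.
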

Actually the kfree cannot be here. The first process to exit would free
it and the others will try to free it again.

Was it supposed to leak memory in the !hidraw_table[minor] case?

regards,
--
js
suse labs