From: Johannes Weiner <hannes@cmpxchg.org>
To: Jiri Kosina <jkosina@suse.cz>
Cc: Oliver Neukum <oliver@neukum.name>,
	linux-kernel@vger.kernel.org, stable@kernel.org
Subject: Re: [patch] hiddev: fix incorrect hiddev freeing
Date: Mon, 9 Mar 2009 23:37:03 +0100	[thread overview]
Message-ID: <20090309223703.GA3412@cmpxchg.org> (raw)
In-Reply-To: <20090309023151.GA11464@cmpxchg.org>

On Mon, Mar 09, 2009 at 03:31:51AM +0100, Johannes Weiner wrote:
> When hiddev_open() fails for whatever reason, free the just allocated
> hiddev_list structure rather than the shared hiddev potentially still in use.
> 
> The hiddev is freed in device disconnect/last close of the device file
> and must not be freed while there are possibly existing references to
> it.
> 
> This is probably responsible for these
> 
>   http://kerneloops.org/oops.php?number=221185
>   http://kerneloops.org/oops.php?number=220365
> 
> where a reader sleeps on the waitqueue, the device gets disconnected
> (exist -> 0) another user tries to open it, fails on the exist check
> and frees the hiddev from the table.  The finish_wait() in the reader
> will then dereference the hiddev to get to the waitqueue and oopses.
> 
> This was introduced by commit 079034073faf974973baa0256b029451f6e768ad
> "HID: hiddev cleanup -- handle all error conditions properly".
> 
> Signed-off-by: Johannes Weiner <hannes@cmpxchg.org>
> Cc: Oliver Neukum <oliver@neukum.name>
> ---
> 
> diff --git a/drivers/hid/usbhid/hiddev.c b/drivers/hid/usbhid/hiddev.c
> index 4940e4d..00ea1ed 100644
> --- a/drivers/hid/usbhid/hiddev.c
> +++ b/drivers/hid/usbhid/hiddev.c
> @@ -306,7 +306,7 @@ static int hiddev_open(struct inode *inode, struct file *file)
>  	return 0;
>  bail:
>  	file->private_data = NULL;
> -	kfree(list->hiddev);
> +	kfree(list);
>  	return res;
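Review bot: switching the bail path from kfree(list->hiddev) to kfree(list) is the right ownership fix regardless of whether it explains the quoted oopses: `list` is the only allocation this hiddev_open() call owns, while `hiddev` stays owned by disconnect/last close as the description says. What the hunk does not show is whether `bail` is also reached from an error after `list` has been linked into a per-device list; if it is, the record would need to be unlinked before `kfree(list)`, so it is worth stating in the commit message which error paths jump to `bail`. The description's first sentence also reads as if `list` and `hiddev` were the same object; writing it as "free `list`, not `list->hiddev`" would make the intent unambiguous.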

This isn't responsible for the above quoted oopsen but I think I found
the real issue.  Resend coming soon.

Dear stable team, I mixed up the commit date with the authoring date.
The bugs were introduced after .28, so there is no need to backport
anything unless my fixes fail to get into .29.  So please ignore for
now.

	Hannes
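The ownership rule behind the patch, and the sequence the report describes (reader asleep on the device, disconnect, a second open() failing on the exist check, reader waking and dereferencing the device), is easy to replay in a small model. The following C program is an added illustration and is not kernel code or part of this thread; every name in it (model_hiddev, model_list, model_open, model_scenario, and the `live` flag that stands in for memory validity) is hypothetical. It contrasts freeing the shared device on the bail path with freeing only the per-open record.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical model of the two objects involved (not the kernel's structs). */
struct model_hiddev {
    int exist;   /* 1 while the device is connected; disconnect sets it to 0 */
    int open;    /* open file count; last close would release the device */
    int live;    /* 1 until "freed": stand-in for whether the memory is valid */
};

struct model_list {
    struct model_hiddev *hiddev;   /* back pointer to the shared device */
    int live;
};

/* Stand-ins for kfree(): mark the object dead so a later use is detectable. */
static void model_kfree_hiddev(struct model_hiddev *h) { h->live = 0; }
static void model_kfree_list(struct model_list *l) { l->live = 0; }

/*
 * A reader that was blocked on the device's waitqueue wakes up and, like
 * finish_wait(), dereferences the device again. Returns 1 if it would touch
 * memory that was already freed (the oops in the report), 0 otherwise.
 */
static int model_reader_wakeup(const struct model_hiddev *h)
{
    return h->live ? 0 : 1;
}

/*
 * Model of hiddev_open(). free_shared chooses what the bail path frees:
 * 1 = kfree(list->hiddev), the pre-patch behaviour; 0 = kfree(list), the
 * patched behaviour. On success the new per-open record is handed back
 * through *out (caller owns it); on failure -1 is returned and *out is NULL.
 */
static int model_open(struct model_hiddev *h, int free_shared,
                      struct model_list **out)
{
    struct model_list *list = calloc(1, sizeof(*list));
    int res;

    if (out)
        *out = NULL;
    if (!list)
        return -2;
    list->hiddev = h;
    list->live = 1;

    if (!h->exist) {          /* the exist check the report talks about */
        res = -1;
        goto bail;
    }
    h->open++;
    if (out)
        *out = list;
    else
        free(list);
    return 0;

bail:
    if (free_shared)
        model_kfree_hiddev(list->hiddev);   /* wrong: the device is shared */
    else
        model_kfree_list(list);             /* right: only this call's allocation */
    free(list);                             /* the per-open record is gone either way */
    return res;
}

/*
 * Replays the sequence from the report: one file is open and its reader is
 * blocked on the device; the device is disconnected (exist -> 0); a second
 * open() fails on the exist check; the reader then wakes. Returns 1 if the
 * reader dereferences freed memory, 0 if the device object survived.
 */
static int model_scenario(int free_shared)
{
    struct model_hiddev dev = { 1, 0, 1 };
    struct model_list *first = NULL;
    struct model_list *second = NULL;
    int oops;

    if (model_open(&dev, free_shared, &first) != 0)
        return -2;
    dev.exist = 0;                           /* disconnect while the reader sleeps */
    model_open(&dev, free_shared, &second);  /* fails; what does bail free? */
    oops = model_reader_wakeup(&dev);
    free(first);
    return oops;
}

int main(void)
{
    printf("kfree(list->hiddev) on bail: reader oops = %d\n", model_scenario(1));
    printf("kfree(list) on bail:         reader oops = %d\n", model_scenario(0));
    return 0;
}
```

The model only poisons a flag where real code would hand memory back to the allocator, which is what makes the stale dereference observable instead of undefined. The same discipline applies in review: on any error path, ask which allocations this call created and free exactly those; anything reachable from other open files or from a sleeping waiter belongs to whoever tears the device down.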
