| author | James Hogan <[email protected]> | 2011-09-20 13:23:46 +0000 |
|---|---|---|
| committer | Jiri Kosina <[email protected]> | 2011-09-20 13:23:46 +0000 |
| commit | 65b01bd561dc995aab116aa784f97a37f7c49a65 (patch) | |
| tree | cebcfb510b789147e185eba651d383d61c071ca9 /lib/dynamic_debug.c | |
| parent | Merge branch 'fixes' of git://git.infradead.org/users/vkoul/slave-dma (diff) | |
HID: hidraw: protect hidraw_disconnect() better

The function hidraw_disconnect() only acquires the hidraw minors_lock
when clearing the entry in hidraw_table. However the device_destroy()
call can cause a userland read/write to return with an error. It may
cause the program to release the file descriptor before the disconnect
is finished. hidraw_disconnect() has already set hidraw->exist to 0,
which makes hidraw_release() kfree the hidraw structure, which
hidraw_disconnect() continues to access and even tries to kfree again.

Similarly if a hidraw_release() occurs after setting hidraw->exist to 0,
the same thing can happen.

This is fixed by expanding the mutex critical section to cover the whole
function from setting hidraw->exist to 0 to freeing the hidraw
structure, preventing a hidraw_release() from interfering.

Signed-off-by: James Hogan <[email protected]>
Tested-by: David Herrmann <[email protected]>
Signed-off-by: Jiri Kosina <[email protected]>
Diffstat (limited to 'lib/dynamic_debug.c')
0 files changed, 0 insertions, 0 deletions
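
The interleaving described in the commit message, as an added user-space model (not the kernel code and not part of the original commit). The struct, the function names and the `kfree_calls` counter are hypothetical; the model assumes that the release path takes the same lock as disconnect and that disconnect frees the structure when no handle is open.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical model of the state named in the commit message. */
struct hidraw_model {
    int  exist;            /* device still connected */
    int  open;             /* open file handles */
    int  kfree_calls;      /* counted instead of freeing, so a double free is visible */
    bool locked;           /* stands in for minors_lock */
    bool release_pending;  /* a release that is blocked waiting for the lock */
};

/* Release body: the last closer of a disconnected device frees the structure. */
static void release_body(struct hidraw_model *h)
{
    if (--h->open == 0 && !h->exist)
        h->kfree_calls++;
}

/* Userland closes its fd; if the lock is held, the close has to wait. */
static void model_release(struct hidraw_model *h)
{
    if (h->locked) {
        h->release_pending = true;
        return;
    }
    release_body(h);
}

/* wide_lock=false: exist/open are handled outside the lock (before the fix).
 * wide_lock=true:  the lock covers exist=0 through the free decision (after). */
static int model_disconnect(bool wide_lock)
{
    struct hidraw_model h = { .exist = 1, .open = 1 };

    h.locked = wide_lock;
    h.exist = 0;
    model_release(&h);      /* read fails after device_destroy(), program closes fd */
    if (h.open == 0)
        h.kfree_calls++;    /* assumed disconnect rule: free when nobody has it open */
    h.locked = false;
    if (h.release_pending)
        release_body(&h);   /* the blocked release runs once the lock is dropped */
    return h.kfree_calls;
}

int main(void)
{
    printf("narrow lock: %d frees, wide lock: %d frees\n",
           model_disconnect(false), model_disconnect(true));
    return 0;
}
```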
