From patchwork Thu May 26 08:49:16 2011
X-Patchwork-Submitter: Dan Carpenter
X-Patchwork-Id: 820162
X-Patchwork-Delegate: jikos@jikos.cz
Date: Thu, 26 May 2011 11:49:16 +0300
From: Dan Carpenter
To: Jiri Kosina
Cc: linux-usb@vger.kernel.org, linux-input@vger.kernel.org, kernel-janitors@vger.kernel.org
Subject: [patch 1/2] usbhid: use after free
Message-ID: <20110526084916.GD14591@shale.localdomain>
X-Mailing-List: linux-input@vger.kernel.org

There are a couple use after free bugs here.

Signed-off-by: Dan Carpenter
---
Compile tested only. Please review carefully.

diff --git a/drivers/hid/usbhid/hiddev.c b/drivers/hid/usbhid/hiddev.c index ff3c644..b2f9a3a 100644 --- a/drivers/hid/usbhid/hiddev.c +++ b/drivers/hid/usbhid/hiddev.c @@ -248,12 +248,15 @@ static int hiddev_release(struct inode * inode, struct file * file) usbhid_close(list->hiddev->hid); usbhid_put_power(list->hiddev->hid); } else { + mutex_unlock(&list->hiddev->existancelock); kfree(list->hiddev); + kfree(list); + return 0; } } - kfree(list); mutex_unlock(&list->hiddev->existancelock); + kfree(list); return 0; } @@ -926,7 +929,9 @@ void hiddev_disconnect(struct hid_device *hid) usbhid_close(hiddev->hid); wake_up_interruptible(&hiddev->wait); } else { + mutex_unlock(&hiddev->existancelock); kfree(hiddev); + return; } mutex_unlock(&hiddev->existancelock); }
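
Review bot: in the else branch of hiddev_release(), mutex_unlock(&list->hiddev->existancelock) now runs immediately before kfree(list->hiddev), and the mutex is a member of the object being freed, so this is only safe if no other task can be waiting on or about to take existancelock at that point. Nothing in the hunk or the changelog establishes that, and the posting says it was compile tested only; please state in the commit message why this path holds the last reference to hiddev. As a smaller point, the branch repeats kfree(list) and return 0; a local flag set in the else branch and tested after the common mutex_unlock() would leave one unlock, one kfree(list) and one return.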
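
Review bot: the early return added to the else branch of hiddev_disconnect() has no comment explaining it, although it is the only thing keeping the trailing mutex_unlock(&hiddev->existancelock) from touching hiddev after kfree(hiddev). A one-line comment above the added mutex_unlock(), saying that the lock is dropped first because it lives inside the structure about to be freed, would stop a later cleanup from folding the two unlocks back into one and reintroducing the use after free. The changelog line "There are a couple use after free bugs here" would also be more useful if it named this case.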