From patchwork Thu Aug 12 23:07:40 2010
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Chris Ball <cjb@laptop.org>
X-Patchwork-Id: 119362
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by demeter.kernel.org (8.14.4/8.14.3) with ESMTP id o7CN9bs9022490
	for <patchwork-linux-input@patchwork.kernel.org>;
	Thu, 12 Aug 2010 23:09:37 GMT
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1760704Ab0HLXJg (ORCPT
	<rfc822;patchwork-linux-input@patchwork.kernel.org>);
	Thu, 12 Aug 2010 19:09:36 -0400
Received: from void.printf.net ([89.145.121.20]:41021 "EHLO void.printf.net"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
	id S1752911Ab0HLXJf (ORCPT <rfc822;linux-input@vger.kernel.org>);
	Thu, 12 Aug 2010 19:09:35 -0400
Received: from pullcord.laptop.org ([18.85.46.20])
	by void.printf.net with esmtp (Exim 4.69)
	(envelope-from <cjb@laptop.org>)
	id 1Ojgty-0004NY-Hp; Fri, 13 Aug 2010 00:09:34 +0100
From: Chris Ball <cjb@laptop.org>
To: linux-usb@vger.kernel.org
Cc: Jiri Kosina <jkosina@suse.cz>, linux-input@vger.kernel.org
Subject: [PATCH RESEND] USB HID: Protect against disconnect/NULL-dereference
	race
References: <m3y6ee62gp.fsf@pullcord.laptop.org>
Date: Thu, 12 Aug 2010 19:07:40 -0400
In-Reply-To: <m3y6ee62gp.fsf@pullcord.laptop.org> (Chris Ball's message of
	"Wed, 16 Jun 2010 18:24:06 -0400")
Message-ID: <m3lj8b8m6b.fsf@pullcord.laptop.org>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/23.0.60 (gnu/linux)
MIME-Version: 1.0
Sender: linux-input-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-input.vger.kernel.org>
X-Mailing-List: linux-input@vger.kernel.org
X-Greylist: IP, sender and recipient auto-whitelisted, not delayed by
	milter-greylist-4.2.3 (demeter.kernel.org [140.211.167.41]);
	Thu, 12 Aug 2010 23:09:37 +0000 (UTC)


diff --git a/drivers/hid/usbhid/hiddev.c b/drivers/hid/usbhid/hiddev.c
index c24d2fa..7ec009a 100644
--- a/drivers/hid/usbhid/hiddev.c
+++ b/drivers/hid/usbhid/hiddev.c
@@ -593,7 +593,7 @@ static long hiddev_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
 	struct hiddev_list *list = file->private_data;
 	struct hiddev *hiddev = list->hiddev;
 	struct hid_device *hid = hiddev->hid;
-	struct usb_device *dev = hid_to_usb_dev(hid);
+	struct usb_device *dev;
 	struct hiddev_collection_info cinfo;
 	struct hiddev_report_info rinfo;
 	struct hiddev_field_info finfo;
@@ -607,9 +607,11 @@ static long hiddev_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
 	/* Called without BKL by compat methods so no BKL taken */
 
 	/* FIXME: Who or what stop this racing with a disconnect ?? */
-	if (!hiddev->exist)
+	if (!hiddev->exist || !hid)
 		return -EIO;
 
+	dev = hid_to_usb_dev(hid);
+
 	switch (cmd) {
 
 	case HIDIOCGVERSION: