authorJiri Kosina <jkosina@suse.cz>2011-05-24 05:43:18 -0400
committerJiri Kosina <jkosina@suse.cz>2011-05-24 05:43:18 -0400
commit7f77897ef2b6a5ee4eb8bc24fe8b1f3eab254328 (patch)
tree024098e2025c2fbbd3b0a2edf70711ffef76f9b8
parentd762f4383100c2a87b1a3f2d678cd3b5425655b4 (diff)
HID: hiddev: fix potential use-after-free
Commit 6cb4b040795 ("HID: hiddev: fix race between hiddev_disconnect and hiddev_release") made it possible to access hiddev (for unlocking the existance mutex) once hiddev has been kfreed. Change the order so that this can not happen (always unlock the mutex first, it is needed only to protect access to ->exist and ->open). Signed-off-by: Jiri Kosina <jkosina@suse.cz>
-rw-r--r--drivers/hid/usbhid/hiddev.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/drivers/hid/usbhid/hiddev.c b/drivers/hid/usbhid/hiddev.c
index ff3c644888b1..4985f485932f 100644
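--- a/drivers/hid/usbhid/hiddev.c
+++ b/drivers/hid/usbhid/hiddev.c
@@ -923,10 +923,11 @@ void hiddev_disconnect(struct hid_device *hid)
 usb_deregister_dev(usbhid->intf, &hiddev_class);
 
 if (hiddev->open) {
+mutex_unlock(&hiddev->existancelock);
 usbhid_close(hiddev->hid);
 wake_up_interruptible(&hiddev->wait);
 } else {
+mutex_unlock(&hiddev->existancelock);
 kfree(hiddev);
 }
-mutex_unlock(&hiddev->existancelock);
 }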
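Review bot: In the `if (hiddev->open)` branch the added `mutex_unlock(&hiddev->existancelock);` comes before `usbhid_close(hiddev->hid);` and `wake_up_interruptible(&hiddev->wait);`, so both calls still dereference hiddev after the lock has been dropped. If a concurrent hiddev_release() (not visible in this hunk) can take the lock at that point and free the structure on the last close, the use-after-free this commit removes from the else branch would remain possible here. Unless usbhid_close() has to run with the lock released, consider unlocking last in that branch: `usbhid_close(hiddev->hid);` `wake_up_interruptible(&hiddev->wait);` `mutex_unlock(&hiddev->existancelock);`. hiddev_disconnect() begins above the hunk, so the earlier updates to ->exist are not shown and this ordering should be checked against them.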