author | Jiri Kosina <jkosina@suse.cz> | 2011-05-20 10:50:13 +0200 |
---|---|---|
committer | Jiri Kosina <jkosina@suse.cz> | 2011-05-20 10:50:13 +0200 |
commit | 6cb4b040795c555c7ab4b1ba29b0dba2b5a42beb (patch) | |
tree | ddc3db5bb24691ecd5da6bbc4dec044d2a4a5e78 | |
parent | 437f3b199c437e2a9ac01b9ab733c78e5fc7c720 (diff) | |
download | linux-6cb4b040795c555c7ab4b1ba29b0dba2b5a42beb.tar.bz2 |
HID: hiddev: fix race between hiddev_disconnect and hiddev_release
When hiddev_disconnect() runs with chardev open, it will proceed with
usbhid_close(). When userspace in parallel runs the hiddev_release(),
it sees !hiddev->exists (as it has been already set so by
hiddev_disconnect()) and kfrees hiddev while hiddev_disconnect() hasn't
finished yet.
Serialize the access to hiddev->exists and hiddev->open by existancelock.
Reported-by: mike-@cinci.rr.com
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
-rw-r--r-- | drivers/hid/usbhid/hiddev.c | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/drivers/hid/usbhid/hiddev.c b/drivers/hid/usbhid/hiddev.c
index 2baa71e6cc29..f4c67a5021c7 100644
--- a/drivers/hid/usbhid/hiddev.c
+++ b/drivers/hid/usbhid/hiddev.c
@@ -242,6 +242,7 @@ static int hiddev_release(struct inode * inode, struct file * file)
 list_del(&list->node);
 spin_unlock_irqrestore(&list->hiddev->list_lock, flags);
+ mutex_lock(&list->hiddev->existancelock);
 if (!--list->hiddev->open) {
 if (list->hiddev->exist) {
 usbhid_close(list->hiddev->hid);
@@ -252,6 +253,7 @@ static int hiddev_release(struct inode * inode, struct file * file)
 }
 kfree(list);
+ mutex_unlock(&list->hiddev->existancelock);
 return 0;
 }
@@ -300,17 +302,21 @@ static int hiddev_open(struct inode *inode, struct file *file)
 list_add_tail(&list->node, &hiddev->list);
 spin_unlock_irq(&list->hiddev->list_lock);
+ mutex_lock(&hiddev->existancelock);
 if (!list->hiddev->open++)
 if (list->hiddev->exist) {
 struct hid_device *hid = hiddev->hid;
 res = usbhid_get_power(hid);
 if (res < 0) {
 res = -EIO;
- goto bail;
+ goto bail_unlock;
 }
 usbhid_open(hid);
 }
+ mutex_unlock(&hiddev->existancelock);
 return 0;
+bail_unlock:
+ mutex_unlock(&hiddev->existancelock);
 bail:
 file->private_data = NULL;
 kfree(list);
@@ -911,7 +917,6 @@ void hiddev_disconnect(struct hid_device *hid)
 mutex_lock(&hiddev->existancelock);
 hiddev->exist = 0;
- mutex_unlock(&hiddev->existancelock);
 usb_deregister_dev(usbhid->intf, &hiddev_class);
@@ -921,4 +926,5 @@ void hiddev_disconnect(struct hid_device *hid)
 } else {
 kfree(hiddev);
 }
+ mutex_unlock(&hiddev->existancelock);
 }
|
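Review bot: In the second hunk (hiddev_release) the added `mutex_unlock(&list->hiddev->existancelock);` runs after `kfree(list);`, so it reads `list->hiddev` from memory that has just been freed; cache the pointer first (`struct hiddev *hiddev = list->hiddev;`) and unlock through it before the free. The last hunk (hiddev_disconnect) has the same ordering problem: on the `else` branch `kfree(hiddev);` is followed by `mutex_unlock(&hiddev->existancelock);`, which unlocks a mutex that lives inside the freed object, so that branch should unlock before it frees. The commit message says hiddev_release() also kfrees hiddev when `!exist`; that code sits between the first two hunks and is not visible here, but if it does, the unlock has to precede that free as well. Both function bodies start and end outside the hunks shown.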
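Review bot: The failure path in the hiddev_open hunk frees `list` while it is still linked: `list_add_tail(&list->node, &hiddev->list);` has already run when `goto bail_unlock` is taken, and neither `bail_unlock:` nor the visible part of `bail:` unlinks the node before `kfree(list);`. That would leave a dangling entry on `hiddev->list` for later list walkers, and the count bumped by `open++` appears to stay incremented although the open failed. Consider undoing both in the `bail_unlock:` path, i.e. `list->hiddev->open--;` before the unlock and `list_del(&list->node);` under `list_lock`, rather than at `bail:`, which is presumably also reached before the node is added. The function continues past the end of the hunk, so confirm the remaining lines do not already handle this.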