From: James Hogan
Date: Tue, 20 Sep 2011 13:23:46 +0000 (+0200)
Subject: HID: hidraw: protect hidraw_disconnect() better
X-Git-Tag: v3.2-rc1~187^2~1^2~5
X-Git-Url: http://git.openpandora.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=65b01bd561dc995aab116aa784f97a37f7c49a65;p=pandora-kernel.git

HID: hidraw: protect hidraw_disconnect() better

The function hidraw_disconnect() only acquires the hidraw minors_lock
when clearing the entry in hidraw_table. However the device_destroy()
call can cause a userland read/write to return with an error. It may
cause the program to release the file descriptor before the disconnect
is finished. hidraw_disconnect() has already set hidraw->exist to 0,
which makes hidraw_release() kfree the hidraw structure, which
hidraw_disconnect() continues to access and even tries to kfree again.

Similarly if a hidraw_release() occurs after setting hidraw->exist to 0,
the same thing can happen.

This is fixed by expanding the mutex critical section to cover the whole
function from setting hidraw->exist to 0 to freeing the hidraw
structure, preventing a hidraw_release() from interfering.

Signed-off-by: James Hogan
Tested-by: David Herrmann
Signed-off-by: Jiri Kosina
---
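The locking pattern the commit message describes, as an added userspace example that is not the kernel's hidraw code and not part of the original commit. All names (`dev_model`, `lock_model`, `model_disconnect`, `model_release`, `count_bad_rounds`) are hypothetical, a pthread mutex stands in for `minors_lock`, and `sched_yield()` stands in for the window opened by `device_destroy()`.

```c
#include <pthread.h>
#include <sched.h>
#include <stdlib.h>

/* Userspace model with hypothetical names; not the kernel's hidraw code. */
struct dev_model {
    int exist;                 /* 1 while the device is connected */
    int open;                  /* number of open file handles */
};

static pthread_mutex_t lock_model = PTHREAD_MUTEX_INITIALIZER;
static int free_count;         /* frees seen in the current round */

static void model_free(struct dev_model *d) { free_count++; free(d); }

/* Disconnect: one critical section from clearing exist to the free. */
static void *model_disconnect(void *arg)
{
    struct dev_model *d = arg;
    pthread_mutex_lock(&lock_model);
    d->exist = 0;
    sched_yield();             /* stands in for the device_destroy() window */
    if (d->open == 0)
        model_free(d);         /* no handle left, so disconnect frees */
    pthread_mutex_unlock(&lock_model);
    return NULL;
}

/* Release: the last close frees only when the device is already gone. */
static void *model_release(void *arg)
{
    struct dev_model *d = arg;
    pthread_mutex_lock(&lock_model);
    if (--d->open == 0 && !d->exist)
        model_free(d);
    pthread_mutex_unlock(&lock_model);
    return NULL;
}

/* Race one disconnect against one release per round.
 * Returns the number of rounds that did not free exactly once. */
int count_bad_rounds(int rounds)
{
    int bad = 0;
    for (int i = 0; i < rounds; i++) {
        struct dev_model *d = malloc(sizeof *d);
        pthread_t a, b;
        if (!d) return -1;
        d->exist = 1; d->open = 1; free_count = 0;
        if (pthread_create(&a, NULL, model_disconnect, d)) return -1;
        if (pthread_create(&b, NULL, model_release, d)) return -1;
        pthread_join(a, NULL); pthread_join(b, NULL);
        bad += (free_count != 1);
    }
    return bad;
}
```

Because both paths decide and free inside the same critical section, whichever thread runs second is the only one that frees, and the first never touches the structure afterwards.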